
JS:Redirect-Mx{Trj.}


#1 disberg (Member, 21 posts)
I tried to open www.disbergsdepot.com on the Internet and my virus protector, Avast, said that the website was infected with a Trojan Horse virus, JS:Redirect-Mx{Trj.}.

I did a scan of my computer and there was no virus found.

Because there was no virus found in my computer I thought that I would simply upload a clean copy of my webpages. The Directory posted with my Web Host looked odd and I couldn't find the file I was looking for.

I contacted my Web Host and this is in part their reply "...Upon an investigation of your account, we have found that it was compromised and malicious files were uploaded. This was able to be done by using a compromised cPanel password to log in and add malicious code to your files. We have removed the malicious code and updated your password. Issues like this typically occur due to malware or viruses on user's PC. We recommend that you scan any PC that is used to access this account with multiple antivirus and malware scanners before attempting to log in with the new password..."

I then did a boot scan using Avast and again my computer was clean. I then did a HijackThis scan and saw nothing indicating a virus.

I have also done a HijackThis scan and an OTL scan, as per attached.

Using the attached scans as reference, is there any data present for the subject Trojan or other malicious issues?

Thank you for your assistance.

disberg

OTL logfile created on: 12/21/2011 6:27:14 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Downloads\Geek to Go
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.20 Gb Available Physical Memory | 60.39% Memory free
3.84 Gb Paging File | 2.99 Gb Available in Paging File | 77.96% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 25.38 Gb Free Space | 34.07% Space Free | Partition Type: NTFS

Computer Name: USER-W05P6ZM3U6 | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/21 06:11:42 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Downloads\Geek to Go\OTL.exe
PRC - [2011/12/15 08:41:50 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2011/12/14 07:04:16 | 000,107,000 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2011/12/12 23:09:09 | 000,949,104 | ---- | M] (Opera Software) -- C:\Program Files\Opera\opera.exe
PRC - [2011/11/28 10:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2011/11/28 10:01:23 | 000,127,192 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\afwServ.exe
PRC - [2011/11/28 10:01:23 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2011/10/03 04:06:15 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\javaw.exe
PRC - [2011/10/03 04:06:14 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\system32\java.exe
PRC - [2011/03/21 13:10:00 | 001,230,704 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/09/16 11:06:03 | 000,622,504 | ---- | M] () -- C:\Program Files\OnlyWire\OnlyWireWindows.exe
PRC - [2010/05/19 15:20:44 | 012,776,728 | ---- | M] () -- C:\Program Files\RegCure\RegCure.exe
PRC - [2009/05/25 17:31:09 | 000,733,188 | ---- | M] (NCH Software) -- C:\Program Files\NCH Swift Sound\MSRS\msrs.exe
PRC - [2008/04/13 16:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 16:12:14 | 000,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cmd.exe
PRC - [2004/04/06 18:35:10 | 000,929,904 | ---- | M] (Ahead Software AG) -- C:\Program Files\Ahead\InCD\incdsrv.exe
PRC - [2001/10/23 22:31:16 | 000,147,456 | ---- | M] (Netropa Corp.) -- C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
PRC - [2001/10/02 11:34:58 | 000,094,208 | ---- | M] () -- C:\Program Files\Netropa\Multimedia Keyboard\Traymon.exe
PRC - [2001/09/17 12:48:42 | 000,090,112 | ---- | M] (Netropa Corp.) -- C:\Program Files\Netropa\Onscreen Display\osd.exe
PRC - [2001/08/06 13:41:48 | 000,028,672 | ---- | M] () -- C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe


========== Modules (No Company Name) ==========

MOD - [2011/12/21 00:28:01 | 001,651,200 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\11122100\algo.dll
MOD - [2011/12/20 12:03:17 | 001,650,688 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\11122001\algo.dll
MOD - [2011/12/19 15:49:56 | 000,241,528 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\11122100\aswRep.dll
MOD - [2011/12/19 15:49:56 | 000,241,528 | ---- | M] () -- C:\Program Files\Alwil Software\Avast5\defs\11122001\aswRep.dll
MOD - [2011/11/08 12:46:02 | 000,093,696 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll
MOD - [2011/03/21 13:10:36 | 000,096,112 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll
MOD - [2011/03/21 13:10:00 | 001,230,704 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
MOD - [2010/09/16 11:06:03 | 000,622,504 | ---- | M] () -- C:\Program Files\OnlyWire\OnlyWireWindows.exe
MOD - [2010/05/19 15:20:46 | 000,077,592 | ---- | M] () -- C:\Program Files\RegCure\zlibwapi.dll
MOD - [2010/05/19 15:20:44 | 012,776,728 | ---- | M] () -- C:\Program Files\RegCure\RegCure.exe
MOD - [2010/05/19 15:20:44 | 000,541,976 | ---- | M] () -- C:\Program Files\RegCure\AutoUpdate.dll
MOD - [2001/10/02 11:34:58 | 000,094,208 | ---- | M] () -- C:\Program Files\Netropa\Multimedia Keyboard\Traymon.exe
MOD - [2001/08/06 13:41:48 | 000,028,672 | ---- | M] () -- C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
MOD - [2000/06/08 09:09:00 | 000,028,672 | ---- | M] () -- C:\WINDOWS\system32\msiosd32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/11/28 10:01:23 | 000,127,192 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\afwServ.exe -- (avast! Firewall)
SRV - [2011/11/28 10:01:23 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/05/25 17:31:09 | 000,733,188 | ---- | M] (NCH Software) [Auto | Running] -- C:\Program Files\NCH Swift Sound\MSRS\msrs.exe -- (MSRSService)
SRV - [2004/04/06 18:35:10 | 000,929,904 | ---- | M] (Ahead Software AG) [Auto | Running] -- C:\Program Files\Ahead\InCD\incdsrv.exe -- (InCDsrv)
SRV - [2001/08/06 13:41:48 | 000,028,672 | ---- | M] () [Auto | Running] -- C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe -- (nhksrv)


========== Driver Services (SafeList) ==========

DRV - [2011/11/28 09:54:38 | 000,111,320 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswFW.sys -- (aswFW)
DRV - [2011/11/28 09:53:53 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2011/11/28 09:53:35 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2011/11/28 09:53:22 | 000,195,416 | ---- | M] (AVAST Software) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\aswNdis2.sys -- (aswNdis2)
DRV - [2011/11/28 09:52:19 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2011/11/28 09:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2011/11/28 09:52:02 | 000,111,320 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2011/11/28 09:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2011/11/28 09:48:49 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2010/06/28 12:10:45 | 000,012,112 | ---- | M] (ALWIL Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aswNdis.sys -- (aswNdis)
DRV - [2009/01/06 18:00:08 | 004,968,448 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2008/06/24 09:45:18 | 000,113,896 | ---- | M] (QFX Software Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\keyscrambler.sys -- (KeyScrambler)
DRV - [2008/02/25 05:39:08 | 000,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2007/12/17 16:14:06 | 000,012,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2007/08/21 15:50:54 | 000,030,208 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l251x86.sys -- (AtcL002)
DRV - [2007/05/15 14:55:36 | 000,038,576 | ---- | M] (Nero AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDRm.sys -- (incdrm)
DRV - [2005/02/23 14:58:56 | 000,011,776 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
DRV - [2004/08/12 18:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/04/06 18:40:10 | 000,025,600 | ---- | M] (Ahead Software AG) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\InCDPass.sys -- (InCDPass)
DRV - [2004/04/06 18:39:20 | 000,089,472 | ---- | M] (Ahead Software AG) [File_System | Disabled | Running] -- C:\WINDOWS\system32\drivers\InCDfs.sys -- (InCDfs)
DRV - [2003/12/05 01:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2001/10/15 14:43:18 | 000,006,656 | ---- | M] (Netropa Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Msikbd2k.sys -- (msikbd2k)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-21-1482476501-115176313-682003330-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1482476501-115176313-682003330-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?rd=1
IE - HKU\S-1-5-21-1482476501-115176313-682003330-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1482476501-115176313-682003330-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = B4 86 92 31 41 9D CB 01 [binary data]
IE - HKU\S-1-5-21-1482476501-115176313-682003330-500\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1482476501-115176313-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo!"
FF - prefs.js..browser.startup.homepage: "http://www.isoregist...|about:myworld"
FF - prefs.js..extensions.enabledItems: {b01bf10c-302a-11da-b67b-000d60ca027b}:2.6.1
FF - prefs.js..flock.keyword.provider: "Yahoo!"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine,version=1.0: C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@real.com/RhapsodyPlayerEngine: File not found
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Administrator\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/12/15 08:42:35 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.5.5\extensions\\Components: C:\Program Files\Flock\components [2011/12/15 08:41:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.5.5\extensions\\Plugins: C:\Program Files\Flock\plugins [2011/12/15 08:41:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.1\extensions\\Components: C:\Program Files\Flock\components [2011/12/15 08:41:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Flock 2.6.1\extensions\\Plugins: C:\Program Files\Flock\plugins [2011/12/15 08:41:36 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/28 13:37:28 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2011/12/14 07:04:58 | 000,000,000 | ---D | M]

[2009/05/29 06:36:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2009/12/02 06:32:05 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{a463f10c-3994-11da-9945-000d60ca027b}
[2009/05/29 06:36:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{ea278cf8-93cd-484f-b951-57360482d33a}
[2010/11/20 12:07:31 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions
[2010/04/03 18:18:50 | 000,000,000 | ---D | M] (Free Traffic Bar Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{0ed0633c-a54d-47f1-94e7-5bded41ae674}
[2010/04/03 18:18:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{0ed0633c-a54d-47f1-94e7-5bded41ae674}-trash
[2010/07/12 08:15:41 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/11/24 10:58:49 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}
[2009/10/12 08:25:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
[2010/08/03 07:40:54 | 000,000,000 | ---D | M] (AddThis) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{3e0e7d2a-070f-4a47-b019-91fe5385ba79}
[2010/04/03 18:18:34 | 000,000,000 | ---D | M] (AniWeather) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{4176DFF4-4698-11DE-BEEB-45DA55D89593}
[2010/08/29 09:03:09 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/04/03 18:18:35 | 000,000,000 | ---D | M] (Firefox Showcase) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{89506680-e3f4-484c-a2c0-ed711d481eda}
[2010/07/11 15:28:45 | 000,000,000 | ---D | M] ("StumbleUpon") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
[2010/07/12 08:15:18 | 000,000,000 | ---D | M] ("CoolPreviews") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
[2010/07/12 08:13:11 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/07/19 06:09:07 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/05/18 06:35:51 | 000,000,000 | ---D | M] ("Dictionary.com Toolbar") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2010/04/03 18:17:51 | 000,000,000 | ---D | M] (FoxTab) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{ef4e370e-d9f0-4e00-b93e-a4f274cfdd5a}
[2010/07/19 06:09:07 | 000,000,000 | ---D | M] ("MultirowBookmarksToolbar") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\{FBF6D7FB-F305-4445-BB3D-FEF66579A033}
[2010/04/03 18:18:46 | 000,000,000 | ---D | M] (bit.ly preview) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\[email protected]
[2010/04/03 18:18:38 | 000,000,000 | ---D | M] ("CyberSearch") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\[email protected]
[2010/04/06 17:44:10 | 000,000,000 | ---D | M] (Read It Later) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\[email protected]
[2008/12/19 22:30:41 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\[email protected]
[2010/07/12 08:15:21 | 000,000,000 | ---D | M] ("Multiple Tab Handler") -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\[email protected]
[2010/07/12 08:13:07 | 000,000,000 | ---D | M] (Cooliris) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\[email protected]
[2009/10/12 08:31:34 | 000,000,000 | ---D | M] (QuickDrag) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\[email protected]
[2010/04/03 18:18:48 | 000,000,000 | ---D | M] (SEO Blogger) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\[email protected]
[2009/11/24 11:00:40 | 000,000,000 | ---D | M] (SeoQuake Plugin - Seolinx) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\[email protected]
[2010/08/29 09:03:09 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\staged-xpis
[2010/07/12 08:13:46 | 000,000,000 | ---D | M] (TinEye Reverse Image Search) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zdunryuk.default\extensions\[email protected]

========== Chrome ==========


O1 HOSTS File: ([2001/08/23 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Free Traffic Bar Toolbar) - {0ed0633c-a54d-47f1-94e7-5bded41ae674} - C:\Program Files\Free_Traffic_Bar\prxtbFre0.dll (Conduit Ltd.)
O2 - BHO: (ShopperReports) - {100EB1FD-D03E-47fd-81F3-EE91287F9465} - C:\Program Files\ShopperReports3\bin\3.0.489.0\ShopperReports.dll (SmartShopper Inc.)
O2 - BHO: (no name) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - No CLSID value found.
O2 - BHO: (KeyScramblerBHO Class) - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (SQplus) - {CCF078EE-B071-4C40-9E57-F7B5962E8C95} - C:\Program Files\SeoQuake\SQplus.dll ()
O3 - HKLM\..\Toolbar: (Free Traffic Bar Toolbar) - {0ed0633c-a54d-47f1-94e7-5bded41ae674} - C:\Program Files\Free_Traffic_Bar\prxtbFre0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (SeoQuake) - {9C590067-8A6A-4db6-B052-069283790B04} - C:\Program Files\SeoQuake\SeoQuake.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1482476501-115176313-682003330-500\..\Toolbar\WebBrowser: (Free Traffic Bar Toolbar) - {0ED0633C-A54D-47F1-94E7-5BDED41AE674} - C:\Program Files\Free_Traffic_Bar\prxtbFre0.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1482476501-115176313-682003330-500\..\Toolbar\WebBrowser: (Mp3Rocket Toolbar) - {4C350B19-6CA1-4569-B14C-296D8D65300B} - "C:\Program Files\MP3 Rocket Toolbar\mp3rockettb.dll" File not found
O3 - HKU\S-1-5-21-1482476501-115176313-682003330-500\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe (Netropa Corp.)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-1482476501-115176313-682003330-500..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OnlyWire.LNK = C:\Program Files\OnlyWire\OnlyWireWindows.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-1482476501-115176313-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O7 - HKU\S-1-5-21-1482476501-115176313-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EditLevel = 0
O7 - HKU\S-1-5-21-1482476501-115176313-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O7 - HKU\S-1-5-21-1482476501-115176313-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0
O7 - HKU\S-1-5-21-1482476501-115176313-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKU\S-1-5-21-1482476501-115176313-682003330-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 0
O8 - Extra context menu item: Customize Menu - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html ()
O8 - Extra context menu item: Fill Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O8 - Extra context menu item: RoboForm Toolbar - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O8 - Extra context menu item: Save Forms - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll (QFX Software Corporation)
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShopperReports3\bin\3.0.489.0\ShopperReports.dll (SmartShopper Inc.)
O9 - Extra Button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShopperReports3\bin\3.0.489.0\ShopperReports.dll (SmartShopper Inc.)
O15 - HKU\S-1-5-21-1482476501-115176313-682003330-500\..Trusted Domains: istockphoto.com ([secure] https in Trusted sites)
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} http://www.worldwinn...rabblecubes.cab (ScrabbleCubes Control)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...tes/ieawsdc.cab (Microsoft Office Template and Media Control)
O16 - DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} https://mytbb.primus.../plugins/VA.cab ()
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} http://www.bestmark....ort/ScriptX.cab (MeadCo ScriptX)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} https://www.permissi..._hooking_xp.cab (Setup Class)
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} http://picasaweb.goo...1/uploader2.cab (UploadListView Class)
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} http://www.worldwinn...d/bejeweled.cab (Bejeweled Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1193513582156 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1218068981281 (MUWebControl Class)
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} http://www.kodakgall..._2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.h...tDetection2.cab (Reg Error: Key error.)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinn...ed/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Yahtzee/Images/armhelper.ocx (ArmHelper Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://googleonline...nbr/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B4E47413-1CF5-4193-BB25-7C4AF7982CA6}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/10/27 10:45:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/12/15 08:42:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2011/12/15 08:42:24 | 000,198,832 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2011/12/15 08:41:56 | 000,005,632 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2011/12/15 08:41:55 | 000,006,656 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2011/12/15 08:41:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Real
[2011/12/14 07:08:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\RoboForm
[2011/12/14 07:05:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\RoboForm
[2011/12/12 23:12:10 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/09/04 07:18:40 | 000,463,699 | ---- | C] (Tilman Hausherr) -- C:\Program Files\Setup.exe
[2008/09/07 15:55:04 | 000,207,872 | ---- | C] (Funkytoad.com) -- C:\Program Files\ZonedOut.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/12/21 06:02:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/12/21 05:53:00 | 000,001,010 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-115176313-682003330-500UA.job
[2011/12/20 23:04:39 | 000,000,114 | -H-- | M] () -- C:\WINDOWS\popcreg.dat
[2011/12/20 23:04:39 | 000,000,038 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2011/12/20 22:27:53 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{B3373D59-21A2-40B0-B7E0-6FE630ED01A1}.job
[2011/12/20 22:27:03 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/12/20 22:24:42 | 000,000,245 | ---- | M] () -- C:\WINDOWS\Msiosd.ini
[2011/12/20 22:24:22 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1482476501-115176313-682003330-500.job
[2011/12/20 22:24:18 | 000,000,032 | ---- | M] () -- C:\WINDOWS\MMKEYBD.INI
[2011/12/20 22:24:09 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/12/20 22:24:08 | 000,000,394 | ---- | M] () -- C:\WINDOWS\tasks\FreeFileViewerUpdateChecker.job
[2011/12/20 22:24:06 | 000,000,394 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Startup.job
[2011/12/20 22:23:52 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/12/20 18:53:00 | 000,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-115176313-682003330-500Core1cc06789b3ca7ac.job
[2011/12/20 18:00:00 | 000,000,458 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2011/12/20 17:00:00 | 000,000,406 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2011/12/18 04:25:01 | 000,000,388 | ---- | M] () -- C:\WINDOWS\tasks\RegCure.job
[2011/12/18 03:46:00 | 000,000,454 | ---- | M] () -- C:\WINDOWS\tasks\Driver Robot.job
[2011/12/16 02:29:01 | 000,000,432 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job
[2011/12/15 08:44:30 | 000,000,302 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1482476501-115176313-682003330-500.job
[2011/12/15 08:42:24 | 000,198,832 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2011/12/15 08:41:56 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2011/12/15 08:41:55 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2011/12/15 08:41:52 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\WINDOWS\System32\pncrt.dll
[2011/12/15 03:21:06 | 000,497,848 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/12/15 03:03:45 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/12/02 21:30:51 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2011/11/29 20:30:28 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/11/28 10:01:25 | 000,041,184 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2011/11/28 10:01:23 | 000,199,816 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/11/28 09:54:38 | 000,111,320 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFW.sys
[2011/11/28 09:53:53 | 000,435,032 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2011/11/28 09:53:35 | 000,314,456 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2011/11/28 09:53:22 | 000,195,416 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswNdis2.sys
[2011/11/28 09:52:19 | 000,034,392 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2011/11/28 09:52:16 | 000,052,952 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2011/11/28 09:52:02 | 000,111,320 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2011/11/28 09:51:59 | 000,105,176 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2011/11/28 09:51:50 | 000,020,568 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2011/11/28 09:48:49 | 000,030,808 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2011/11/23 05:25:32 | 001,859,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\win32k.sys
[2011/11/23 05:25:32 | 001,859,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\win32k.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/17 16:50:43 | 000,072,192 | ---- | C] () -- C:\WINDOWS\System32\zlib.dll
[2010/06/28 13:36:17 | 000,023,113 | ---- | C] () -- C:\WINDOWS\hpqins15.dat
[2010/06/27 11:22:35 | 000,205,415 | ---- | C] () -- C:\WINDOWS\hpwins26.dat
[2010/06/27 11:22:35 | 000,000,370 | ---- | C] () -- C:\WINDOWS\hpwmdl26.dat
[2010/02/10 14:32:34 | 000,000,047 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Best10Player.upd
[2010/02/10 14:32:13 | 000,000,162 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\best10freeleads.dbf
[2010/02/10 14:32:13 | 000,000,024 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\best10freeleads.DBT
[2009/12/11 23:01:23 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/10/17 11:00:38 | 000,516,096 | ---- | C] () -- C:\WINDOWS\iwexec.exe
[2009/08/25 23:11:39 | 000,000,031 | ---- | C] () -- C:\WINDOWS\warhead.ini
[2009/08/03 14:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/03 14:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
[2009/07/27 20:32:14 | 000,000,052 | ---- | C] () -- C:\WINDOWS\System32\windriver32.ini
[2009/07/07 18:16:42 | 000,000,058 | ---- | C] () -- C:\WINDOWS\menumake.INI
[2009/06/28 13:28:10 | 000,001,163 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/06/23 07:40:03 | 000,161,542 | ---- | C] () -- C:\WINDOWS\Webmaster Email Extractor Uninstaller.exe
[2009/05/23 06:43:25 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/05/23 06:43:25 | 000,012,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/05/17 04:56:11 | 000,000,296 | ---- | C] () -- C:\WINDOWS\ANS2000.INI
[2009/05/17 04:56:11 | 000,000,020 | -H-- | C] () -- C:\WINDOWS\akebook.ini
[2009/05/17 04:56:11 | 000,000,004 | -H-- | C] () -- C:\WINDOWS\a3kebook.ini
[2008/11/15 11:24:01 | 000,000,114 | -H-- | C] () -- C:\WINDOWS\popcreg.dat
[2008/11/15 09:24:00 | 000,000,038 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2008/09/07 16:23:10 | 000,038,213 | ---- | C] () -- C:\Program Files\ZonedOut.chm
[2008/08/11 15:09:00 | 000,000,148 | ---- | C] () -- C:\WINDOWS\BAGO.INI
[2008/06/02 11:43:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/03/05 18:26:18 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/04 20:54:22 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
[2008/01/22 19:35:13 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/01/21 20:14:15 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2007/12/19 02:54:15 | 000,000,032 | ---- | C] () -- C:\WINDOWS\MMKEYBD.INI
[2007/12/18 14:40:24 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2007/12/18 14:40:23 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\msiosd32.dll
[2007/12/18 14:40:23 | 000,000,245 | ---- | C] () -- C:\WINDOWS\Msiosd.ini
[2007/12/11 08:20:50 | 001,358,156 | ---- | C] () -- C:\WINDOWS\System32\model.dat
[2007/12/11 08:19:27 | 000,966,656 | ---- | C] () -- C:\WINDOWS\System32\LDPackage.dll
[2007/11/21 14:14:04 | 000,000,041 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2007/11/20 08:05:20 | 000,000,014 | ---- | C] () -- C:\WINDOWS\popcinfo.dat
[2007/11/18 21:16:59 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2007/11/16 17:36:10 | 000,073,220 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
[2007/11/16 17:36:10 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
[2007/11/16 17:36:10 | 000,029,114 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
[2007/11/16 17:36:10 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
[2007/11/16 17:36:10 | 000,021,021 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
[2007/11/16 17:36:10 | 000,015,670 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
[2007/11/16 17:36:10 | 000,013,280 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
[2007/11/16 17:36:10 | 000,010,673 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
[2007/11/16 17:36:10 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
[2007/11/16 17:36:10 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
[2007/11/16 17:36:10 | 000,001,140 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
[2007/11/16 17:36:10 | 000,001,137 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
[2007/11/16 17:36:10 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
[2007/11/16 17:36:10 | 000,001,130 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
[2007/11/16 17:36:10 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
[2007/11/16 17:36:10 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2007/11/16 17:30:42 | 000,000,044 | ---- | C] () -- C:\WINDOWS\PERFV100V350.ini
[2007/11/15 09:46:01 | 000,000,173 | ---- | C] () -- C:\WINDOWS\KPCMS.INI
[2007/11/15 09:45:48 | 000,040,129 | ---- | C] () -- C:\WINDOWS\iccsigs.dat
[2007/11/15 09:45:41 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2007/10/30 19:27:31 | 000,009,418 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/10/28 09:30:52 | 000,040,960 | ---- | C] () -- C:\Program Files\Uninstall_CDS.exe
[2007/10/27 19:10:01 | 000,372,736 | R--- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2007/10/27 11:42:15 | 000,000,794 | ---- | C] () -- C:\WINDOWS\lrun32.ini
[2007/10/27 11:41:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\AutoRun.INI
[2007/10/27 11:32:19 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/10/27 11:22:50 | 000,200,704 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4704.dll
[2007/10/27 10:51:31 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/10/27 10:51:17 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/10/27 10:47:00 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/10/27 10:42:35 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/10/27 03:37:19 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/10/27 03:36:02 | 000,497,848 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/08/03 06:29:06 | 000,023,134 | ---- | C] () -- C:\Program Files\s.php
[2007/08/03 06:11:28 | 000,004,062 | ---- | C] () -- C:\Program Files\list.php
[2007/08/02 23:18:40 | 000,042,122 | ---- | C] () -- C:\Program Files\functions.php
[2007/08/02 23:00:52 | 000,001,483 | ---- | C] () -- C:\Program Files\silent_post.php
[2007/08/02 19:57:18 | 000,006,020 | ---- | C] () -- C:\Program Files\bouncechecker.php
[2007/07/29 18:28:18 | 000,025,750 | ---- | C] () -- C:\Program Files\sendmails.php
[2007/07/27 21:54:28 | 000,041,433 | ---- | C] () -- C:\Program Files\manual.html
[2007/07/24 18:45:04 | 000,000,518 | ---- | C] () -- C:\Program Files\subhandler.php
[2007/07/24 18:36:42 | 000,002,588 | ---- | C] () -- C:\Program Files\sub_wrapper.php
[2007/07/19 01:50:48 | 000,003,128 | ---- | C] () -- C:\Program Files\get_config_vars.php
[2007/07/18 20:52:18 | 000,000,254 | ---- | C] () -- C:\Program Files\PKG-INFO
[2007/07/18 20:51:20 | 000,000,313 | ---- | C] () -- C:\Program Files\setup.py
[2007/07/18 20:42:36 | 000,006,712 | ---- | C] () -- C:\Program Files\example_config.xml
[2007/07/18 20:42:36 | 000,000,082 | ---- | C] () -- C:\Program Files\._example_config.xml
[2007/07/18 20:41:06 | 000,002,669 | ---- | C] () -- C:\Program Files\ChangeLog
[2007/07/18 20:33:30 | 000,069,239 | ---- | C] () -- C:\Program Files\sitemap_gen.py
[2007/07/17 02:23:36 | 000,015,338 | ---- | C] () -- C:\Program Files\mailbursts.php
[2007/07/17 01:01:16 | 000,009,114 | ---- | C] () -- C:\Program Files\defs.sql
[2007/07/17 00:19:06 | 000,010,917 | ---- | C] () -- C:\Program Files\messages.php
[2007/07/16 22:41:50 | 000,004,661 | ---- | C] () -- C:\Program Files\tagref.html
[2007/07/16 22:08:16 | 000,022,380 | ---- | C] () -- C:\Program Files\admin.php
[2007/07/16 15:29:10 | 000,002,896 | ---- | C] () -- C:\Program Files\edit_config.php
[2007/07/07 19:48:48 | 000,003,027 | ---- | C] () -- C:\Program Files\get_config_vars_funky.php
[2007/07/01 15:53:46 | 000,017,369 | ---- | C] () -- C:\Program Files\responders.php
[2007/06/26 11:36:52 | 000,000,305 | ---- | C] () -- C:\Program Files\tinyMCE_simple.php
[2007/06/26 11:36:48 | 000,001,666 | ---- | C] () -- C:\Program Files\tinyMCE_full.php
[2007/06/26 11:36:42 | 000,000,398 | ---- | C] () -- C:\Program Files\tinyMCE.php
[2007/06/24 19:47:06 | 000,001,111 | ---- | C] () -- C:\Program Files\README
[2007/06/24 11:44:14 | 000,009,405 | ---- | C] () -- C:\Program Files\mailchecker-verbose.php
[2007/06/24 11:42:14 | 000,009,406 | ---- | C] () -- C:\Program Files\mailchecker.php
[2007/06/22 06:46:38 | 000,000,486 | ---- | C] () -- C:\Program Files\config.php
[2007/06/22 05:53:38 | 000,000,914 | ---- | C] () -- C:\Program Files\logout.php
[2007/06/22 05:40:04 | 000,003,654 | ---- | C] () -- C:\Program Files\regexps.php
[2007/06/22 05:40:00 | 000,004,079 | ---- | C] () -- C:\Program Files\blacklist.php
[2007/06/22 05:30:28 | 000,001,357 | ---- | C] () -- C:\Program Files\tools.php
[2007/06/22 05:16:30 | 000,010,690 | ---- | C] () -- C:\Program Files\bouncers.php
[2007/06/17 09:06:46 | 000,000,912 | ---- | C] () -- C:\Program Files\check_install.php
[2007/06/17 08:15:18 | 000,000,238 | ---- | C] () -- C:\Program Files\popup_js.php
[2007/06/14 13:08:56 | 000,009,845 | ---- | C] () -- C:\Program Files\move_subscriber.php
[2007/06/04 11:37:36 | 000,001,741 | ---- | C] () -- C:\Program Files\evilness-filter.php
[2007/04/27 10:43:58 | 000,120,200 | ---- | C] () -- C:\WINDOWS\System32\DLLDEV32i.dll
[2006/12/15 14:49:28 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\VoissUtils.dll
[2005/06/16 12:41:30 | 000,001,791 | ---- | C] () -- C:\Program Files\COPYING
[2005/06/16 12:41:30 | 000,000,023 | ---- | C] () -- C:\Program Files\AUTHORS
[2005/02/15 10:22:54 | 000,000,356 | ---- | C] () -- C:\Program Files\index.php
[2004/08/02 13:20:40 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2001/08/23 04:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2001/08/23 04:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2001/08/23 04:00:00 | 000,436,710 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2001/08/23 04:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/23 04:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/08/23 04:00:00 | 000,069,600 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2001/08/23 04:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/08/23 04:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/23 04:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2001/08/23 04:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2001/08/23 04:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2001/07/15 16:48:32 | 000,170,585 | ---- | C] () -- C:\WINDOWS\System32\MCPrintX.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:52B72A7C
@Alternate Data Stream - 124 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3F2F06F2
@Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:538DC028
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:77248999
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3A6F413D
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AA243C48
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:AFFC859A
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:EA34E08F

< End of report >

Attached Files


  • 0
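Logs of this size are easier to review once the entries are parsed into records. Here is an added example (my own code, not part of the thread and not part of OTL) that parses the OTL file-entry format shown above and applies a few triage heuristics a reviewer would apply by eye: script source sitting directly under Program Files, binaries in the Windows directory that carry no company name, and alternate data streams. The sample lines are copied from the log above as constructed test input; the heuristics only surface entries worth a closer look and prove nothing by themselves.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime

# Constructed test input: a few lines copied from the OTL log above, in the
# "[date time | size | attributes | C/M] (company) -- path" shape OTL uses.
# Directory entries have no "(company)" group; summary lines such as the
# "*.tmp files" line carry no per-file detail.
SAMPLE_OTL = r"""
[2011/12/15 08:42:24 | 000,198,832 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2010/09/04 07:18:40 | 000,463,699 | ---- | C] (Tilman Hausherr) -- C:\Program Files\Setup.exe
[2011/12/15 08:42:41 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2009/10/17 11:00:38 | 000,516,096 | ---- | C] () -- C:\WINDOWS\iwexec.exe
[2007/08/03 06:29:06 | 000,023,134 | ---- | C] () -- C:\Program Files\s.php
[2007/07/18 20:33:30 | 000,069,239 | ---- | C] () -- C:\Program Files\sitemap_gen.py
[2007/10/27 19:10:01 | 000,372,736 | R--- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
@Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:52B72A7C
"""

FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[\w-]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")


def parse_otl(text):
    """Turn OTL file/ADS lines into dicts; lines in other shapes are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = FILE_RE.match(line)
        if m:
            entries.append({
                "type": "file",
                "timestamp": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "size": int(m["size"].replace(",", "")),
                "attrs": m["attrs"],
                "is_dir": "D" in m["attrs"],
                "kind": m["kind"],            # C = created, M = modified
                "company": m["company"] or "",  # empty when OTL shows "()"
                "path": m["path"],
            })
            continue
        m = ADS_RE.match(line)
        if m:
            entries.append({"type": "ads", "size": int(m["size"]), "path": m["path"]})
    return entries


SCRIPT_EXT = {".php", ".py", ".sql", ".html", ".htm", ".js", ".vbs", ".bat"}
BINARY_EXT = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl"}


def triage(entries):
    """Group entries under plain-English reasons a reviewer would look closer."""
    findings = defaultdict(list)
    for e in entries:
        if e["type"] == "ads":
            findings["alternate data stream"].append(e["path"])
            continue
        if e["is_dir"]:
            continue
        path = e["path"]
        ext = ntpath.splitext(path)[1].lower()
        parent = ntpath.dirname(path).lower()
        if ext in SCRIPT_EXT and parent == r"c:\program files":
            findings["script source directly under Program Files"].append(path)
        elif ext in BINARY_EXT and parent.startswith(r"c:\windows") and not e["company"]:
            # "No company name" only means the file has no version-info company;
            # plenty of legitimate files look like this, so it is a prompt, not a verdict.
            findings["binary without company name in the Windows directory"].append(path)
    return dict(findings)


if __name__ == "__main__":
    for reason, paths in triage(parse_otl(SAMPLE_OTL)).items():
        print(reason)
        for p in paths:
            print("   ", p)
```

Run against the full log, the same parser also gives you timestamps and sizes per entry, so entries created in the same minute (the RealNetworks files at 08:41-08:42, for instance) can be grouped as one install rather than judged one by one.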



#2
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
How do you connect to the internet? If by wireless or if there is a wireless router make sure it has a password different from the default and also make sure that it is using WPA or WPA2 for encrypting the links. Do not use WEP as it is easily broken.

The site has been reinfected per my Avast. IF you haven't logged on then I expect either it was not totally disinfected or the hosting software or hosting operating system has been compromised.

I don't see anything obvious but we can run a few scans to make sure:

First we need to tell Avast that it is OK:


Click on the Avast ball. Then click on Additional Protections then on AutoSandbox then on Settings then uncheck Enable AutoSandbox. OK

Malwarebytes' Anti-Malware
:!: If you have a previous version of MalwareBytes', remove it via Add or Remove Programs and download a fresh copy. :!:

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it from your browser :!:

:!: Disable your Antivirus software when downloading or running Combofix. ==>Right click on the Avast Ball and select Avast! Shields Control and Disable Until Computer is Restarted


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on Combofix to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus at this time :!:

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan (Note if the Fix button is enabled and tell me) click save log, save it to your desktop and post in your next reply


Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop then run it.
Double click on TDSSKiller.exe
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Use IE and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

# Check Scan Archives
# Push the Start button.
# ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
# When the scan completes, push LIST OF THREATS FOUND
# Push EXPORT TO TEXT FILE , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
# Push the BACK button.
# Push Finish
# Once the scan is completed, you may close the window.
# Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
# Copy and paste that log as a reply.


Let's also try the bitdefender quickscan.

http://quickscan.bitdefender.com/

When it finishes there is a report option. Click on it and copy and paste the report (even if it says nothing found).

IF you haven't already, run a boot-time scan with Avast. Click on the Avast ball. Then click on Scan Computer, then on Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?




Run OTL (Vista or Win 7 => right click and Run As Administrator)

select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them.
  • 1

#3
disberg

disberg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Dear RKinner

Thank you for replying so promptly.

I am using a wireless router and it is a WAP, which was installed and obtained through my IP. I understood that the password was unique but will discuss that with them later.

Yes, my website is re-infected. I advised Hostgator, my web host of the steps I had taken, as outlined above with the first paragraph of your reply.

I had not tried to address my account with them subject to whatever information you gave me, so you are correct in assuming they did not get the infection completely removed.

I will follow your suggestions and will get back to you with the logs upon completion.
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Could they have your email password? You said that your hosting people had changed your password - did they send it to you in an email?

You might check out this website: http://codex.wordpre...ening_WordPress

It's for wordpress and I don't know what platform you are using but most of the ideas should carry over to whatever platform you are using.

Ron
  • 1

#5
disberg

disberg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hello RKinner

What a learning curve you sent me. I did the scans you recommended and have attached both reports.

Short Story: they did not turn anything up about the Trojan but found some Adware with the Malwarebytes and ComboFix removed 9 versions of Java and still left Java operating. So I have learned I will have to pay attention to that account when updating. Combofix took 15 minutes to scan the computer and another hour and 55 minutes to delete the Java. Yikes.

I received a report back from Hostgator after advising them the Trojan was still resident and they confirmed that they overlooked part of it and dealt with it. I tested www.disbergsdepot.com and it loaded clean.

Thank you very much for such in-depth information in such a timely manner.

Darlene

Attached Files


  • 0

#6
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Interesting that Combofix is now targeting old Java versions. Something new. Current version is 6 Update 30 so make sure that is what you have.

I usually have to have the user delete all of the old versions manually. The reason old Java versions are dangerous is that they have security holes and Java is so stupid that if you go to an infected website, even if you have the newest Java, the website can ask for an older version and if it is still on your system it will be offered and you get infected.

Old Adobe programs are also a major risk so they need to be removed and the latest versions downloaded and installed from adobe.com.

There is something in your combofix logs that I don't like:

[HKEY_USERS\S-1-5-21-1482476501-115176313-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85CB1A53-9CF4-F38D-19CD-083ABD857E81}*]
"dajbemij"=hex:64,62,6b,64,62,6a,64,62,61,6d,65,67,6e,64,6a,6f,6c,67,67,6c,69,
6a,6b,63,67,6a,70,6e,66,66,64,6a,6e,63,6e,63,69,6b,6e,68,00,00
"iagdhegancddcabdkc"=hex:69,61,6d,6d,6b,68,62,63,6e,62,61,6f,6c,6e,64,68,6b,67,
00,00
"haadbiedlmnodjdg"=hex:6a,61,63,6e,63,68,65,65,6e,66,69,64,6e,62,67,63,67,69,
65,63,00,1b
"eaoahldiih"=hex:66,61,69,61,65,70,68,66,6e,61,61,66,00,fc
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6D0C447E-484F-F7CA-50C2-03626B394D20}\InProcServer32*]
"jaimklekancmiphiaaop"=hex:6a,61,67,70,67,6d,6c,67,61,6d,67,6d,67,65,70,67,6c,
6c,63,6f,00,00
"iaimamggedkglmdnaj"=hex:6a,61,67,70,61,6d,6e,65,6d,6b,66,62,6c,64,6b,6e,6e,69,
6b,66,00,9c
"faimklpkcnpa"=hex:66,61,6b,6d,6e,66,6c,6f,6d,68,61,6f,00,ff

I'm not sure what is going on here but I don't like random names and I don't approve of locked registry keys so I usually remove them:



Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

RegNull::
[HKEY_USERS\S-1-5-21-1482476501-115176313-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85CB1A53-9CF4-F38D-19CD-083ABD857E81}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6D0C447E-484F-F7CA-50C2-03626B394D20}\InProcServer32*]

RegLock::
[HKEY_USERS\S-1-5-21-1482476501-115176313-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85CB1A53-9CF4-F38D-19CD-083ABD857E81}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6D0C447E-484F-F7CA-50C2-03626B394D20}\InProcServer32*]
[HKEY_USERS\S-1-5-21-1482476501-115176313-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85CB1A53-9CF4-F38D-19CD-083ABD857E81}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6D0C447E-484F-F7CA-50C2-03626B394D20}\InProcServer32]


Registry::
[-HKEY_USERS\S-1-5-21-1482476501-115176313-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85CB1A53-9CF4-F38D-19CD-083ABD857E81}*]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6D0C447E-484F-F7CA-50C2-03626B394D20}\InProcServer32*]
[-HKEY_USERS\S-1-5-21-1482476501-115176313-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85CB1A53-9CF4-F38D-19CD-083ABD857E81}]
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6D0C447E-484F-F7CA-50C2-03626B394D20}\InProcServer32]



******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag CFScript.txt over to Combofix and let go Combofix should start on its own.

Post the new log.

Ron
  • 1
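The registry values quoted above are written in .reg syntax, with long `hex:` values wrapped onto continuation lines that end in a comma, so the content is hard to read straight from the log. As an added example (not ComboFix's code and not from the post), the script below rejoins those lines, decodes the bytes, and attaches coarse triage flags. The sample text is constructed from the values the post quotes; treating the trailing `*` on a key path as the "locked key" marker the post refers to, and the short list of value names considered normal under these key types, are assumptions made for the example.

```python
"""Decode the REG_BINARY values quoted from a ComboFix registry dump.

Added example (not ComboFix's or the poster's code): the hex: values in a
ComboFix log are written in .reg syntax, with long values wrapped onto
continuation lines that end in a comma.  This rejoins them, decodes the
bytes and reports what each value holds.  Standard library only.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: three of the values quoted in the post, continuation
# line and the "." separator ComboFix prints between keys included.
SAMPLE_DUMP = r"""
[HKEY_USERS\S-1-5-21-1482476501-115176313-682003330-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{85CB1A53-9CF4-F38D-19CD-083ABD857E81}*]
"dajbemij"=hex:64,62,6b,64,62,6a,64,62,61,6d,65,67,6e,64,6a,6f,6c,67,67,6c,69,
6a,6b,63,67,6a,70,6e,66,66,64,6a,6e,63,6e,63,69,6b,6e,68,00,00
"eaoahldiih"=hex:66,61,69,61,65,70,68,66,6e,61,61,66,00,fc
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6D0C447E-484F-F7CA-50C2-03626B394D20}\InProcServer32*]
"faimklpkcnpa"=hex:66,61,6b,6d,6e,66,6c,6f,6d,68,61,6f,00,ff
"""

# Assumption: value names normally seen under these key types; anything else
# is worth a closer look.
EXPECTED_NAMES = {"(default)", "@", "threadingmodel"}

VALUE_RE = re.compile(r'^"([^"]*)"=hex:(.*)$')


@dataclass
class RegValue:
    key: str
    name: str
    data: bytes
    # Assumption, following the post: a trailing '*' on the key path marks a
    # key ComboFix reports as locked.
    locked: bool


@dataclass
class Finding:
    value: RegValue
    text: str          # printable-ASCII prefix of the data
    trailer: bytes     # whatever follows the text (terminators, stray bytes)
    flags: list = field(default_factory=list)


def _hex_tokens(fragment):
    return [tok.strip() for tok in fragment.split(",") if tok.strip()]


def parse_dump(text):
    """Parse .reg-style "name"=hex:.. lines (with continuations) into RegValues."""
    values = []
    key = None
    pending = None  # (name, tokens) while a value is still being continued
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, toks = pending
            toks.extend(_hex_tokens(line))
            if not line.endswith(","):   # a trailing comma means "more on the next line"
                values.append(RegValue(key, name, bytes(int(t, 16) for t in toks),
                                       key.endswith("*")))
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, toks = m.group(1), _hex_tokens(m.group(2))
            if line.endswith(","):
                pending = (name, toks)
            else:
                values.append(RegValue(key, name, bytes(int(t, 16) for t in toks),
                                       key.endswith("*")))
    return values


def analyse(values):
    """Decode each value into a printable prefix plus trailer and attach triage flags."""
    findings = []
    for v in values:
        n = 0
        while n < len(v.data) and 0x20 <= v.data[n] <= 0x7E:
            n += 1
        f = Finding(v, v.data[:n].decode("ascii"), v.data[n:])
        if v.locked:
            f.flags.append("locked-key")
        if v.name.lower() not in EXPECTED_NAMES and re.fullmatch(r"[a-z]{8,}", v.name):
            f.flags.append("unusual-name")      # lowercase letter soup, not a documented value name
        if f.trailer.strip(b"\x00"):
            f.flags.append("non-text-trailer")  # bytes past the string that are not NUL padding
        findings.append(f)
    return findings


def report(text):
    return analyse(parse_dump(text))


if __name__ == "__main__":
    for f in report(SAMPLE_DUMP):
        print(f"{f.value.key}\n  {f.value.name!r}: {f.text!r} + {f.trailer.hex()}  {f.flags}")
```

Run it against a saved ComboFix log by reading the file into `report()`; each finding carries the decoded text, the bytes that follow it, and which of the three heuristics fired, which is what you want in front of you before deciding to null or delete a key.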

#7
disberg

disberg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi Ron

What a rush. Finished your assignments from the 1st post, excepting for the last one. By this time it appears to be over-kill based on the reports I have viewed to date.

Firstly though, I don't know what version of Java I have. I have attached a report of the files sitting in Java, plus some other folders, which I think should probably be deleted.

Completed the further deletion of the files you recommended in your 2nd post and attached is the log. Just by-the-by, upon dropping the killall:: script into Combofix it downloaded an update for the program and then hung. I had to reboot the system and then open it again. It worked that time.

Yes, the Web Host has my email passwords. Actually, since this scenario one of my email accounts is not functioning and I need to get on to them about that. Yes, they did email a new account password but I have not tried to use it yet. I don't want to go into the cPanel until I know my computer is clean.

I use the WordPress version through my Web Host that is found on Ruby on Rails. That way, the IT guys can help me if I need it. So far I have been OK, but you never know, do you? Well, you do, but I don't. I use RoboForm to generate my passwords and have just adjusted my password format to 10 digits.

I downloaded aswMBR.exe and did a scan see attached.

I opened TDSSKiller and did a scan. It found "0" viruses and did not offer a report although there was one. I couldn't figure out how to copy it so I just closed it.

I think I attracted the Trojan from visiting some websites. I look at them sometimes to see how they are made. I am just in the middle of converting my websites to XHTML/CSS and as a beginner you will know some of the challenges I have been trying to figure out. So far so good and I have one website almost 75% completed.

I use Avast as my main defense against viruses, partly because it can analyze the UNIX system too. I had it for a while thinking I would get away from the viruses but it got infected too, so I don't use it anymore. It was just too much to remember running 2 systems at the same time. I have another hard drive but something disconnected the secondary hard drive about 3 months ago, I think. I was using it for storage of clean data, just in case something awful happened to my main hard drive. I think it must be something in the BIOS but haven't looked yet.

One thing about owning a computer is one is never done. Something always comes up, or there is new information/programs to learn and so on.

Merry Christmas

Thank you

Darlene

Attached Files


  • 0

#8
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Doesn't look like Combofix worked.

You might try it again.

If you run OTL (Vista or Win 7 => right click and Run As Administrator) and select the All option in the Extra Registry group, then Run Scan, you will get two logs. The Extras log will show me what is installed.

Ron
  • 0

#9
disberg

disberg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Evening Ron

I had to run ComboFix twice. It hung on the Stage 3 first go-around. Second time seemed OK. See attached.

I have XP so did not use Vista/Windows7. I presume it was run by the Administrator. See attached.

Attached Files

  • Attached File  OTL.txt   51.66KB   118 downloads
  • Attached File  log.txt   19.39KB   89 downloads

  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Combofix worked that time.

I do not see the Extras log. Judging by the OTL log you missed the step about selecting the ALL button in the EXTRA REGISTRY section.

Also I would uninstall Reg Cure and ParetoLogic. Neither will really do anything for your PC and they may make it worse.
  • 0

#11
disberg

disberg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
LOL. Oh, the program gave me the extra log I just didn't realize what it was. I thought I had generated or saved it wrong or something. I am very stupid sometimes. I forgot your reference to the 2nd log.

Ran the program again and attached are the two logs.

Attached Files


  • 0

#12
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Appears Combofix doesn't remove all of the old Javas.

Uninstall
Java™ 6 Update 29 Should be Java™ 6 Update 30 - java.com
Java™ 6 Update 16
J2SE Runtime Environment 5.0 Update 1
Java™ 6 Update 7
Java 2 Runtime Environment, SE v1.4.1
Java™ SE Development Kit 6 Update 13
JavaFX™ 1.1 SDK should be JavaFX 2.0 http://www.oracle.co...view/index.html
Java DB 10.4.1.3 should be Java DB 10.5.3.0 http://www.oracle.co...view/index.html
Adobe Reader 9.4.6 should be X.something - Adobe.com
Adobe Acrobat 5.0 should be X.something - Adobe.com
"Yahoo! Companion" = Yahoo! Toolbar - Foistware
"Yahoo! Toolbar" = Yahoo! Toolbar - Foistware


That's about all I see so I think we can clean up now.

We need to clean up System Restore.

Copy the following:


:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]

Run OTL. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

OTL has a cleanup tab so if you run it again and select cleanup it will remove itself and its backup files.

To hide hidden files again (If you do not run OTL cleanup):

XP

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Uncheck the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
7. Check the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shut down My Computer.

You probably do not have the latest Java (Java™ 6 Update 29 or 7 update 1). Get the latest at:
http://www.java.com/en/

Save it to your PC then close all browsers and install it. Note on Java and Firefox: for some reason Java does not remove old consoles from Firefox. Any time you update Java you should go to Firefox, Add-ons, Extensions and disable any old Java Consoles.

They will look like: Java Console 6.xx. The xx corresponds to the update number. When they switch to 7 update 0 then it will be Java Console 7.

Multiple Java Consoles will slow down the Firefox boot. After any change to Firefox or its extensions you should run Speedyfox. (Mentioned later.)



Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it. You can right click on the updatechecker icon (looks like a downward green arrowhead) and select Settings and tell it no betas. If you don't use MSN Messenger I would not update it. MS installs a bunch of stuff when you do. You can tell the program to not show you that update.)
If you use Firefox or Chrome then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.
The equivalent to AdBlock Plus for IE is called Simple Adblock and you should install it too: http://simple-adblock.com/

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox . Click on Speedup my Firefox. When it finishes click on Exit.

Be warned: If you use Limewire, utorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.

Ron
  • 0
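The uninstall list above shows six generations of Java runtimes and a JDK coexisting on one PC, which is exactly the situation the earlier post warns about: an old runtime that is still installed can be requested by a page even when a current one is present. As an added example (not OTL's code and not from the post), the script below parses installed-program display names of the shapes Sun and Oracle used, orders the versions, and says which entries to remove and whether the baseline is present at all. The sample names are constructed from the post's list; the baseline defaults to 6 Update 30, the version the post names as current, and is a parameter.

```python
"""Audit installed Java runtimes from Add/Remove Programs display names.

Added example (not OTL's or the poster's code).  Parses the display names
as they appear in an installed-programs list, orders them, and says which
to remove.  The baseline version is a parameter; 6 Update 30 is the
version the post names as current and is used as the default.
"""
import re
from dataclasses import dataclass

# Constructed sample: the installed-program names listed in the post.
INSTALLED = [
    "Java(TM) 6 Update 29",
    "Java(TM) 6 Update 16",
    "J2SE Runtime Environment 5.0 Update 1",
    "Java(TM) 6 Update 7",
    "Java 2 Runtime Environment, SE v1.4.1",
    "Java(TM) SE Development Kit 6 Update 13",
    "JavaFX(TM) 1.1 SDK",
    "Java DB 10.4.1.3",
    "Adobe Reader 9.4.6",
]

# Display-name shapes the Sun/Oracle installers used over the years.
PATTERNS = [
    # "Java(TM) 6 Update 29" and "Java(TM) SE Development Kit 6 Update 13"
    (re.compile(r"^Java\(TM\) (SE Development Kit )?(\d+) Update (\d+)$"),
     lambda m: ("JDK" if m.group(1) else "JRE", int(m.group(2)), int(m.group(3)))),
    # "J2SE Runtime Environment 5.0 Update 1"
    (re.compile(r"^J2SE Runtime Environment (\d+)\.\d+ Update (\d+)$"),
     lambda m: ("JRE", int(m.group(1)), int(m.group(2)))),
    # "Java 2 Runtime Environment, SE v1.4.1"  (1.x numbering: 1.4.1 is Java 4, release 1)
    (re.compile(r"^Java 2 Runtime Environment, SE v1\.(\d+)\.(\d+)$"),
     lambda m: ("JRE", int(m.group(1)), int(m.group(2)))),
]


@dataclass(frozen=True)
class JavaInstall:
    display_name: str
    kind: str      # "JRE" or "JDK"
    major: int
    update: int

    @property
    def version(self):
        return (self.major, self.update)


def parse_java(display_name):
    """Return a JavaInstall for a Java runtime/JDK display name, else None."""
    name = display_name.replace("\u2122", "(TM)")   # the list may use the ™ glyph
    for pattern, build in PATTERNS:
        m = pattern.match(name)
        if m:
            kind, major, update = build(m)
            return JavaInstall(display_name, kind, major, update)
    return None


def audit(display_names, current=(6, 30)):
    """Split installs into keep/uninstall and say whether the baseline is present."""
    installs = [j for j in map(parse_java, display_names) if j is not None]
    keep, uninstall = [], []
    for j in sorted(installs, key=lambda j: j.version, reverse=True):
        # Keep only a JRE at or above the baseline: every older runtime is
        # extra attack surface, and a JDK is not needed to browse.
        if j.kind == "JRE" and j.version >= current:
            keep.append(j)
        else:
            uninstall.append(j)
    return {"keep": keep, "uninstall": uninstall, "needs_install": not keep}


if __name__ == "__main__":
    result = audit(INSTALLED)
    for j in result["uninstall"]:
        print("uninstall:", j.display_name)
    for j in result["keep"]:
        print("keep:     ", j.display_name)
    print("install current Java:", result["needs_install"])
```

Feed it the "Installed Programs" names from an OTL Extras log (or the output of any inventory tool) and the result is the same list the post derives by eye, with the added check that a current runtime is actually present and not merely assumed.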

#13
disberg

disberg

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Happy New Year Ron.

I hadn't gone to sleep at the switch, just had to wait for the holidays to get over as my ISP has only a skeleton staff on during holidays. Even so today it took me 1.45 hrs to get someone to talk to.

I am glad I did, as I found out a few things I didn't know about - (that's not hard).

Anyways, although I have a wireless modem my PC is not on wireless. I use the wireless for my Kindle and just thought the wireless is attached to everything; my computer is not.

I was told that encryption is built into their equipment and could not be an issue.

I don't use Firefox or Chrome for anything. Only I/E or Opera.

I removed the JavaScript from Adobe Reader etc.

I think everything is done now. The computer is working fine and my website is no longer infected.

Thank you very much for your assistance and knowledge.

If you ever need an extra pair of hands I would be available.

Regards

Darlene
  • 0

#14
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,624 posts
  • MVP
Happy New Year to you too. May it be a virus free year!

Glad things are working ok. I'd say use Opera as much as possible. It's not a very well known browser so there are fewer attacks on it than on IE.

Ron
  • 0
