Geeks to Go

Malware problems [Solved]


  • This topic is locked

#31
raps1355 (Member, Topic Starter, 39 posts)

RogueKiller report,

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.co...es/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Joe [Admin rights]
Mode : Remove -- Date : 08/21/2013 21:45:33
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe [7] -> KILLED [TermProc]
[SVCHOST] svchost.exe -- C:\WINDOWS\system32\svchost.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : TvtXdnsd (C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe [-]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-448539723-515967899-725345543-1004\[...]\Run : TvtXdnsd (C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe [-]) -> [0x2] The system cannot find the file specified.
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : userinit (c:\windows\system32\userinit.exe,,C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe [7][-]) -> REPLACED (C:\WINDOWS\system32\userinit.exe,)
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SECU] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ SECU] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ SECU] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3250820AS +++++
--- User ---
[MBR] c22358d4f4a6616a5ccf77711b57b869
[BSP] a1cd38a3ebe5e0fca92649b10ccc2fee : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_08212013_214533.txt >>
RKreport[0]_S_08212013_212018.txt


#32
Phel (Trusted Helper, Malware Removal, 1,386 posts)

Can you please run a RogueKiller scan once more to make sure that all is clean?

#33
raps1355 (Member, Topic Starter, 39 posts)

OTL logfile created on: 21/08/2013 21:47:16 - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Joe\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.40 Gb Available Physical Memory | 70.00% Memory free
3.85 Gb Paging File | 3.44 Gb Available in Paging File | 89.44% Paging File free
Paging file location(s): C:\pagefile.sys 0 0F:\pagefile.sys 2047 3070 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 180.93 Gb Free Space | 77.69% Space Free | Partition Type: NTFS

Computer Name: ASUSP5K-SE | User Name: Joe | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/08/17 23:23:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.com
PRC - [2013/07/25 17:57:36 | 000,853,800 | ---- | M] (AnchorFree Inc.) -- C:\Program Files\Hotspot Shield\bin\cmw_srv.exe
PRC - [2013/07/25 17:57:08 | 000,548,136 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\hsswd.exe
PRC - [2012/06/03 17:55:08 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2009/11/04 10:20:04 | 001,507,431 | ---- | M] (NETGEAR) -- C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
PRC - [2008/06/27 16:24:34 | 000,467,028 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/08 17:31:24 | 000,148,760 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
PRC - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (No Company Name) ==========

MOD - [2013/07/25 17:57:08 | 000,548,136 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\hsswd.exe
MOD - [2013/07/24 20:18:40 | 000,744,744 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\af_proxy.dll
MOD - [2010/07/04 22:32:38 | 000,010,752 | ---- | M] () -- C:\Program Files\Unlocker\UnlockerCOM.dll
MOD - [2008/09/16 21:18:06 | 000,132,608 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/07/25 17:57:36 | 000,853,800 | ---- | M] (AnchorFree Inc.) [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\cmw_srv.exe -- (hshld)
SRV - [2013/07/25 17:57:08 | 000,548,136 | ---- | M] () [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\hsswd.exe -- (HssWd)
SRV - [2013/07/24 03:17:10 | 000,078,512 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Hotspot Shield\bin\HSSTrayService.exe -- (HssTrayService)
SRV - [2012/01/18 14:38:28 | 000,155,320 | ---- | M] (Avanquest Software) [Disabled | Stopped] -- C:\Program Files\Sony\Sony PC Companion\PCCService.exe -- (Sony PC Companion)
SRV - [2010/06/06 17:32:00 | 003,819,912 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\system32\GameMon.des -- (npggsvc)
SRV - [2008/06/27 16:24:34 | 000,467,028 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2008/02/27 11:54:52 | 000,360,547 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe -- (jswpsapi)
SRV - [2007/08/08 17:31:14 | 000,410,904 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | Auto | Stopped] -- system32\DRIVERS\rp_skt32.sys -- (RPSKT)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lmimirr.sys -- (lmimirr)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Joe\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys -- (cpuz132)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (ai2evsrk)
DRV - [2013/08/17 20:37:56 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2013/07/24 03:10:56 | 000,044,744 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hssdrv.sys -- (HssDrv)
DRV - [2013/06/21 01:19:10 | 000,033,512 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
DRV - [2010/10/27 16:40:00 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2010/07/04 20:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2010/04/20 05:12:32 | 000,601,088 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WN111v2.sys -- (WN111v2)
DRV - [2009/01/31 03:55:05 | 000,033,824 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\oreans32.sys -- (oreans32)
DRV - [2008/10/01 16:45:52 | 000,057,440 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\jswscimd.sys -- (JSWSCIMD)
DRV - [2008/05/14 00:08:04 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/13 19:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2007/12/14 04:31:00 | 000,057,408 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2007/11/01 01:56:00 | 000,036,864 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l151x86.sys -- (AtcL001)
DRV - [2007/06/18 21:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/03/26 12:21:06 | 004,395,008 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2006/10/18 20:12:16 | 000,012,664 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2006/09/05 19:26:56 | 000,168,832 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinavt2.sys -- (ATIAVAIW)
DRV - [2004/08/13 11:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2003/07/24 12:10:34 | 000,017,149 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DNINDIS5.sys -- (DNINDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.bing.com/ [binary data]
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.co.uk/
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes,DefaultScope = {E397187B-6912-4356-95B2-3D204C8F4741}
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{08AADFBC-3CEE-4019-A342-6EE40DDFDC73}: "URL" = http://search.yahoo....petb&type=10553
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...1I7ADFA_enGB382
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{E397187B-6912-4356-95B2-3D204C8F4741}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: [email protected]:1.0
FF - prefs.js..extensions.enabledAddons: {97E22097-9A2F-45b1-8DAF-36AD648C7EF4}:15.0.4
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.4.53: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.4.53: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.4.53: C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tightropeinteractive.com/Plugin: C:\Documents and Settings\Joe\Local Settings\Application Data\TNT2\2.0.0.1627\npTNT2.dll (Search.Us.com)
FF - HKCU\Software\MozillaPlugins\@tnt2ghost.com/Plugin: C:\Documents and Settings\Joe\Local Settings\Application Data\TNT2\2.0.0.1627\npTNT2ghost.dll (Search.Us.com)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/06/03 17:55:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/03 17:55:18 | 000,000,000 | ---D | M]

[2011/04/05 10:34:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Joe\Application Data\Mozilla\Extensions
[2013/08/18 15:14:48 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/08/18 15:14:48 | 000,000,000 | ---D | M] (Hotspot Shield Helper (Please allow this installation)) -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2011/03/18 18:57:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 09:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2010/01/01 09:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 09:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2010/01/01 09:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2010/01/01 09:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2013/08/19 21:21:48 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-448539723-515967899-725345543-1004..\Run: [TvtXdnsd] C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WN111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111v2\WN111V2.exe (NETGEAR)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1199120511546 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{068DCEAB-14A4-4E6D-9C26-03D529310EFD}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0E0EEEF2-16DD-4387-ABD4-AA840C8FA85F}: NameServer = 8.8.8.8
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe) - C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Joe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Joe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/31 18:04:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{32acefe0-3762-11dd-ac65-001d60526c5c}\Shell\AutoRun\command - "" = E:\WD_Windows_Tools\Setup.exe
O33 - MountPoints2\{54a7570c-185f-11de-ae2c-001d60526c5c}\Shell\AutoRun\command - "" = E:\wdsync.exe
O33 - MountPoints2\{5f785bf4-e661-11df-afbd-001d60526c5c}\Shell - "" = AutoRun
O33 - MountPoints2\{5f785bf4-e661-11df-afbd-001d60526c5c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5f785bf4-e661-11df-afbd-001d60526c5c}\Shell\AutoRun\command - "" = F:\Startme.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/08/21 21:18:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Desktop\RK_Quarantine
[2013/08/20 17:42:11 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Joe\Desktop\aswMBR.com
[2013/08/19 21:16:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\CC Support
[2013/08/19 17:32:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Hotspot Shield
[2013/08/18 15:14:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Local Settings\Application Data\TNT2
[2013/08/18 14:59:52 | 000,000,000 | ---D | C] -- C:\Avenger
[2013/08/18 14:53:14 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/08/17 23:23:40 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.com
[2013/08/17 20:37:56 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/07/30 12:26:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Desktop\ff11 stuff
[2013/07/25 19:33:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Hotspot Shield
[2013/07/25 19:33:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hotspot Shield
[2013/07/25 19:32:42 | 000,000,000 | ---D | C] -- C:\Program Files\Hotspot Shield
[2013/07/25 19:32:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Application Data\Hotspot Shield
[2010/03/07 14:09:26 | 000,092,064 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmmdm.sys
[2010/03/07 14:09:26 | 000,079,328 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmserd.sys
[2010/03/07 14:09:26 | 000,066,656 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmbus.sys
[2010/03/07 14:09:26 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Joe\usbsermptxp.sys
[2010/03/07 14:09:26 | 000,022,768 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Joe\usbsermpt.sys
[2010/03/07 14:09:26 | 000,009,232 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmmdfl.sys
[2010/03/07 14:09:26 | 000,006,208 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmcmnt.sys
[2010/03/07 14:09:26 | 000,005,936 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmwhnt.sys
[2010/03/07 14:09:26 | 000,004,048 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmcr.sys
[1 C:\Documents and Settings\LocalService\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\LocalService\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/08/21 21:39:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/08/21 21:18:17 | 000,923,136 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\RogueKiller.com
[2013/08/21 18:34:51 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-448539723-515967899-725345543-1004.job
[2013/08/21 18:34:32 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/08/21 18:34:22 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/08/21 18:32:38 | 000,003,274 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\Wmi.reg
[2013/08/21 18:32:24 | 000,005,848 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\SharedAccess.reg
[2013/08/21 18:32:19 | 000,003,658 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\wscsvc.reg
[2013/08/21 18:32:14 | 000,002,764 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\ALG.reg
[2013/08/20 17:44:08 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\MBR.dat
[2013/08/20 17:42:12 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Joe\Desktop\aswMBR.com
[2013/08/19 21:21:48 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2013/08/19 21:16:12 | 004,009,167 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\ServicesRepair.com
[2013/08/19 17:33:00 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hotspot Shield.lnk
[2013/08/19 17:30:58 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/08/18 17:56:01 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-448539723-515967899-725345543-1004.job
[2013/08/18 14:57:25 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\avenger.zip
[2013/08/17 23:23:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.com
[2013/08/17 22:06:02 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2013/08/17 20:37:56 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/08/03 13:09:18 | 000,001,124 | ---- | M] () -- C:\Documents and Settings\Joe\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickStores.lnk
[2013/07/24 03:10:56 | 000,044,744 | ---- | M] (AnchorFree Inc.) -- C:\WINDOWS\System32\drivers\hssdrv.sys

========== Files Created - No Company Name ==========

[2013/08/21 21:18:16 | 000,923,136 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\RogueKiller.com
[2013/08/21 18:32:38 | 000,003,274 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\Wmi.reg
[2013/08/21 18:32:24 | 000,005,848 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\SharedAccess.reg
[2013/08/21 18:32:19 | 000,003,658 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\wscsvc.reg
[2013/08/21 18:32:13 | 000,002,764 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\ALG.reg
[2013/08/20 17:44:08 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\MBR.dat
[2013/08/19 21:16:11 | 004,009,167 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\ServicesRepair.com
[2013/08/18 14:57:43 | 000,731,136 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\avenger.com
[2013/08/18 14:57:24 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\avenger.zip
[2013/08/03 13:09:18 | 000,001,124 | ---- | C] () -- C:\Documents and Settings\Joe\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickStores.lnk
[2013/07/25 19:33:37 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hotspot Shield.lnk
[2013/06/30 10:34:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/06/22 19:48:44 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Joe\Application Data\SharedSettings.ccs
[2013/05/09 19:00:44 | 000,646,807 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-448539723-515967899-725345543-1004-0.dat
[2013/05/09 19:00:38 | 000,299,122 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2013/02/21 22:02:23 | 000,000,096 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2012/04/04 23:49:04 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/03/07 14:11:53 | 000,070,690 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem41.PNF
[2010/03/07 14:11:53 | 000,054,341 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem41.inf
[2010/03/07 14:11:53 | 000,016,002 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem36.PNF
[2010/03/07 14:11:53 | 000,015,682 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem33.PNF
[2010/03/07 14:11:53 | 000,014,334 | ---- | C] () -- C:\Documents and Settings\Joe\Copy (2) of oem28.PNF
[2010/03/07 14:11:53 | 000,012,866 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem31.PNF
[2010/03/07 14:11:53 | 000,012,828 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem30.PNF
[2010/03/07 14:11:53 | 000,012,348 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem32.PNF
[2010/03/07 14:11:53 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem36.inf
[2010/03/07 14:11:53 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem33.inf
[2010/03/07 14:11:53 | 000,007,754 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem34.PNF
[2010/03/07 14:11:53 | 000,007,314 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem35.PNF
[2010/03/07 14:11:53 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\Joe\1267967513-(null)
[2010/03/07 14:11:53 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem34.inf
[2010/03/07 14:11:53 | 000,006,209 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem31.inf
[2010/03/07 14:11:53 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem30.inf
[2010/03/07 14:11:53 | 000,005,813 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem32.inf
[2010/03/07 14:11:53 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem35.inf
[2010/03/07 14:09:26 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\Joe\MCCI_MDM.INF
[2010/03/07 14:09:26 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Joe\USB_MOT_BRIT.INF
[2010/03/07 14:09:26 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\Joe\USBMOT2000.INF
[2010/03/07 14:09:26 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\Joe\MCCI_BUS.INF
[2010/03/07 14:09:26 | 000,006,141 | ---- | C] () -- C:\Documents and Settings\Joe\USBMOT2000XP.INF
[2010/03/07 14:09:26 | 000,005,960 | ---- | C] () -- C:\Documents and Settings\Joe\USB_MOT_A1000.INF
[2010/03/07 14:09:26 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Joe\USB_CMCS_2000.INF
[2010/03/07 14:09:26 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\Joe\MCCI_SDM.INF
[2010/03/07 14:09:20 | 000,070,690 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem28.PNF
[2010/03/07 14:09:20 | 000,054,341 | ---- | C] () -- C:\Documents and Settings\Joe\1267967360-(null)
[2008/03/04 23:48:34 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/31 18:55:51 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2007/12/31 17:39:10 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 01:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 13:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 01:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

========== Base Services ==========
No service found with a name of ALG
SRV - [2008/04/14 01:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/14 01:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2012/07/06 14:58:51 | 000,078,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2008/04/14 01:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2008/04/14 01:11:51 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2009/04/20 18:17:26 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
SRV - [2008/04/14 01:11:52 | 000,033,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost)
SRV - [2009/07/28 00:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2008/04/14 01:12:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - [2008/04/14 01:11:54 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\hidserv.dll -- (HidServ)
SRV - [2008/04/14 01:12:22 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2008/04/14 01:11:52 | 000,023,552 | ---- | M] (Microsoft Corp.) [On_Demand | Stopped] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2008/04/14 01:12:17 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand | Stopped] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2008/04/14 01:12:17 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2008/04/14 01:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/06/20 17:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\mswsock.dll -- (Nla)
SRV - [2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2010/08/17 14:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2008/04/14 01:12:03 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2008/04/14 01:12:03 | 000,186,368 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2009/02/09 13:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs)
SRV - [2008/04/14 01:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2008/04/14 01:12:05 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
No service found with a name of wscsvc
SRV - [2010/08/27 06:57:43 | 000,099,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver)
SRV - [2009/07/28 00:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2008/04/14 01:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/04/14 01:12:05 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2008/04/14 01:11:56 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2008/04/14 01:12:07 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2008/04/14 01:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2009/07/28 00:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2008/04/14 01:12:38 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2008/04/14 01:11:50 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
SRV - [2008/04/14 01:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) [Disabled | Unknown] -- C:\WINDOWS\system32\svchost.exe -- (SharedAccess)
SRV - [2008/04/14 01:12:08 | 000,333,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc)
SRV - [2008/04/14 01:12:28 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2008/04/14 01:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
SRV - [2009/02/09 13:10:48 | 000,617,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\advapi32.dll -- (Wmi)
SRV - [2008/04/14 01:11:52 | 000,132,096 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc)
SRV - [2008/04/14 01:12:11 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2009/06/10 07:14:49 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)

< >

========== Files - Unicode (All) ==========
[2009/04/29 03:11:18 | 000,000,000 | ---- | M] ()(C:\WINDOWS\System32\8m?) -- C:\WINDOWS\System32\8m“
[2009/04/29 03:11:18 | 000,000,000 | ---- | C] ()(C:\WINDOWS\System32\8m?) -- C:\WINDOWS\System32\8m“
[2009/04/24 17:15:11 | 000,000,000 | ---- | M] ()(C:\WINDOWS\System32\0~?) -- C:\WINDOWS\System32\0~“
[2009/04/24 17:15:11 | 000,000,000 | ---- | C] ()(C:\WINDOWS\System32\0~?) -- C:\WINDOWS\System32\0~“

< End of report >

#34
Phel (Trusted Helper, Malware Removal, 1,386 posts)
Run wscsvc.reg and ALG.reg on your Desktop once more before the fix. Accept all changes for the registry.

Boot your computer into Safe Mode with Networking (press and hold the F8 key while the computer starts).

Step 1. OTL fix.

  • Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    :Commands
    [CREATERESTOREPOINT]
    
    :OTL
    O4 - HKU\S-1-5-21-448539723-515967899-725345543-1004..\Run: [TvtXdnsd] C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
    O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe) - C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
    [2009/04/29 03:11:18 | 000,000,000 | ---- | M] ()(C:\WINDOWS\System32\8m?) -- C:\WINDOWS\System32\8m“
    [2009/04/29 03:11:18 | 000,000,000 | ---- | C] ()(C:\WINDOWS\System32\8m?) -- C:\WINDOWS\System32\8m“
    [2009/04/24 17:15:11 | 000,000,000 | ---- | M] ()(C:\WINDOWS\System32\0~?) -- C:\WINDOWS\System32\0~“
    [2009/04/24 17:15:11 | 000,000,000 | ---- | C] ()(C:\WINDOWS\System32\0~?) -- C:\WINDOWS\System32\0~“
    
    :Files
    C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm
    netsh int ip reset resetlog.txt /c
    netsh winsock reset catalog /c
    sc config SharedAccess start=demand /c
    sc query alg /c
    sc query wscsvc /c
    
    :Commands
    [EMPTYTEMP]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • After the reboot an OTL log should pop up. Post its contents in your next message.

Step 2. OTL scan.

  • Run OTL.
  • Click the Scan All Users checkbox, which is located near the Quick Scan button.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    BASESERVICES
  • Then click the Run Scan button at the top.
  • Let the program run unhindered.
  • When the scan completes, it will open a Notepad window, OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file, one at a time and post them in your topic.
So, please, don't forget to post in your next message:

  • OTL log after reboot
  • OTL.txt

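Added example (Python, written for this page; it is not OTL's code and nothing Phel or the topic starter posted): a small triage parser for OTL output that picks out the indicators the fix above targets, namely the base services OTL reports as missing (ALG and wscsvc in the BASESERVICES output), base services left Disabled (wuauserv), the per-user Run entry and the extra Winlogon UserInit component pointing into the lpclpkjm folder, and the EnableLUA policy value RogueKiller had already flagged. The sample lines are copied from the OTL logs posted in this thread and are not a complete log; the regular expressions assume the OTL 3.2.x line formats exactly as they appear here, and the user-profile path markers are my heuristic, not an OTL rule.

```python
"""Triage an OTL (OldTimer's tool) log for the indicators handled in this thread."""
import re

# Constructed sample: a handful of lines copied from the OTL logs posted above,
# not a complete log. Paths and SIDs are the ones that appear in the thread.
OTL_SAMPLE = r"""
No service found with a name of ALG
SRV - [2008/04/14 01:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/14 01:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
No service found with a name of wscsvc
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-448539723-515967899-725345543-1004..\Run: [TvtXdnsd] C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe) - C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
"""

# Line shapes as printed by OTL 3.2.x in the logs above (assumption: other
# versions may differ).
MISSING_SVC = re.compile(r"^No service found with a name of (\S+)$")
SRV_LINE = re.compile(r"^SRV - .*\[(\w+) \| (\w+)\] -- (.+?) -- \((.+)\)$")
O4_LINE = re.compile(r"^O4 - (.+?)\.\.\\Run: \[([^\]]+)\] (.+)$")
O6_LINE = re.compile(r"^O6 - (.+?): (\w+) = (\S+)$")
O20_LINE = re.compile(r"^O20 - HKLM Winlogon: (\w+) - \((.+?)\) - (.+)$")

# Heuristic: autorun targets living under a user profile are where this
# infection sat (lpclpkjm\tvtxdnsd.exe); legitimate XP autoruns rarely do.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\local settings\\",
                        "\\application data\\", "\\temp\\")
# The only component Winlogon\UserInit should carry on a clean XP box.
EXPECTED_USERINIT = "\\system32\\userinit.exe"


def analyse(log_text):
    """Return the indicators found in OTL output, grouped by type."""
    findings = {
        "missing_services": [],     # base services OTL could not find (ALG, wscsvc)
        "disabled_services": [],    # base services with start type Disabled
        "suspicious_autoruns": [],  # (hive, value name, target) from O4 lines
        "userinit_extra": [],       # UserInit components other than userinit.exe
        "tampered_policies": [],    # policy values RogueKiller also flagged
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MISSING_SVC.match(line)
        if m:
            findings["missing_services"].append(m.group(1))
            continue
        m = SRV_LINE.match(line)
        if m:
            start_type, _state, _image, name = m.groups()
            if start_type == "Disabled":
                findings["disabled_services"].append(name)
            continue
        m = O4_LINE.match(line)
        if m:
            hive, name, target = m.groups()
            if target.endswith("File not found") or any(
                    marker in target.lower() for marker in USER_PROFILE_MARKERS):
                findings["suspicious_autoruns"].append((hive, name, target))
            continue
        m = O6_LINE.match(line)
        if m:
            key, value, data = m.groups()
            # EnableLUA governs UAC on Vista and later; XP ignores it, but a
            # value of 0 here is the same change RogueKiller reported as [HJ POL].
            if value == "EnableLUA" and data == "0":
                findings["tampered_policies"].append(f"{key}\\{value}={data}")
            continue
        m = O20_LINE.match(line)
        if m:
            value, configured, _resolved = m.groups()
            # OTL prints one O20 line per comma-separated UserInit component;
            # anything besides system32\userinit.exe is an appended hijack.
            if value == "UserInit" and not configured.lower().endswith(EXPECTED_USERINIT):
                findings["userinit_extra"].append(configured)
    return findings


def summarise(findings):
    """Flatten findings into one line per indicator, for reading or diffing."""
    return [f"{kind}: {item}" for kind, items in findings.items() for item in items]


if __name__ == "__main__":
    for entry in summarise(analyse(OTL_SAMPLE)):
        print(entry)
```

Run it against a full OTL.txt by reading the file into analyse() instead of OTL_SAMPLE; a service reported under missing_services is the same condition Phel's `sc query` lines confirm with error 1060, and an entry under userinit_extra is the component the O20 fix line in the script above removes.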

#35
raps1355 (Member, Topic Starter, 39 posts)
All processes killed
========== COMMANDS ==========
Unable to start System Restore Service. Error code 10
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-448539723-515967899-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Run\\TvtXdnsd deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe deleted successfully.
File C:\WINDOWS\System32\8m“ not found.
File C:\WINDOWS\System32\8m“ not found.
File C:\WINDOWS\System32\0~“ not found.
File C:\WINDOWS\System32\0~“ not found.
========== FILES ==========
File\Folder C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm not found.
< netsh int ip reset resetlog.txt /c >
C:\Documents and Settings\Joe\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Joe\Desktop\cmd.txt deleted successfully.
< netsh winsock reset catalog /c >
Sucessfully reset the Winsock Catalog.
You must restart the machine in order to complete the reset.
C:\Documents and Settings\Joe\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Joe\Desktop\cmd.txt deleted successfully.
< sc config SharedAccess start=demand /c >
Modifies a service entry in the registry and Service Database.
SYNTAX:
sc <server> config [service name] <option1> <option2>...
CONFIG OPTIONS:
NOTE: The option name includes the equal sign.
type= <own|share|interact|kernel|filesys|rec|adapt>
start= <boot|system|auto|demand|disabled>
error= <normal|severe|critical|ignore>
binPath= <BinaryPathName>
group= <LoadOrderGroup>
tag= <yes|no>
depend= <Dependencies(separated by / (forward slash))>
obj= <AccountName|ObjectName>
DisplayName= <display name>
password= <password>
C:\Documents and Settings\Joe\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Joe\Desktop\cmd.txt deleted successfully.
< sc query alg /c >
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.
C:\Documents and Settings\Joe\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Joe\Desktop\cmd.txt deleted successfully.
< sc query wscsvc /c >
[SC] EnumQueryServicesStatus:OpenService FAILED 1060:
The specified service does not exist as an installed service.
C:\Documents and Settings\Joe\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Joe\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: fbwuser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Joe
->Temp folder emptied: 131492 bytes
->Temporary Internet Files folder emptied: 3193161 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 511 bytes

User: Keith
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 49816 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 3.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 08222013_203056

Files\Folders moved on Reboot...
C:\WINDOWS\temp\Perflib_Perfdata_7e0.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

#36
raps1355 (Member, Topic Starter, 39 posts)
OTL logfile created on: 22/08/2013 20:38:07 - Run 5
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Joe\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.53 Gb Available Physical Memory | 76.61% Memory free
3.85 Gb Paging File | 3.56 Gb Available in Paging File | 92.61% Paging File free
Paging file location(s): C:\pagefile.sys 0 0F:\pagefile.sys 2047 3070 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 180.94 Gb Free Space | 77.69% Space Free | Partition Type: NTFS

Computer Name: ASUSP5K-SE | User Name: Joe | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/08/17 23:23:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.com
PRC - [2012/06/03 17:55:08 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2009/11/04 10:20:04 | 001,507,431 | ---- | M] (NETGEAR) -- C:\Program Files\NETGEAR\WN111v2\WN111V2.exe
PRC - [2008/06/27 16:24:34 | 000,467,028 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/08 17:31:24 | 000,148,760 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
PRC - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/07/25 17:57:36 | 000,853,800 | ---- | M] (AnchorFree Inc.) [Disabled | Stopped] -- C:\Program Files\Hotspot Shield\bin\cmw_srv.exe -- (hshld)
SRV - [2013/07/25 17:57:08 | 000,548,136 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Hotspot Shield\bin\hsswd.exe -- (HssWd)
SRV - [2013/07/24 03:17:10 | 000,078,512 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\Hotspot Shield\bin\HSSTrayService.exe -- (HssTrayService)
SRV - [2012/01/18 14:38:28 | 000,155,320 | ---- | M] (Avanquest Software) [Disabled | Stopped] -- C:\Program Files\Sony\Sony PC Companion\PCCService.exe -- (Sony PC Companion)
SRV - [2010/06/06 17:32:00 | 003,819,912 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\system32\GameMon.des -- (npggsvc)
SRV - [2008/06/27 16:24:34 | 000,467,028 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2008/02/27 11:54:52 | 000,360,547 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\NETGEAR\WN111v2\jswpsapi.exe -- (jswpsapi)
SRV - [2007/08/08 17:31:14 | 000,410,904 | ---- | M] (Acronis) [Disabled | Stopped] -- C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Auto | Running] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | Auto | Stopped] -- system32\DRIVERS\rp_skt32.sys -- (RPSKT)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lmimirr.sys -- (lmimirr)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\Joe\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys -- (cpuz132)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a93xpps7)
DRV - [2013/08/17 20:37:56 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2013/07/24 03:10:56 | 000,044,744 | ---- | M] (AnchorFree Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hssdrv.sys -- (HssDrv)
DRV - [2013/06/21 01:19:10 | 000,033,512 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\taphss.sys -- (taphss)
DRV - [2010/10/27 16:40:00 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2010/07/04 20:51:26 | 000,004,096 | ---- | M] () [Kernel | Unavailable | Unknown] -- C:\Program Files\Unlocker\UnlockerDriver5.sys -- (UnlockerDriver5)
DRV - [2010/04/20 05:12:32 | 000,601,088 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\WN111v2.sys -- (WN111v2)
DRV - [2009/01/31 03:55:05 | 000,033,824 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\oreans32.sys -- (oreans32)
DRV - [2008/10/01 16:45:52 | 000,057,440 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\jswscimd.sys -- (JSWSCIMD)
DRV - [2008/05/14 00:08:04 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
DRV - [2008/04/13 19:46:22 | 000,015,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)
DRV - [2007/12/14 04:31:00 | 000,057,408 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2007/11/01 01:56:00 | 000,036,864 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\l151x86.sys -- (AtcL001)
DRV - [2007/06/18 21:18:26 | 000,023,680 | ---- | M] (Motorola) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\motmodem.sys -- (motmodem)
DRV - [2007/03/26 12:21:06 | 004,395,008 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2006/10/18 20:12:16 | 000,012,664 | R--- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2006/09/05 19:26:56 | 000,168,832 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\atinavt2.sys -- (ATIAVAIW)
DRV - [2004/08/13 11:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2003/07/24 12:10:34 | 000,017,149 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\DNINDIS5.sys -- (DNINDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL =
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://www.bing.com/ [binary data]
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.co.uk/
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes,DefaultScope = {E397187B-6912-4356-95B2-3D204C8F4741}
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{08AADFBC-3CEE-4019-A342-6EE40DDFDC73}: "URL" = http://search.yahoo....petb&type=10553
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...1I7ADFA_enGB382
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\..\SearchScopes\{E397187B-6912-4356-95B2-3D204C8F4741}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKU\S-1-5-21-448539723-515967899-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: [email protected]:1.0
FF - prefs.js..extensions.enabledAddons: {97E22097-9A2F-45b1-8DAF-36AD648C7EF4}:15.0.4
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.4.53: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.4.53: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.4.53: C:\Program Files\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tightropeinteractive.com/Plugin: C:\Documents and Settings\Joe\Local Settings\Application Data\TNT2\2.0.0.1627\npTNT2.dll (Search.Us.com)
FF - HKCU\Software\MozillaPlugins\@tnt2ghost.com/Plugin: C:\Documents and Settings\Joe\Local Settings\Application Data\TNT2\2.0.0.1627\npTNT2ghost.dll (Search.Us.com)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/06/03 17:55:31 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/03 17:55:18 | 000,000,000 | ---D | M]

[2011/04/05 10:34:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Joe\Application Data\Mozilla\Extensions
[2013/08/18 15:14:48 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/08/18 15:14:48 | 000,000,000 | ---D | M] (Hotspot Shield Helper (Please allow this installation)) -- C:\Program Files\Mozilla Firefox\extensions\[email protected]
[2011/03/18 18:57:02 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/01/01 09:00:00 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2010/01/01 09:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2010/01/01 09:00:00 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2010/01/01 09:00:00 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2010/01/01 09:00:00 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2013/08/19 21:21:48 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\HssIE\HssIE.dll (AnchorFree Inc.)
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-448539723-515967899-725345543-1004..\Run: [TvtXdnsd] C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WN111v2 Smart Wizard.lnk = C:\Program Files\NETGEAR\WN111v2\WN111V2.exe (NETGEAR)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-448539723-515967899-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.ma...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1199120511546 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_06)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx1.hotmail....ol/MSNPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{068DCEAB-14A4-4E6D-9C26-03D529310EFD}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe) - C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Joe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Joe\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/12/31 18:04:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{32acefe0-3762-11dd-ac65-001d60526c5c}\Shell\AutoRun\command - "" = E:\WD_Windows_Tools\Setup.exe
O33 - MountPoints2\{54a7570c-185f-11de-ae2c-001d60526c5c}\Shell\AutoRun\command - "" = E:\wdsync.exe
O33 - MountPoints2\{5f785bf4-e661-11df-afbd-001d60526c5c}\Shell - "" = AutoRun
O33 - MountPoints2\{5f785bf4-e661-11df-afbd-001d60526c5c}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{5f785bf4-e661-11df-afbd-001d60526c5c}\Shell\AutoRun\command - "" = F:\Startme.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/08/21 21:18:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Desktop\RK_Quarantine
[2013/08/20 17:42:11 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Joe\Desktop\aswMBR.com
[2013/08/19 21:16:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\CC Support
[2013/08/19 17:32:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Hotspot Shield
[2013/08/18 15:14:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Local Settings\Application Data\TNT2
[2013/08/18 14:59:52 | 000,000,000 | ---D | C] -- C:\Avenger
[2013/08/18 14:53:14 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/08/17 23:23:40 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.com
[2013/08/17 20:37:56 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/07/30 12:26:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Desktop\ff11 stuff
[2013/07/25 19:33:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Hotspot Shield
[2013/07/25 19:33:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hotspot Shield
[2013/07/25 19:32:42 | 000,000,000 | ---D | C] -- C:\Program Files\Hotspot Shield
[2013/07/25 19:32:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Joe\Application Data\Hotspot Shield
[2010/03/07 14:09:26 | 000,092,064 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmmdm.sys
[2010/03/07 14:09:26 | 000,079,328 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmserd.sys
[2010/03/07 14:09:26 | 000,066,656 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmbus.sys
[2010/03/07 14:09:26 | 000,025,600 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Joe\usbsermptxp.sys
[2010/03/07 14:09:26 | 000,022,768 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Joe\usbsermpt.sys
[2010/03/07 14:09:26 | 000,009,232 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmmdfl.sys
[2010/03/07 14:09:26 | 000,006,208 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmcmnt.sys
[2010/03/07 14:09:26 | 000,005,936 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmwhnt.sys
[2010/03/07 14:09:26 | 000,004,048 | ---- | C] (MCCI) -- C:\Documents and Settings\Joe\mqdmcr.sys
[1 C:\Documents and Settings\LocalService\Local Settings\Application Data\*.tmp files -> C:\Documents and Settings\LocalService\Local Settings\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/08/22 20:39:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/08/22 20:35:29 | 000,000,274 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-448539723-515967899-725345543-1004.job
[2013/08/22 20:35:28 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/08/22 20:35:27 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/08/22 20:35:19 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/08/22 20:34:24 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2013/08/21 21:18:17 | 000,923,136 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\RogueKiller.com
[2013/08/21 18:32:38 | 000,003,274 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\Wmi.reg
[2013/08/21 18:32:24 | 000,005,848 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\SharedAccess.reg
[2013/08/21 18:32:19 | 000,003,658 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\wscsvc.reg
[2013/08/21 18:32:14 | 000,002,764 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\ALG.reg
[2013/08/20 17:44:08 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\MBR.dat
[2013/08/20 17:42:12 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Joe\Desktop\aswMBR.com
[2013/08/19 21:21:48 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2013/08/19 21:16:12 | 004,009,167 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\ServicesRepair.com
[2013/08/19 17:33:00 | 000,000,773 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hotspot Shield.lnk
[2013/08/18 17:56:01 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-448539723-515967899-725345543-1004.job
[2013/08/18 14:57:25 | 000,724,952 | ---- | M] () -- C:\Documents and Settings\Joe\Desktop\avenger.zip
[2013/08/17 23:23:40 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Joe\Desktop\OTL.com
[2013/08/17 20:37:56 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/08/03 13:09:18 | 000,001,124 | ---- | M] () -- C:\Documents and Settings\Joe\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickStores.lnk
[2013/07/24 03:10:56 | 000,044,744 | ---- | M] (AnchorFree Inc.) -- C:\WINDOWS\System32\drivers\hssdrv.sys

========== Files Created - No Company Name ==========

[2013/08/21 21:18:16 | 000,923,136 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\RogueKiller.com
[2013/08/21 18:32:38 | 000,003,274 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\Wmi.reg
[2013/08/21 18:32:24 | 000,005,848 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\SharedAccess.reg
[2013/08/21 18:32:19 | 000,003,658 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\wscsvc.reg
[2013/08/21 18:32:13 | 000,002,764 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\ALG.reg
[2013/08/20 17:44:08 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\MBR.dat
[2013/08/19 21:16:11 | 004,009,167 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\ServicesRepair.com
[2013/08/18 14:57:43 | 000,731,136 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\avenger.com
[2013/08/18 14:57:24 | 000,724,952 | ---- | C] () -- C:\Documents and Settings\Joe\Desktop\avenger.zip
[2013/08/03 13:09:18 | 000,001,124 | ---- | C] () -- C:\Documents and Settings\Joe\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickStores.lnk
[2013/07/25 19:33:37 | 000,000,773 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hotspot Shield.lnk
[2013/06/30 10:34:56 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/06/22 19:48:44 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Joe\Application Data\SharedSettings.ccs
[2013/05/09 19:00:44 | 000,646,807 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-448539723-515967899-725345543-1004-0.dat
[2013/05/09 19:00:38 | 000,299,122 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2013/02/21 22:02:23 | 000,000,096 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.351.32.bc
[2012/04/04 23:49:04 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2010/03/07 14:11:53 | 000,070,690 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem41.PNF
[2010/03/07 14:11:53 | 000,054,341 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem41.inf
[2010/03/07 14:11:53 | 000,016,002 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem36.PNF
[2010/03/07 14:11:53 | 000,015,682 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem33.PNF
[2010/03/07 14:11:53 | 000,014,334 | ---- | C] () -- C:\Documents and Settings\Joe\Copy (2) of oem28.PNF
[2010/03/07 14:11:53 | 000,012,866 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem31.PNF
[2010/03/07 14:11:53 | 000,012,828 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem30.PNF
[2010/03/07 14:11:53 | 000,012,348 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem32.PNF
[2010/03/07 14:11:53 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem36.inf
[2010/03/07 14:11:53 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem33.inf
[2010/03/07 14:11:53 | 000,007,754 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem34.PNF
[2010/03/07 14:11:53 | 000,007,314 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem35.PNF
[2010/03/07 14:11:53 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\Joe\1267967513-(null)
[2010/03/07 14:11:53 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem34.inf
[2010/03/07 14:11:53 | 000,006,209 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem31.inf
[2010/03/07 14:11:53 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem30.inf
[2010/03/07 14:11:53 | 000,005,813 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem32.inf
[2010/03/07 14:11:53 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem35.inf
[2010/03/07 14:09:26 | 000,009,913 | ---- | C] () -- C:\Documents and Settings\Joe\MCCI_MDM.INF
[2010/03/07 14:09:26 | 000,009,232 | ---- | C] () -- C:\Documents and Settings\Joe\USB_MOT_BRIT.INF
[2010/03/07 14:09:26 | 000,007,201 | ---- | C] () -- C:\Documents and Settings\Joe\USBMOT2000.INF
[2010/03/07 14:09:26 | 000,006,989 | ---- | C] () -- C:\Documents and Settings\Joe\MCCI_BUS.INF
[2010/03/07 14:09:26 | 000,006,141 | ---- | C] () -- C:\Documents and Settings\Joe\USBMOT2000XP.INF
[2010/03/07 14:09:26 | 000,005,960 | ---- | C] () -- C:\Documents and Settings\Joe\USB_MOT_A1000.INF
[2010/03/07 14:09:26 | 000,005,880 | ---- | C] () -- C:\Documents and Settings\Joe\USB_CMCS_2000.INF
[2010/03/07 14:09:26 | 000,004,477 | ---- | C] () -- C:\Documents and Settings\Joe\MCCI_SDM.INF
[2010/03/07 14:09:20 | 000,070,690 | ---- | C] () -- C:\Documents and Settings\Joe\Copy of oem28.PNF
[2010/03/07 14:09:20 | 000,054,341 | ---- | C] () -- C:\Documents and Settings\Joe\1267967360-(null)
[2008/03/04 23:48:34 | 000,033,792 | ---- | C] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/31 18:55:51 | 000,000,126 | ---- | C] () -- C:\Documents and Settings\Joe\Local Settings\Application Data\fusioncache.dat

========== ZeroAccess Check ==========

[2007/12/31 17:39:10 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 01:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 13:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 01:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Custom Scans ==========

========== Base Services ==========
No service found with a name of ALG
SRV - [2008/04/14 01:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2008/04/14 01:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2012/07/06 14:58:51 | 000,078,336 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2008/04/14 01:11:51 | 000,062,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2008/04/14 01:11:51 | 000,126,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2009/04/20 18:17:26 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
SRV - [2008/04/14 01:11:52 | 000,033,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\eapsvc.dll -- (EapHost)
SRV - [2009/07/28 00:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2008/04/14 01:12:08 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - [2008/04/14 01:11:54 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\hidserv.dll -- (HidServ)
SRV - [2008/04/14 01:12:22 | 000,150,528 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2008/04/14 01:11:52 | 000,023,552 | ---- | M] (Microsoft Corp.) [On_Demand | Stopped] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2008/04/14 01:12:17 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand | Stopped] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2008/04/14 01:12:17 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2008/04/14 01:12:01 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/06/20 17:02:47 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\mswsock.dll -- (Nla)
SRV - [2009/02/06 12:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2010/08/17 14:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2008/04/14 01:12:03 | 000,088,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2008/04/14 01:12:03 | 000,186,368 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2009/02/09 13:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs)
SRV - [2008/04/14 01:12:02 | 000,435,200 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2008/04/14 01:12:05 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2008/04/14 01:12:24 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
No service found with a name of wscsvc
SRV - [2010/08/27 06:57:43 | 000,099,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver)
SRV - [2009/07/28 00:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2008/04/14 01:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2008/04/14 01:12:05 | 000,192,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2008/04/14 01:11:56 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2008/04/14 01:12:07 | 000,249,856 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2008/04/14 01:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2009/07/28 00:17:41 | 000,135,168 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2008/04/14 01:12:38 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2008/04/14 01:11:50 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
No service found with a name of SharedAccess
SRV - [2008/04/14 01:12:08 | 000,333,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc)
SRV - [2008/04/14 01:12:28 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2008/04/14 01:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
SRV - [2009/02/09 13:10:48 | 000,617,472 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\advapi32.dll -- (Wmi)
SRV - [2008/04/14 01:11:52 | 000,132,096 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\dot3svc.dll -- (Dot3svc)
SRV - [2008/04/14 01:12:11 | 000,483,840 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2009/06/10 07:14:49 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)

< >

========== Files - Unicode (All) ==========
[2009/04/29 03:11:18 | 000,000,000 | ---- | M] ()(C:\WINDOWS\System32\8m?) -- C:\WINDOWS\System32\8m“
[2009/04/29 03:11:18 | 000,000,000 | ---- | C] ()(C:\WINDOWS\System32\8m?) -- C:\WINDOWS\System32\8m“
[2009/04/24 17:15:11 | 000,000,000 | ---- | M] ()(C:\WINDOWS\System32\0~?) -- C:\WINDOWS\System32\0~“
[2009/04/24 17:15:11 | 000,000,000 | ---- | C] ()(C:\WINDOWS\System32\0~?) -- C:\WINDOWS\System32\0~“

< End of report >
  • 0
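As an added example (not part of this thread and not the OTL tool's own code), here is a small Python triage pass over OTL `O4`, `O6` and `O20` lines in the format of the log above. It flags autorun entries whose file is missing or that run from a user profile directory, a `UserInit` value pointing anywhere other than `system32\userinit.exe`, and the `EnableLUA = 0` policy; the sample lines are copied from the posted log, and the flagging rules are my own heuristics.

```python
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the OTL log posted above (two clean, three suspicious).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKU\S-1-5-21-448539723-515967899-725345543-1004..\Run: [TvtXdnsd] C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O20 - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe) - C:\Documents and Settings\Joe\Local Settings\Application Data\lpclpkjm\tvtxdnsd.exe File not found
""".strip("\n")

# OTL line shapes handled here (heuristic patterns written for this example).
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.+)$")
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<value>\w+) - \((?P<raw>[^)]*)\) - (?P<rest>.+)$")
POLICY_RE = re.compile(r"^O6 - (?P<key>.+?): (?P<name>\w+) = (?P<val>\S+)$")
# Per-user, user-writable locations under an XP profile.
USER_WRITABLE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Local Settings\\)?Application Data\\"
    r"|\\Local Settings\\Temp\\",
    re.IGNORECASE,
)
SYSTEM_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$")


@dataclass
class Finding:
    kind: str                 # OTL section: "O4", "O6" or "O20"
    name: str                 # Run value name, policy name or Winlogon value
    target: str               # resolved path (or policy value)
    reasons: list = field(default_factory=list)


def split_target(rest):
    """Strip OTL's trailing annotation: '(Company)' when the file's version
    info was readable, 'File not found' when the file is gone.
    Returns (path, company_or_None, file_present)."""
    suffix = " File not found"
    if rest.endswith(suffix):
        return rest[: -len(suffix)], None, False
    m = re.match(r"^(.+?) \(([^()]*)\)$", rest)
    if m:
        return m.group(1), (m.group(2) or None), True
    return rest, None, True


def check_path(path, company, present, reasons):
    if not present:
        reasons.append("target file not found (orphaned autorun entry)")
    if USER_WRITABLE.search(path):
        reasons.append("runs from a user-writable profile directory")
    if present and not company:
        reasons.append("no publisher/version information")


def triage(log_text):
    """Return a Finding for every O4/O6/O20 line that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            path, company, present = split_target(m.group("rest"))
            f = Finding("O4", m.group("name"), path)
            check_path(path, company, present, f.reasons)
        elif WINLOGON_RE.match(line):
            m = WINLOGON_RE.match(line)
            path, company, present = split_target(m.group("rest"))
            f = Finding("O20", m.group("value"), path)
            check_path(path, company, present, f.reasons)
            if m.group("value").lower() == "userinit" and not SYSTEM_USERINIT.match(path.lower()):
                f.reasons.append("UserInit points outside system32\\userinit.exe")
        elif POLICY_RE.match(line):
            m = POLICY_RE.match(line)
            f = Finding("O6", m.group("name"), m.group("val"))
            if m.group("name") == "EnableLUA" and m.group("val") == "0":
                f.reasons.append("EnableLUA policy forced to 0")
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.name}: {f.target}\n    - " + "\n    - ".join(f.reasons))
```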

#37
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Download Combofix from any of the links below:

Link 1
Link 2
Link 3


==================================


Double click on the renamed ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Are you able to reach antivirus sites after ComboFix?
  • 0

#38
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Unable to run it.

I click it and press Run; it starts for about 3 seconds and then stops.
  • 0

#39
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts

I click it and press Run; it starts for about 3 seconds and then stops.

Does the ComboFix window close after 3 seconds, or does it just hang and do nothing? If it hangs and does nothing, try waiting for some time, nearly 20 minutes, because the scan can take a while.

If the ComboFix window simply closes, try these variants:

  • Try to run ComboFix in Safe Mode with Networking.
  • If that doesn't help, rename ComboFix.exe to one of these (don't forget to change the file extension!):
    • explorer.exe
    • winlogon.exe
    • 1235.com
    • abc.pif

  • 0

#40
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Renaming it allowed it to work, but when it reaches stage 49 it doesn't go any further and stays there until I close it.
  • 0


#41
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Please download DeFogger and save it to your desktop.

  • Once downloaded, double-click on the DeFogger icon to start the tool.
  • The application window will appear.
  • You should now click on the Disable button to disable your CD Emulation drivers.
  • When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  • When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  • If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
After that try to run ComboFix again.
  • 0

#42
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
DeFogger is an unknown file type, so I'm unable to run it.
  • 0

#43
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts

DeFogger is an unknown file type, so I'm unable to run it.


Hmm, that's strange. First, try re-downloading it and running it. If that doesn't help, rename it to winlogon.exe (don't forget to change the extension!) and run it.
  • 0

#44
raps1355

raps1355

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Defogger worked once it was renamed. Combofix is still sticking on stage 49.
  • 0

#45
Phel

Phel

    Trusted Helper

  • Malware Removal
  • 1,386 posts
Try running it once again, and do not click ComboFix's window while it is running. If it hangs, try waiting an hour. If that doesn't help, report back to me.
  • 0
