Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Hacked by pokemon [Closed]

Started by YellowRubberDuck , Aug 17 2013 06:41 AM

  • This topic is locked This topic is locked

#16
YellowRubberDuck
Posted 28 August 2013 - 02:29 PM

YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
C:\autorun.inf probably a variant of Win32/Agent.FOXSAFX trojan
C:\Documents and Settings\HP_Owner\Start Menu\jimmy\KITARO\KITARO.exe Win32/Hakaglan.B worm
C:\Documents and Settings\HP_Owner\Start Menu\jimmy\Video\Video.exe Win32/Hakaglan.B worm
C:\Documents and Settings\HP_Owner\Start Menu\jimmy\Z\Z.exe Win32/Hakaglan.B worm
C:\_OTL\MovedFiles\08182013_112117\C_\Bha.dll.vbs VBS/Butsur.B worm
C:\_OTL\MovedFiles\08182013_112117\C_WINDOWS\Bha.dll.vbs VBS/Butsur.B worm
D:\Autorun.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP27\A0010899.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP27\A0010900.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP27\A0010917.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP27\A0010918.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP28\A0011487.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP28\A0011488.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP29\A0011556.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP29\A0011557.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP29\A0011979.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP29\A0011980.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP29\A0011999.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP29\A0012000.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP30\A0012076.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP30\A0012077.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP30\A0012264.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP30\A0012265.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP32\A0015899.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP32\A0015900.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP32\A0015911.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP32\A0015912.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP32\A0015930.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP32\A0015931.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP32\A0015959.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP32\A0015960.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP33\A0016091.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP33\A0016092.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP33\A0016104.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP33\A0016105.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP34\A0016166.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP34\A0016167.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP35\A0016237.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP35\A0016238.inf probably a variant of Win32/Agent.FOXSAFX trojan
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP36\A0016472.vbs VBS/Butsur.B worm
D:\System Volume Information\_restore{FB0B7E35-1791-4838-8FCB-12BD2312AC3E}\RP36\A0016473.inf probably a variant of Win32/Agent.FOXSAFX trojan
  • 0

Advertisements

#17
YellowRubberDuck
Posted 28 August 2013 - 03:45 PM

YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
3) I've installed IE8. After restart, it can load. And yes the hacked by Pokemon is still there. Also there was a warning pop up that said a program has changed the search provider. Another weird thing was a new hardware was detected (PCI controller) but I didn't install any hardware. I just clicked cancel.

4) I tried to uninstall MSE but it didn't let me. There was an error that said I need to install Filter manager rollup package.
  • 0

#18
Crowbar
Posted 28 August 2013 - 07:56 PM

Crowbar

    Teacher

  • GeekU Moderator
  • 4,798 posts
Glad that ESET ran but I see a problem I have to warn you about:

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please hold off trying to uninstall MSE or any other programs for now, and limit your internet usage on this machine.

Step 1
We need to do an OTL fix:

Note: If you have Malwarebytes 1.6 or higher installed please disable it for the duration of this fix as it may interfere with the successfully execution of the script below. If it still hangs then please uninstall MalwareBytes' and run this fix again.
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :commands
    [createrestorepoint]
    :Files
    C:\autorun.inf
    C:\Documents and Settings\HP_Owner\Start Menu\jimmy\KITARO\KITARO.exe
    C:\Documents and Settings\HP_Owner\Start Menu\jimmy\Video\Video.exe
    C:\Documents and Settings\HP_Owner\Start Menu\jimmy\Z\Z.exe
    D:\Autorun.inf
    :commands
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log it produces in your next reply.

Step 2
Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
winsock.*
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open OTL.Txt
  • Post this log in your next response

Step 3
The server that hosts this file has been slow lately, so please allow some time to download this file:
If it asks to run a virus scan you can answer no

Download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it
Posted Image

Click the [Scan] button to start scan
Posted Image

On completion of the scan click [Save log], save it to your desktop and post in your next reply

In your next reply I would like to see:
  • OTL fix log
  • OTL custom scan
  • ASWmbr scan log

Edited by Crowbar, 30 August 2013 - 09:48 AM.
fixed typo

  • 0

#19
Crowbar
Posted 30 August 2013 - 04:52 AM

Crowbar

    Teacher

  • GeekU Moderator
  • 4,798 posts
Hi,
I have a better link to download ASWmbr, if you have not already downloaded it, please do so from here
  • 0

#20
YellowRubberDuck
Posted 31 August 2013 - 10:50 AM

YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
C:\autorun.inf moved successfully.
C:\Documents and Settings\HP_Owner\Start Menu\jimmy\KITARO\KITARO.exe moved successfully.
C:\Documents and Settings\HP_Owner\Start Menu\jimmy\Video\Video.exe moved successfully.
C:\Documents and Settings\HP_Owner\Start Menu\jimmy\Z\Z.exe moved successfully.
D:\Autorun.inf moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: HP_Owner
->Temp folder emptied: 22203367 bytes
->Temporary Internet Files folder emptied: 15582426 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 18051796 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 80474332 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 68396 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 130.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 09012013_002402

Files\Folders moved on Reboot...
C:\Documents and Settings\HP_Owner\Local Settings\Temp\IadHide5.dll moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0

#21
YellowRubberDuck
Posted 31 August 2013 - 11:11 AM

YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
OTL logfile created on: 9/1/2013 1:06:11 AM - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\HP_Owner\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

223.36 Mb Total Physical Memory | 47.81 Mb Available Physical Memory | 21.41% Memory free
872.78 Mb Paging File | 154.75 Mb Available in Paging File | 17.73% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 142.07 Gb Total Space | 129.15 Gb Free Space | 90.91% Space Free | Partition Type: NTFS
Drive D: | 6.96 Gb Total Space | 1.32 Gb Free Space | 19.01% Space Free | Partition Type: FAT32

Computer Name: YOUR-808953D619 | User Name: HP_Owner | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/08/17 19:58:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Owner\Desktop\OTL.exe
PRC - [2013/08/15 01:55:20 | 000,276,376 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2013/07/18 16:49:42 | 000,022,216 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/07/18 16:49:24 | 000,995,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2009/09/23 16:45:50 | 001,287,176 | ---- | M] (Panda Security) -- C:\Program Files\Panda USB Vaccine\USBVaccine.exe
PRC - [2006/01/12 19:07:49 | 000,036,903 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
PRC - [2005/09/21 18:41:10 | 001,605,740 | ---- | M] (Hewlett-Packard Company) -- C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
PRC - [2004/10/19 16:54:40 | 000,430,080 | ---- | M] () -- C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
PRC - [2004/08/04 12:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2013/08/15 01:55:37 | 003,551,640 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2006/01/12 19:07:46 | 000,151,589 | ---- | M] () -- C:\Program Files\Updates from HP\9972322\6.3.2.116-9972322\Program\bwfiles.dll
MOD - [2006/01/12 19:07:46 | 000,098,339 | ---- | M] () -- C:\Program Files\Updates from HP\9972322\6.3.2.116-9972322\Program\FrExt.dll
MOD - [2006/01/12 19:07:46 | 000,061,496 | ---- | M] () -- C:\Program Files\Updates from HP\9972322\6.3.2.116-9972322\Program\clntutil.dll
MOD - [2006/01/12 19:07:44 | 000,126,976 | ---- | M] () -- C:\Program Files\Updates from HP\9972322\Program\HPClientExt.dll
MOD - [2005/03/15 15:17:28 | 000,204,800 | ---- | M] () -- c:\Program Files\HP\Digital Imaging\bin\HpqUtil.dll
MOD - [2004/10/19 16:54:40 | 000,430,080 | ---- | M] () -- C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe
MOD - [2004/10/06 19:18:00 | 000,040,960 | ---- | M] () -- C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.dll
MOD - [2004/09/03 16:11:00 | 000,200,704 | ---- | M] () -- C:\Program Files\WLAN\802.11b+g USB WLAN\dot1x_dll.dll
MOD - [2004/03/05 15:00:00 | 000,827,392 | ---- | M] () -- C:\Program Files\WLAN\802.11b+g USB WLAN\libeay32.dll
MOD - [2004/03/05 15:00:00 | 000,155,648 | ---- | M] () -- C:\Program Files\WLAN\802.11b+g USB WLAN\ssleay32.dll


========== Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2013/08/15 01:55:29 | 000,117,656 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/07/18 16:49:42 | 000,022,216 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2004/09/29 12:14:36 | 000,069,632 | ---- | M] (HP) [Boot | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2013/08/27 22:45:38 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/02/11 20:01:43 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/05/12 09:17:46 | 000,098,432 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\telitusbser.sys -- (telitusbser)
DRV - [2005/10/18 21:15:42 | 004,034,048 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2005/09/23 21:26:40 | 001,094,751 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/08/14 06:35:54 | 001,313,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/07/04 08:30:34 | 000,026,624 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PS2.sys -- (Ps2)
DRV - [2005/03/04 19:10:26 | 000,074,496 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/10/06 18:49:04 | 000,248,320 | ---- | M] (ZyDAS Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ZD1211U.sys -- (WLAN(WLAN)
DRV - [2004/08/04 05:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139)
DRV - [2004/01/14 11:30:00 | 000,017,151 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\ZDPNDIS5.sys -- (ZDPNDIS5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2977121927-3569450884-2823081615-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
IE - HKU\S-1-5-21-2977121927-3569450884-2823081615-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.my/
IE - HKU\S-1-5-21-2977121927-3569450884-2823081615-1008\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-2977121927-3569450884-2823081615-1008\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-2977121927-3569450884-2823081615-1008\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-2977121927-3569450884-2823081615-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:23.0.1
FF - user.js - File not found


FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 23.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2013/08/17 18:31:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Extensions
[2013/08/17 17:16:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/08/17 17:16:11 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

O1 HOSTS File: ([2004/08/04 19:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [HPBootOp] C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\802.11b+g USB Wireless LAN Utility.lnk = C:\Program Files\WLAN\802.11b+g USB WLAN\ZDWlan.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\Pin.lnk = C:\hp\bin\cloaker.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\PandaUSBVaccine.lnk = C:\Program Files\Panda USB Vaccine\USBVaccine.exe (Panda Security)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2977121927-3569450884-2823081615-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2977121927-3569450884-2823081615-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra Button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O9 - Extra 'Tools' menuitem : Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm ()
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7273E436-DB66-4460-B05A-9B270F6C0824}: DhcpNameServer = 15.243.128.51 15.243.160.51
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7ED70459-ED01-4548-8984-04AA68384D9C}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\dimsntfy: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/01/12 19:04:36 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2001/07/28 07:07:38 | 000,000,000 | -HS- | M] () - D:\AUTOEXEC.BAT -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2013/08/29 05:21:26 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\HP_Owner\IECompatCache
[2013/08/29 05:19:53 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\HP_Owner\PrivacIE
[2013/08/29 05:18:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Local Settings\Application Data\PCHealth
[2013/08/29 04:52:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2013/08/29 04:49:57 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2013/08/29 00:10:51 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2013/08/27 22:25:31 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/08/27 22:25:31 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/08/26 22:58:31 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft CAPICOM 2.1.0.2
[2013/08/26 22:57:13 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/08/26 22:57:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
[2013/08/26 22:56:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2013/08/26 22:47:21 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2013/08/24 16:01:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
[2013/08/24 15:22:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ERUNT
[2013/08/24 15:22:38 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2013/08/24 15:12:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2013/08/24 13:43:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Start Menu\Programs\Revo Uninstaller
[2013/08/24 13:42:12 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2013/08/24 00:00:44 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2013/08/22 00:44:49 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\HP_Owner\IETldCache
[2013/08/21 23:21:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2013/08/21 23:16:31 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2013/08/21 22:25:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2013/08/21 22:25:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Panda Security
[2013/08/21 22:25:21 | 000,000,000 | ---D | C] -- C:\Program Files\Panda USB Vaccine
[2013/08/20 08:32:52 | 000,000,000 | --SD | C] -- C:\ComboFix
[2013/08/20 01:29:28 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/08/20 01:29:28 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/08/20 01:29:28 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/08/20 01:29:28 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/08/20 01:29:09 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/08/20 01:28:59 | 000,000,000 | R--D | C] -- C:\Documents and Settings\HP_Owner\Start Menu\Programs\Administrative Tools
[2013/08/20 01:28:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/08/20 01:26:50 | 005,105,821 | R--- | C] (Swearware) -- C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
[2013/08/18 12:57:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Desktop\RK_Quarantine
[2013/08/18 11:36:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2013/08/18 11:36:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2013/08/18 11:36:49 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2013/08/18 11:36:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2013/08/18 11:36:48 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2013/08/18 11:33:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2013/08/18 11:30:29 | 000,281,088 | ---- | C] (Cinematronics) -- C:\WINDOWS\System32\dllcache\pinball.exe
[2013/08/18 11:30:28 | 000,026,624 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rw330ext.dll
[2013/08/18 11:29:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome
[2013/08/18 11:21:17 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/08/18 11:10:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MRT
[2013/08/17 19:58:37 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\HP_Owner\Desktop\OTL.exe
[2013/08/17 19:58:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\My Documents\Downloads
[2013/08/17 18:35:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2013/08/17 18:34:31 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
[2013/08/17 17:16:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Mozilla
[2013/08/17 17:16:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Owner\Application Data\Mozilla
[2013/08/17 17:16:15 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2013/08/17 17:16:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2013/08/17 17:16:08 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2013/08/17 17:01:47 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\HP_Owner\Recent
[2013/08/17 16:57:14 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$MSI31Uninstall_KB893803v2$

========== Files - Modified Within 30 Days ==========

[2013/09/01 01:12:23 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{1E902A08-ECF0-441C-8FBA-8D034C7F5396}.job
[2013/09/01 00:52:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/09/01 00:52:38 | 234,278,912 | -HS- | M] () -- C:\hiberfil.sys
[2013/09/01 00:12:19 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/08/29 05:28:01 | 000,001,919 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2013/08/29 05:10:24 | 000,000,826 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2013/08/29 05:08:11 | 000,000,184 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.DAT
[2013/08/29 04:51:31 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/08/29 00:30:40 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/08/27 22:45:38 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/08/27 22:25:37 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/08/26 23:07:34 | 000,309,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/08/24 15:22:42 | 000,000,622 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\NTREGOPT.lnk
[2013/08/24 15:22:42 | 000,000,603 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\ERUNT.lnk
[2013/08/24 15:16:34 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2013/08/24 15:16:28 | 000,384,904 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/08/24 15:16:28 | 000,054,396 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/08/24 15:14:22 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2013/08/24 15:14:21 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2013/08/24 14:48:41 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2013/08/24 13:44:00 | 000,000,928 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\Revo Uninstaller.lnk
[2013/08/24 00:32:28 | 000,866,592 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\Norton_Removal_Tool.exe
[2013/08/21 22:25:25 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\PandaUSBVaccine.lnk
[2013/08/20 01:27:38 | 005,105,821 | R--- | M] (Swearware) -- C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
[2013/08/18 13:07:57 | 000,891,115 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\SecurityCheck.exe
[2013/08/18 13:02:28 | 000,666,633 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\adwcleaner.exe
[2013/08/18 12:56:36 | 000,920,576 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Desktop\RogueKiller.exe
[2013/08/17 19:58:38 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\HP_Owner\Desktop\OTL.exe
[2013/08/17 17:16:24 | 000,000,753 | ---- | M] () -- C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2013/08/17 17:16:16 | 000,000,735 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk

========== Files Created - No Company Name ==========

[2013/08/29 05:21:11 | 000,000,428 | -H-- | C] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{1E902A08-ECF0-441C-8FBA-8D034C7F5396}.job
[2013/08/29 05:10:23 | 000,000,814 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Start Menu\Programs\Internet Explorer.lnk
[2013/08/27 22:25:37 | 000,000,795 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2013/08/24 15:22:42 | 000,000,622 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\NTREGOPT.lnk
[2013/08/24 15:22:42 | 000,000,603 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\ERUNT.lnk
[2013/08/24 13:44:00 | 000,000,928 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\Revo Uninstaller.lnk
[2013/08/24 11:06:17 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2013/08/24 00:30:56 | 000,866,592 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\Norton_Removal_Tool.exe
[2013/08/21 23:18:48 | 000,001,919 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2013/08/21 23:18:06 | 000,001,709 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2013/08/21 22:25:25 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\PandaUSBVaccine.lnk
[2013/08/20 09:25:56 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2013/08/20 09:25:56 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2013/08/20 01:29:28 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/08/20 01:29:28 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/08/20 01:29:28 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/08/20 01:29:28 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/08/20 01:29:28 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/08/18 13:06:54 | 000,891,115 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\SecurityCheck.exe
[2013/08/18 13:02:25 | 000,666,633 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\adwcleaner.exe
[2013/08/18 12:56:32 | 000,920,576 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Desktop\RogueKiller.exe
[2013/08/18 11:30:41 | 000,168,806 | ---- | C] () -- C:\WINDOWS\System32\dllcache\startoc.cat
[2013/08/18 11:30:41 | 000,118,272 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mpg2data.ax
[2013/08/18 11:30:40 | 000,024,209 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn7.cat
[2013/08/18 11:30:40 | 000,011,651 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn9.cat
[2013/08/18 11:30:38 | 000,759,966 | ---- | C] () -- C:\WINDOWS\System32\dllcache\apph_sp.sdb
[2013/08/18 11:30:37 | 000,382,952 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nt5inf.cat
[2013/08/18 11:30:35 | 000,079,996 | ---- | C] () -- C:\WINDOWS\System32\dllcache\apps.chm
[2013/08/18 11:30:34 | 000,216,862 | ---- | C] () -- C:\WINDOWS\System32\dllcache\apphelp.sdb
[2013/08/18 11:30:34 | 000,031,281 | ---- | C] () -- C:\WINDOWS\System32\dllcache\fp4.cat
[2013/08/18 11:30:33 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\dllcache\fpencode.dll
[2013/08/18 11:30:31 | 000,013,753 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ims.cat
[2013/08/18 11:30:30 | 000,376,320 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msinfo.dll
[2013/08/18 11:30:30 | 000,198,736 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msimain.sdb
[2013/08/18 11:30:30 | 000,009,581 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msmsgs.cat
[2013/08/18 11:30:30 | 000,007,245 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mstsweb.cat
[2013/08/18 11:30:29 | 002,012,670 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nt5.cat
[2013/08/18 11:30:28 | 000,034,816 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sniffpol.dll
[2013/08/18 11:30:27 | 000,279,040 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tshoot.dll
[2013/08/18 11:30:27 | 000,033,280 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sstub.dll
[2013/08/18 11:30:23 | 000,460,728 | ---- | C] () -- C:\WINDOWS\System32\dllcache\micross.ttf
[2013/08/18 11:30:23 | 000,383,140 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tahoma.ttf
[2013/08/18 11:30:23 | 000,355,436 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tahomabd.ttf
[2013/08/18 11:30:21 | 000,070,656 | ---- | C] () -- C:\WINDOWS\System32\dllcache\amstream.dll
[2013/08/18 11:30:19 | 000,252,928 | ---- | C] () -- C:\WINDOWS\System32\dllcache\compatui.dll
[2013/08/18 11:30:15 | 000,059,904 | ---- | C] () -- C:\WINDOWS\System32\dllcache\devenum.dll
[2013/08/18 11:30:07 | 000,148,992 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mpg2splt.ax
[2013/08/18 11:30:07 | 000,035,328 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mciqtz32.dll
[2013/08/18 11:30:06 | 000,014,336 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msdmo.dll
[2013/08/18 11:30:01 | 000,004,310 | ---- | C] () -- C:\WINDOWS\System32\dllcache\odbcconf.rsp
[2013/08/18 11:30:00 | 000,562,176 | ---- | C] () -- C:\WINDOWS\System32\dllcache\qedit.dll
[2013/08/18 11:30:00 | 000,385,024 | ---- | C] () -- C:\WINDOWS\System32\dllcache\qdvd.dll
[2013/08/18 11:30:00 | 000,279,040 | ---- | C] () -- C:\WINDOWS\System32\dllcache\qdv.dll
[2013/08/18 11:30:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\dllcache\qcap.dll
[2013/08/18 11:29:59 | 001,291,264 | ---- | C] () -- C:\WINDOWS\System32\dllcache\quartz.dll
[2013/08/18 11:29:59 | 000,733,696 | ---- | C] () -- C:\WINDOWS\System32\dllcache\qedwipes.dll
[2013/08/18 11:29:49 | 000,009,424 | ---- | C] () -- C:\WINDOWS\System32\dllcache\drvmain.sdb
[2013/08/18 11:29:46 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2013/08/17 17:16:23 | 000,000,753 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2013/08/17 17:16:16 | 000,000,741 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2013/08/17 17:16:16 | 000,000,735 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/03/20 21:23:32 | 000,000,131 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Local Settings\Application Data\fusioncache.dat
[2006/08/07 21:03:52 | 000,028,160 | ---- | C] () -- C:\Documents and Settings\HP_Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2006/01/12 18:16:25 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2010/04/16 23:36:48 | 001,506,304 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 18:20:33 | 000,473,088 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2004/08/04 12:00:00 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2006/01/13 10:41:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\InterVideo
[2010/11/17 23:17:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\muvee Technologies
[2006/12/10 07:50:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon Media
[2013/08/21 22:25:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panda Security
[2006/01/13 10:42:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Intervideo

========== Purity Check ==========



========== Custom Scans ==========

========== Base Services ==========
SRV - [2004/08/04 12:00:00 | 000,044,544 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\alg.exe -- (ALG)
SRV - [2004/08/04 12:00:00 | 000,006,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv)
SRV - [2004/08/04 12:00:00 | 000,382,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\qmgr.dll -- (BITS)
SRV - [2004/08/04 12:00:00 | 000,077,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\browser.dll -- (Browser)
SRV - [2004/08/04 12:00:00 | 000,060,416 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\cryptsvc.dll -- (CryptSvc)
SRV - [2004/08/04 12:00:00 | 000,111,104 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dhcpcsvc.dll -- (Dhcp)
SRV - [2004/08/04 12:00:00 | 000,045,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\dnsrslvr.dll -- (Dnscache)
SRV - [2009/02/07 01:14:03 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (Eventlog)
No service found with a name of EapHost
SRV - [2004/08/04 12:00:00 | 000,134,656 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (FastUserSwitchingCompatibility)
SRV - [2004/08/04 12:00:00 | 000,015,872 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\w3ssl.dll -- (HTTPFilter)
SRV - [2004/08/04 07:56:44 | 000,021,504 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\hidserv.dll -- (HidServ)
SRV - [2004/08/04 12:00:00 | 000,150,016 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\imapi.exe -- (ImapiService)
SRV - [2004/08/04 12:00:00 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (PolicyAgent)
SRV - [2004/08/04 12:00:00 | 000,023,552 | ---- | M] (Microsoft Corp.) [On_Demand | Stopped] -- C:\WINDOWS\system32\dmserver.dll -- (dmserver)
SRV - [2004/08/04 12:00:00 | 000,224,768 | ---- | M] (Microsoft Corp., Veritas Software) [On_Demand | Stopped] -- C:\WINDOWS\System32\dmadmin.exe -- (dmadmin)
SRV - [2004/08/04 12:00:00 | 000,005,120 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\dllhost.exe -- (SwPrv)
SRV - [2004/08/04 12:00:00 | 000,013,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\lsass.exe -- (Netlogon)
SRV - [2004/08/04 12:00:00 | 000,198,144 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\netman.dll -- (Netman)
SRV - [2008/06/21 01:41:10 | 000,245,248 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\mswsock.dll -- (Nla)
SRV - [2009/02/07 01:14:03 | 000,110,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\services.exe -- (PlugPlay)
SRV - [2004/08/04 12:00:00 | 000,057,856 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\spoolsv.exe -- (Spooler)
SRV - [2004/08/04 12:00:00 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (ProtectedStorage)
SRV - [2004/08/04 12:00:00 | 000,089,088 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\WINDOWS\system32\rasauto.dll -- (RasAuto)
SRV - [2004/08/04 12:00:00 | 000,174,080 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\rasmans.dll -- (RasMan)
SRV - [2009/02/09 18:20:34 | 000,399,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\rpcss.dll -- (RpcSs)
SRV - [2004/08/04 12:00:00 | 000,435,200 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\ntmssvc.dll -- (NtmsSvc)
SRV - [2004/08/04 12:00:00 | 000,018,944 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\seclogon.dll -- (seclogon)
SRV - [2004/08/04 12:00:00 | 000,013,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lsass.exe -- (SamSs)
SRV - [2004/08/04 12:00:00 | 000,081,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wscsvc.dll -- (wscsvc)
SRV - [2004/08/04 12:00:00 | 000,096,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srvsvc.dll -- (lanmanserver)
SRV - [2004/08/04 12:00:00 | 000,134,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (ShellHWDetection)
SRV - [2004/08/04 12:00:00 | 000,170,496 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\srsvc.dll -- (srservice)
SRV - [2004/08/04 12:00:00 | 000,190,976 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\schedsvc.dll -- (Schedule)
SRV - [2004/08/04 12:00:00 | 000,013,824 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\lmhsvc.dll -- (LmHosts)
SRV - [2004/08/04 12:00:00 | 000,246,272 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\tapisrv.dll -- (TapiSrv)
SRV - [2004/08/04 12:00:00 | 000,295,424 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\WINDOWS\system32\termsrv.dll -- (TermService)
SRV - [2004/08/04 12:00:00 | 000,134,656 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\shsvcs.dll -- (Themes)
SRV - [2004/08/04 12:00:00 | 000,289,792 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\vssvc.exe -- (VSS)
SRV - [2004/08/04 12:00:00 | 000,042,496 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\audiosrv.dll -- (AudioSrv)
SRV - [2004/08/04 12:00:00 | 000,331,264 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\ipnathlp.dll -- (SharedAccess)
SRV - [2004/08/04 12:00:00 | 000,333,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\wiaservc.dll -- (stisvc)
SRV - [2005/05/04 14:45:36 | 000,078,848 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\msiexec.exe -- (MSIServer)
SRV - [2004/08/04 12:00:00 | 000,144,896 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wbem\wmisvc.dll -- (winmgmt)
SRV - [2009/02/09 18:20:33 | 000,616,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\advapi32.dll -- (Wmi)
No service found with a name of Dot3Svc
SRV - [2004/08/04 19:00:00 | 000,359,936 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wzcsvc.dll -- (WZCSVC)
SRV - [2009/06/10 14:32:40 | 000,132,096 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\wkssvc.dll -- (lanmanworkstation)

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2004/08/04 12:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\explorer.exe
[2004/08/04 12:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: QMGR.DLL >
[2004/08/04 12:00:00 | 000,382,464 | ---- | M] (Microsoft Corporation) MD5=2C69EC7E5A311334D10DD95F338FCCEA -- C:\WINDOWS\system32\dllcache\qmgr.dll
[2004/08/04 12:00:00 | 000,382,464 | ---- | M] (Microsoft Corporation) MD5=2C69EC7E5A311334D10DD95F338FCCEA -- C:\WINDOWS\system32\qmgr.dll

< MD5 for: SERVICES >
[2004/08/04 19:00:00 | 000,007,116 | ---- | M] () MD5=95826940E657FE0567A8EC0F2A6AD11A -- C:\WINDOWS\system32\drivers\etc\services

< MD5 for: SERVICES._ >
[2004/08/04 12:00:00 | 000,001,989 | ---- | M] () MD5=29BB3BBBE3D49156A42BFB3DD000F554 -- C:\WINDOWS\I386\SERVICES._

< MD5 for: SERVICES.EX_ >
[2004/08/04 12:00:00 | 000,049,955 | ---- | M] () MD5=85A738BA493104ED103B26CADEB8B543 -- C:\WINDOWS\I386\SERVICES.EX_

< MD5 for: SERVICES.EXE >
[2009/02/06 19:06:24 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=020CEAAEDC8EB655B6506B8C70D53BB6 -- C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\services.exe
[2009/02/07 01:14:03 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=37561F8D4160D62DA86D24AE41FAE8DE -- C:\WINDOWS\system32\dllcache\services.exe
[2009/02/07 01:14:03 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=37561F8D4160D62DA86D24AE41FAE8DE -- C:\WINDOWS\system32\services.exe
[2009/02/06 18:22:21 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=4712531AB7A01B7EE059853CA17D39BD -- C:\WINDOWS\$hf_mig$\KB956572\SP2QFE\services.exe
[2009/02/06 19:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation) MD5=65DF52F5B8B6E9BBD183505225C37315 -- C:\WINDOWS\$hf_mig$\KB956572\SP3GDR\services.exe
[2004/08/04 12:00:00 | 000,108,032 | ---- | M] (Microsoft Corporation) MD5=C6CE6EEC82F187615D1002BB3BB50ED4 -- C:\WINDOWS\$NtUninstallKB956572$\services.exe

< MD5 for: SERVICES.LNK >
[2004/11/09 18:39:18 | 000,001,602 | ---- | M] () MD5=8E8DB0B6CE493FBD98C0B510ED8800D5 -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\Services.lnk

< MD5 for: SERVICES.MS_ >
[2004/08/04 12:00:00 | 000,003,649 | ---- | M] () MD5=64E9F61D2ED093C361862DE36433B5E1 -- C:\WINDOWS\I386\SERVICES.MS_

< MD5 for: SERVICES.MSC >
[2004/08/04 12:00:00 | 000,033,464 | ---- | M] () MD5=E8089AA2A6F7FEE89B38C1F2D77BA6C6 -- C:\WINDOWS\system32\services.msc

< MD5 for: SVCHOST.EXE >
[2004/08/04 12:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\dllcache\svchost.exe
[2004/08/04 12:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\system32\svchost.exe
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe

< MD5 for: USERINIT.EXE >
[2004/08/04 12:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\dllcache\userinit.exe
[2004/08/04 12:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\system32\userinit.exe

< MD5 for: WINLOGON.EXE >
[2004/08/04 12:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\dllcache\winlogon.exe
[2004/08/04 12:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\system32\winlogon.exe
[2013/04/04 14:50:32 | 000,218,184 | ---- | M] () MD5=B4C6E3889BB310CA7E974A04EC6E46AC -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe

< MD5 for: WINSOCK.DL_ >
[2004/08/04 12:00:00 | 000,001,516 | ---- | M] () MD5=DBE00AC2D306E49623D471A292EF25DC -- C:\WINDOWS\I386\WINSOCK.DL_

< MD5 for: WINSOCK.DLL >
[2004/08/04 12:00:00 | 000,002,864 | ---- | M] (Microsoft Corporation) MD5=68485C5EF0E2EFCEBF21BBB1042B823B -- C:\WINDOWS\system32\dllcache\winsock.dll
[2004/08/04 12:00:00 | 000,002,864 | ---- | M] (Microsoft Corporation) MD5=68485C5EF0E2EFCEBF21BBB1042B823B -- C:\WINDOWS\system32\winsock.dll

< dir "%systemdrive%\*" /S /A:L /C >
Volume in drive C is HP_PAVILION
Volume Serial Number is 5B67-DC52

< End of report >
  • 0

#22
YellowRubberDuck
Posted 31 August 2013 - 11:43 AM

YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-09-01 01:43:09
-----------------------------
01:43:09.937 OS Version: Windows 5.1.2600 Service Pack 2
01:43:09.937 Number of processors: 2 586 0x409
01:43:09.953 ComputerName: YOUR-808953D619 UserName: HP_Owner
01:43:37.953 Initialize success
01:49:08.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7
01:49:09.109 Disk 0 Vendor: ST3160023AS 3.43 Size: 152627MB BusType: 3
01:49:09.343 Disk 0 MBR read successfully
01:49:09.359 Disk 0 MBR scan
01:49:09.359 Disk 0 unknown MBR code
01:49:09.375 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 7138 MB offset 63
01:49:09.375 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 145479 MB offset 14619150
01:49:09.390 Disk 0 scanning sectors +312560640
01:49:09.468 Disk 0 scanning C:\WINDOWS\system32\drivers
01:49:14.671 Service scanning
01:49:29.203 Modules scanning
01:49:43.765 Disk 0 trace - called modules:
01:49:43.812 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
01:49:43.828 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x81d57a68]
01:49:44.265 3 CLASSPNP.SYS[f9ed505b] -> nt!IofCallDriver -> \Device\00000060[0x81cb62c0]
01:49:44.281 5 ACPI.sys[f9d4b620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-7[0x81cecb58]
01:49:44.296 Scan finished successfully
01:50:17.656 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Owner\Desktop\MBR.dat"
01:50:17.703 The log file has been saved successfully to "C:\Documents and Settings\HP_Owner\Desktop\aswMBR.txt"
  • 0

#23
Crowbar
Posted 01 September 2013 - 08:47 AM

Crowbar

    Teacher

  • GeekU Moderator
  • 4,798 posts
You do not seem to have a rootkit, but the unknown MBR code bothers me a little bit - I will have you submit it to an online virus scanner just to be safe.

Also would like to give combofix another try now.

Step 1
Please go to VirusTotal and upload the following file for scanning.
  • Click Choose File
  • Copy and paste the contents of the following code box into the text box next to File name: then click Open
  • C:\Documents and Settings\HP_Owner\Desktop\MBR.dat
  • Click Send File
  • If confronted with two options, choose Reanalyse file now
  • Wait for the scan to finish and then copy and paste the URL from your browser address bar in your next reply please.

Step 2
Please download ComboFix from Here or Here to your Desktop.
Allow it to overwrite the copy you already have on your desktop

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Also allow the installation of the recovery console

    Posted Image

    Posted Image
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

In your next reply I would like to see:
  • URL from virustotal
  • combofix.txt log file
  • How is the computer doing at this point?

  • 0

#24
YellowRubberDuck
Posted 03 September 2013 - 07:59 AM

YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
https://www.virustot...sis/1378215863/
  • 0

#25
Crowbar
Posted 04 September 2013 - 05:00 AM

Crowbar

    Teacher

  • GeekU Moderator
  • 4,798 posts
Did Combofix run successfully?
  • 0

Advertisements

#26
YellowRubberDuck
Posted 04 September 2013 - 08:12 AM

YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
No. I let it run overnight but it stucked at scanning part.

The computer is still same as before but at least Firefox loading this forum a little bit faster, just a little bit though.

Edited by YellowRubberDuck, 04 September 2013 - 08:15 AM.

  • 0

#27
Crowbar
Posted 05 September 2013 - 05:55 AM

Crowbar

    Teacher

  • GeekU Moderator
  • 4,798 posts
I don't see anything bad at this point, and sometimes combofix does not like to run on some system, but still I would like to see it run here.
Remember that you are not going to get any kind of real speed out of this machine with the small amount of ram installed.

Let's continue:

Step 1
I think it is time to get you up to speed with the service pack, so I would like you to run the installer for SP3 now.
You can find it here.
This version is a file you can download and run, rather than using Windows Update.

Step 2
next let's see if we can fix any Windows issues that we don't see:
Download Windows Repair (all in one) from this site

Install the programme then run

Posted Image

Go to step 3 and allow it to run SFC
Posted Image

After that, go to step 4 and do both Create restore point, and under Registry Backup click on Backup
Posted Image

On the start repairs tab click start
Posted Image

Select the following items and tick restart system when finished
Posted Image

Let me know how both of these steps go, after finishing them, please try Internet Explorer
  • 0

#28
YellowRubberDuck
Posted 07 September 2013 - 01:50 AM

YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
1) Done. Everything run smoothly.

2) Done. Everything run smoothly too.

3) I open IE and yes the hacked by Pokemon is still there.
  • 0

#29
Crowbar
Posted 07 September 2013 - 07:27 PM

Crowbar

    Teacher

  • GeekU Moderator
  • 4,798 posts
Hi -
Please tell me how Internet Explorer is behaving?

Let's remove the Pokemon title from it now

Step 1
The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backing Up Your Registry
  • We will use the ERUNT program that you have installed previously
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Posted Image

Step 2

We need to do an OTL fix:

Note: If you have Malwarebytes 1.6 or higher installed please disable it for the duration of this fix as it may interfere with the successfully execution of the script below. If it still hangs then please uninstall MalwareBytes' and run this fix again.
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :commands
    [createrestorepoint]
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title]
    :commands
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the log it produces in your next reply.

In your next reply I would like to see:
  • OTL fix log
  • How is Internet Explorer now?

  • 0

#30
YellowRubberDuck
Posted 10 September 2013 - 10:04 AM

YellowRubberDuck

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 109 posts
1) Done.

2) I've done the OTL fix but there was no log. It didn't pop up after the reboot.

3) IE now can load this forum but the Hacked by Pokemon is still there.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP