Another victim: Vista 64-bit sirefef restart after 1 minute

By Grampz719
Aug 17, 2012
  1. I followed the instructions from another victim [paddy12345, thread date Jun 10, 2012] of the sirefef infection and generated FRST.txt. While looking at the log I deduced that there is a problem with "services.exe", due to the giant arrow in the margin saying "ZeroAccess <======= ATTENTION!". So I also did the FRST64 search for "services.exe" and have included that log too.
    I read Julio Franco's thread for the 5-step program, but my system is so tied up that I can hardly do anything, in normal or safe mode boots.
    The system had a browser redirect virus; then, when I tried to install Microsoft Security Essentials, the "You are about to be logged off" pop-ups started. I was able to see an MSE log that specifically had "sirefef" listed.
  2. Grampz719


    Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
    Ran by SYSTEM at 16-08-2012 13:14:06
    Running from E:\VI_TOOLS
    Windows Vista (TM) Ultimate Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM\...\Run: [SoundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe" /tray [3858432 2008-09-11] (Analog Devices, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [TurboV] "C:\Program Files\ASUS\TurboV\TurboV.exe" [5391872 2009-05-25] ()
    HKLM-x32\...\Run: [PlexUtilities] "C:\Program Files (x86)\Plextor\PlexUTILITIES\PlexRadar.exe" [1746944 2009-05-15] ()
    HKLM-x32\...\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1310720 2008-04-15] (Analog Devices, Inc.)
    HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [311296 2010-03-04] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [79192 2011-02-18] (Research In Motion Limited)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
    HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [296096 2012-07-21] (RealNetworks, Inc.)
    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Main\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-11-20] (Hewlett-Packard Company)
    HKU\Main\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
    HKU\Main\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
    HKU\Main\...\Run: [HydraVisionMDEngine] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe" [569344 2010-08-03] (AMD)
    HKU\Main\...\Run: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [393216 2010-08-03] (AMD)
    HKU\Main\...\Run: [Grid] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraGrd.exe" [401408 2010-08-03] ()
    Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\570\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files (x86)\WinZip\WZQKPICK32.EXE (WinZip Computing, S.L.)
    Startup: C:\Users\Main\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)
    Startup: C:\Users\Main\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

    ==================== Services (Whitelisted) ======

    2 AEADIFilters; C:\Windows\System32\AEADISRV.EXE [111616 2008-07-14] (Andrea Electronics Corporation)
    2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [90112 2009-04-01] ()
    2 MDES; C:\ASUS.SYS\CONFIG\DVMExportService.exe [315392 2009-02-18] (DeviceVM)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    2 Net Driver HPZ12; C:\Windows\System32\svchost.exe -k HPZ12 [27648 2008-01-20] (Microsoft Corporation)
    2 Net Driver HPZ12; C:\Windows\SysWow64\svchost.exe -k HPZ12 [21504 2008-01-20] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    3 NtmsSvc; C:\Windows\System32\ntmssvc.dll [521216 2008-01-20] (Microsoft Corporation)
    2 Pml Driver HPZ12; C:\Windows\System32\svchost.exe -k HPZ12 [27648 2008-01-20] (Microsoft Corporation)
    2 Pml Driver HPZ12; C:\Windows\SysWow64\svchost.exe -k HPZ12 [21504 2008-01-20] (Microsoft Corporation)
    2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
    3 MozillaMaintenance; C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [x]

    ========================== Drivers (Whitelisted) =============

    3 ADIHdAudAddService; C:\Windows\System32\drivers\ADIHdAud.sys [472576 2008-08-20] (Analog Devices, Inc.)
    1 Amfilter; C:\Windows\System32\DRIVERS\Amfltx64.sys [12288 2007-10-15] ((Standard mouse types))
    3 Amusbprt; C:\Windows\System32\DRIVERS\Amusbx64.sys [17920 2008-02-13] (A4Tech Co.,Ltd.)
    1 AsIO; C:\Windows\SysWow64\Drivers\AsIO.sys [13368 2009-04-05] ()
    0 mrdd; C:\Windows\System32\Drivers\mrdd.sys [22568 2008-11-11] (Marvell Semiconductor, Inc.)
    3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15680 2006-10-31] ()
    0 mv61xx; C:\Windows\System32\Drivers\mv61xx.sys [176680 2009-02-08] (Marvell Semiconductor, Inc.)
    2 cpuz132; [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    1 isjarjoc; \??\C:\Windows\system32\drivers\isjarjoc.sys [x]
    3 NAVENG; [x]
    3 NAVEX15; [x]
    2 Norton Internet Security; [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    1 SRTSP; [x]
    1 SRTSPX; [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-16 09:45 - 2012-08-16 09:45 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\hsbbdjqn.sys
    2012-08-16 09:34 - 2012-08-16 09:34 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\eumxhleh.sys
    2012-08-16 09:29 - 2012-08-16 09:29 - 00000000 ____D C:\$WINDOWS.~BT
    2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagwrn.xml
    2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagerr.xml
    2012-08-16 09:24 - 2012-08-16 09:24 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gugoewef.sys
    2012-08-16 09:19 - 2012-08-16 09:19 - 00001099 ____A C:\Users\Main\Desktop\Revo Uninstaller.lnk
    2012-08-16 09:19 - 2012-08-16 09:19 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
    2012-08-16 09:13 - 2012-08-16 09:13 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\earqytlr.sys
    2012-08-16 09:08 - 2012-08-16 09:44 - 00000000 ____D C:\FRST
    2012-08-16 08:55 - 2012-08-16 08:55 - 00001912 ____A C:\Users\Main\Desktop\JDownloader.lnk
    2012-08-16 08:54 - 2012-08-16 08:58 - 00000000 ____D C:\Program Files (x86)\DownloadManager
    2012-08-16 08:54 - 2012-08-16 08:54 - 00000304 ____A C:\user.js
    2012-08-16 08:54 - 2012-08-16 08:54 - 00000000 ____D C:\Program Files (x86)\BabylonToolbar
    2012-08-16 08:41 - 2012-08-16 08:41 - 00000000 ____D C:\Users\Main\AppData\Roaming\Babylon
    2012-08-16 08:41 - 2012-08-16 08:41 - 00000000 ____D C:\Users\All Users\Babylon
    2012-08-15 07:16 - 2012-08-15 07:16 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-15 07:14 - 2012-08-15 07:15 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-08-15 07:14 - 2012-08-15 07:14 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-08-15 07:12 - 2012-08-15 07:13 - 12621696 ____A (Microsoft Corporation) C:\Users\Main\Desktop\mseinstall.exe
    2012-08-09 13:50 - 2012-08-12 06:48 - 00000000 ____D C:\Users\Main\Documents\My Digital Editions
    2012-08-09 13:50 - 2012-08-09 13:50 - 00002013 ____A C:\Users\Public\Desktop\Adobe Digital Editions.lnk
    2012-08-09 13:48 - 2012-08-09 13:48 - 00001784 ____A C:\Users\Main\Desktop\RawFoodQuickandEasyOver100HealthyReci9781578263479.acsm
    2012-08-06 15:03 - 2012-08-06 15:09 - 00000000 ____D C:\Users\All Users\SpeedyPC Software
    2012-08-06 15:03 - 2012-08-06 15:03 - 00000000 ____D C:\Users\Main\AppData\Roaming\SpeedyPC Software
    2012-08-06 15:03 - 2012-08-06 15:03 - 00000000 ____D C:\Users\Main\AppData\Roaming\DriverCure
    2012-08-06 07:06 - 2012-08-06 07:16 - 00000000 ____D C:\Users\Main\Desktop\PHONE PHOTO PHLUSH
    2012-08-05 16:29 - 2012-08-12 12:07 - 00000000 ___SD C:\32788R22FWJFW
    2012-08-05 16:29 - 2012-08-05 16:35 - 00000000 ____D C:\Windows\erdnt
    2012-08-05 16:29 - 2012-08-05 16:35 - 00000000 ____D C:\Qoobox
    2012-08-05 16:13 - 2012-08-05 16:14 - 00000000 ____D C:\Users\Public\Desktop\CC Support
    2012-08-05 14:12 - 2012-08-05 14:12 - 00000000 ____D C:\Windows\pss
    2012-08-01 09:41 - 2012-08-01 09:41 - 00000043 ____A C:\Windows\DAOCONV.T2C
    2012-08-01 09:29 - 2012-08-01 09:41 - 00000000 ____D C:\Program Files (x86)\HT Audio
    2012-08-01 09:29 - 2012-08-01 09:29 - 00000043 ____A C:\Windows\DAOCONV.T1C
    2012-08-01 09:29 - 1998-08-26 13:26 - 01045776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msjet35.dll
    2012-08-01 09:29 - 1998-08-11 15:28 - 00407312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrepl35.dll
    2012-08-01 09:29 - 1997-08-29 12:14 - 00270344 ____A () C:\Windows\SysWOW64\Btn32x10.ocx
    2012-08-01 09:29 - 1997-07-19 14:55 - 01347344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSVBVM50.DLL
    2012-08-01 09:29 - 1997-07-19 14:01 - 00196880 ____N (Microsoft Corporation) C:\Windows\SysWOW64\RICHTX32.OCX
    2012-08-01 09:29 - 1997-07-19 14:01 - 00192784 ____N (Microsoft Corporation) C:\Windows\SysWOW64\TABCTL32.OCX
    2012-08-01 09:29 - 1997-01-23 22:00 - 00078608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\VB5DB.DLL
    2012-08-01 09:29 - 1997-01-13 15:18 - 00037136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSJINT35.DLL
    2012-08-01 09:29 - 1996-12-04 22:00 - 00077824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ODBCTL32.DLL
    2012-08-01 09:29 - 1996-12-02 16:44 - 00251664 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSRD2X35.DLL
    2012-08-01 09:29 - 1996-12-02 16:44 - 00024336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSJTER35.DLL
    2012-08-01 09:29 - 1996-01-11 22:00 - 00200704 ____R (Sheridan Software Systems, Inc.) C:\Windows\SysWOW64\THREED32.OCX
    2012-08-01 08:15 - 2012-08-01 08:15 - 00000000 ____D C:\Users\Main\AppData\Roaming\YourFileDownloader
    2012-07-30 09:42 - 2012-08-16 09:28 - 00001155 ____A C:\Windows\setupact.log
    2012-07-30 09:42 - 2012-08-16 09:28 - 00000000 ____A C:\Windows\setuperr.log
    2012-07-30 09:03 - 2012-07-30 09:03 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2012-07-30 08:43 - 2012-07-30 08:43 - 00000000 ____D C:\Users\Main\AppData\Roaming\WinZip
    2012-07-30 08:38 - 2012-07-30 08:39 - 00000000 ____D C:\Users\Main\AppData\Local\WinZip
    2012-07-30 08:12 - 2012-07-30 08:12 - 00384844 ____A C:\Users\Main\AppData\Local\funmoods-speeddial.crx
    2012-07-30 08:12 - 2012-07-30 08:12 - 00031465 ____A C:\Users\Main\AppData\Local\funmoods.crx
    2012-07-30 08:12 - 2012-07-30 08:12 - 00000000 ____D C:\Program Files (x86)\Funmoods
    2012-07-27 17:38 - 2012-07-31 12:57 - 00000000 ____D C:\Woodworking
    2012-07-26 08:12 - 2012-07-26 08:12 - 04064688 ____A C:\Users\Main\Desktop\Beginning_Game_Level_Design.rar
    2012-07-24 10:58 - 2012-08-15 16:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-07-21 14:23 - 2012-07-21 14:23 - 00000000 ____D C:\Users\Main\AppData\Local\MPlayer
    2012-07-21 14:22 - 2012-07-21 14:24 - 00000000 ____D C:\Users\Main\.umplayer
    2012-07-21 14:22 - 2012-07-21 14:22 - 00000000 ____D C:\Program Files (x86)\UMPlayer
    2012-07-21 12:27 - 2012-07-21 12:28 - 00000000 ____D C:\Users\Main\AppData\Roaming\Real
    2012-07-21 12:27 - 2012-07-21 12:28 - 00000000 ____D C:\Program Files (x86)\Real
    2012-07-21 12:27 - 2012-07-21 12:27 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
    2012-07-21 12:27 - 2012-07-21 12:27 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
    2012-07-21 12:27 - 2012-07-21 12:27 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
    2012-07-21 12:27 - 2012-07-21 12:27 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
    2012-07-21 12:25 - 2012-07-21 12:28 - 00000000 ____D C:\Users\All Users\Real

    ============ 3 Months Modified Files ========================

    2012-08-16 09:45 - 2012-08-16 09:45 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\hsbbdjqn.sys
    2012-08-16 09:45 - 2010-02-11 14:04 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-16 09:44 - 2006-11-02 07:21 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-16 09:44 - 2006-11-02 07:21 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-16 09:43 - 2006-11-02 07:40 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-16 09:34 - 2012-08-16 09:34 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\eumxhleh.sys
    2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagwrn.xml
    2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagerr.xml
    2012-08-16 09:28 - 2012-07-30 09:42 - 00001155 ____A C:\Windows\setupact.log
    2012-08-16 09:28 - 2012-07-30 09:42 - 00000000 ____A C:\Windows\setuperr.log
    2012-08-16 09:24 - 2012-08-16 09:24 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gugoewef.sys
    2012-08-16 09:23 - 2010-02-11 14:04 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-16 09:19 - 2012-08-16 09:19 - 00001099 ____A C:\Users\Main\Desktop\Revo Uninstaller.lnk
    2012-08-16 09:13 - 2012-08-16 09:13 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\earqytlr.sys
    2012-08-16 08:55 - 2012-08-16 08:55 - 00001912 ____A C:\Users\Main\Desktop\JDownloader.lnk
    2012-08-16 08:54 - 2012-08-16 08:54 - 00000304 ____A C:\user.js
    2012-08-15 16:42 - 2012-07-24 10:58 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-15 16:25 - 2006-11-02 07:39 - 00184450 ____A C:\Windows\PFRO.log
    2012-08-15 08:25 - 2008-01-20 17:53 - 01951679 ____A C:\Windows\WindowsUpdate.log
    2012-08-15 07:16 - 2012-08-15 07:16 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-15 07:14 - 2012-02-16 20:15 - 00725714 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-08-15 07:13 - 2012-08-15 07:12 - 12621696 ____A (Microsoft Corporation) C:\Users\Main\Desktop\mseinstall.exe
    2012-08-15 07:03 - 2006-11-02 04:46 - 00707430 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-14 22:38 - 2012-04-01 16:15 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-14 22:38 - 2011-05-24 10:50 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-14 10:06 - 2009-05-13 08:53 - 00001194 ____A C:\Windows\WINSET32.INI
    2012-08-12 12:48 - 2010-03-30 03:24 - 00000426 _RASH C:\Users\Main\ntuser.pol
    2012-08-11 07:46 - 2009-12-05 18:54 - 00000177 ____H C:\dvmexp.idx
    2012-08-09 13:50 - 2012-08-09 13:50 - 00002013 ____A C:\Users\Public\Desktop\Adobe Digital Editions.lnk
    2012-08-09 13:48 - 2012-08-09 13:48 - 00001784 ____A C:\Users\Main\Desktop\RawFoodQuickandEasyOver100HealthyReci9781578263479.acsm
    2012-08-06 15:04 - 2010-12-02 08:19 - 00000539 ____A C:\Users\Main\AppData\Roaming\Rim.Desktop.Exception.log
    2012-08-06 07:07 - 2012-03-30 07:53 - 00000069 ____A C:\Windows\NeroDigital.ini
    2012-08-06 07:07 - 2011-11-02 03:48 - 00000145 ____A C:\Users\Main\AppData\Roaming\default.rss
    2012-08-05 16:53 - 2006-11-02 07:40 - 00032600 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-01 14:42 - 2009-12-05 18:11 - 00099904 ____A C:\Users\Main\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-08-01 14:42 - 2006-11-02 07:21 - 00379200 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-08-01 09:41 - 2012-08-01 09:41 - 00000043 ____A C:\Windows\DAOCONV.T2C
    2012-08-01 09:29 - 2012-08-01 09:29 - 00000043 ____A C:\Windows\DAOCONV.T1C
    2012-08-01 08:01 - 2010-01-24 06:00 - 00000680 ____A C:\Users\Main\AppData\Local\d3d9caps.dat
    2012-07-30 09:42 - 2009-12-05 18:11 - 00001460 ____A C:\Users\Main\AppData\Local\d3d9caps64.dat
    2012-07-30 09:11 - 2010-01-10 11:52 - 00028160 ____A C:\Users\Main\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-07-30 08:12 - 2012-07-30 08:12 - 00384844 ____A C:\Users\Main\AppData\Local\funmoods-speeddial.crx
    2012-07-30 08:12 - 2012-07-30 08:12 - 00031465 ____A C:\Users\Main\AppData\Local\funmoods.crx
    2012-07-26 08:12 - 2012-07-26 08:12 - 04064688 ____A C:\Users\Main\Desktop\Beginning_Game_Level_Design.rar
    2012-07-21 12:27 - 2012-07-21 12:27 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
    2012-07-21 12:27 - 2012-07-21 12:27 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
    2012-07-21 12:27 - 2012-07-21 12:27 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
    2012-07-21 12:27 - 2012-07-21 12:27 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
    2012-07-21 12:27 - 2010-04-29 01:47 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
    2012-07-21 12:27 - 2010-04-29 01:47 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
    2012-07-11 01:06 - 2006-11-02 04:34 - 00002983 ____A C:\Windows\win.ini
    2012-07-11 01:03 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-06-28 13:13 - 2009-12-21 11:51 - 00375794 ____A C:\Users\Main\AppData\Local\dd_depcheck_NETFX_EXP_35.txt
    2012-06-28 13:13 - 2009-12-21 11:51 - 00323086 ____A C:\Users\Main\AppData\Local\dd_dotnetfx35install.txt
    2012-06-13 05:58 - 2012-07-11 01:01 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-12 05:57 - 2012-06-12 05:57 - 14771880 ____A C:\Users\Main\Documents\cam.zip
    2012-06-08 09:59 - 2012-07-10 20:29 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 09:47 - 2012-07-10 20:29 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-05 08:47 - 2012-07-10 20:29 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-06-05 08:47 - 2012-07-10 20:29 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-06-05 08:22 - 2012-07-10 20:29 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 08:22 - 2012-07-10 20:29 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-04 07:29 - 2012-07-10 20:29 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-02 14:19 - 2012-06-21 14:51 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 14:51 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 14:51 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 14:51 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 14:51 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 14:51 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:19 - 2012-06-21 14:51 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 14:15 - 2012-06-21 14:51 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-21 14:51 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-21 14:51 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 13:19 - 2012-06-21 14:51 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 13:19 - 2012-06-21 14:51 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 13:15 - 2012-06-21 14:51 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 13:12 - 2012-06-21 14:51 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-06-02 04:49 - 2012-07-11 01:01 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 04:17 - 2012-07-11 01:01 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 04:12 - 2012-07-11 01:01 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 04:05 - 2012-07-11 01:01 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 04:05 - 2012-07-11 01:01 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 04:04 - 2012-07-11 01:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 04:04 - 2012-07-11 01:01 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 04:03 - 2012-07-11 01:01 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 04:01 - 2012-07-11 01:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 04:00 - 2012-07-11 01:01 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 03:59 - 2012-07-11 01:01 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 03:57 - 2012-07-11 01:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 03:57 - 2012-07-11 01:01 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 03:54 - 2012-07-11 01:01 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-02 01:07 - 2012-07-11 01:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-02 00:43 - 2012-07-11 01:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-02 00:33 - 2012-07-11 01:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-02 00:26 - 2012-07-11 01:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-02 00:25 - 2012-07-11 01:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-11 01:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-02 00:23 - 2012-07-11 01:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-02 00:21 - 2012-07-11 01:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-02 00:20 - 2012-07-11 01:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-11 01:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-02 00:19 - 2012-07-11 01:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-02 00:17 - 2012-07-11 01:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-02 00:16 - 2012-07-11 01:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-02 00:14 - 2012-07-11 01:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-01 16:22 - 2012-07-10 20:29 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 16:22 - 2012-07-10 20:29 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 16:05 - 2012-07-10 20:29 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-06-01 16:04 - 2012-07-10 20:29 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-06-01 16:03 - 2012-07-10 20:29 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-05-31 10:25 - 2009-12-21 11:54 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
    2012-05-23 14:42 - 2012-05-23 14:42 - 00417088 ____A C:\Users\Main\AppData\Local\dd_vcredistMSI1849.txt
    2012-05-23 14:42 - 2012-05-23 14:42 - 00011184 ____A C:\Users\Main\AppData\Local\dd_vcredistUI1849.txt


    ZeroAccess:
    C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}
    C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\@
    C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\L
    C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\U
    C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\L\00000004.@
    C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\L\201d3dde
    C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\U\00000008.@

    ZeroAccess:
    C:\Windows\assembly\GAC_32\Desktop.ini

    ZeroAccess:
    C:\Windows\assembly\GAC_64\Desktop.ini

    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe B8844F93D2C5F1DCDB179AAA9AF134B7 ZeroAccess <==== ATTENTION!.
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 11%
    Total physical RAM: 6134.18 MB
    Available physical RAM: 5420.26 MB
    Total Pagefile: 5800.35 MB
    Available Pagefile: 5384.31 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:1397.26 GB) (Free:969.42 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (FRMCXFRE_EN_DVD) (CDROM) (Total:3.66 GB) (Free:0 GB) UDF
    3 Drive e: (SWISSMEMORY) (Removable) (Total:0.49 GB) (Free:0.1 GB) FAT
    8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 1397 GB 0 B
    Disk 1 Online 499 MB 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Disk 5 No Media 0 B 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1397 GB 1024 KB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 1397 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 498 MB 16 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E SWISSMEMORY FAT Removable 498 MB Healthy

    ==================================================================================

    Last Boot: 2012-08-15 08:56

    ======================= End Of Log ==========================
  3. Grampz719


    Now for "search.txt" for a search on "services.exe".

    Farbar Recovery Scan Tool Version: 15-08-2012
    Ran by SYSTEM at 2012-08-16 13:59:20
    Running from E:\VI_TOOLS

    ================== Search: "services.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
    [2009-12-23 11:57] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
    [2008-01-20 18:49] - [2008-01-20 18:49] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
    [2009-12-23 11:57] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
    [2008-01-20 18:48] - [2008-01-20 18:48] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

    C:\Windows\SysWOW64\services.exe
    [2009-12-23 11:57] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

    C:\Windows\System32\services.exe
    [2009-12-23 11:57] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

    ====== End Of Search ======

    Thank you in advance for helping me and for the work you do on this site!
    Grampz719
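The search log above is what shows the problem: the live C:\Windows\System32\services.exe (381952 bytes, MD5 B8844F93...) matches neither 64-bit copy held in the WinSxS component store, while the SysWOW64 copy is byte-identical to the x86 store copy. The script below is an added example for this thread, not part of FRST or of the poster's logs; it parses the FRST search-log format shown above and flags any live file whose size or MD5 matches no WinSxS copy of the same architecture, assuming the 64-bit layout (System32 = amd64, SysWOW64 = x86).

```python
"""Cross-check live system files from an FRST "Search:" log against the
WinSxS component-store copies of the same file and architecture.

Added example for this thread (not FRST's own code). A mismatch only means
"differs from the store"; it is the analyst who decides whether that is a
patched binary or a legitimate update whose store copy is missing.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the six hits from the "services.exe" search posted above,
# embedded here so the script runs offline.
SAMPLE_SEARCH_LOG = r"""Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 2012-08-16 13:59:20
Running from E:\VI_TOOLS

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-12-23 11:57] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-12-23 11:57] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-12-23 11:57] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-12-23 11:57] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

====== End Of Search ======
"""

# One hit = a path line followed by "[created] - [modified] - size attrs (vendor) MD5".
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\r\n]+)\r?\n"
    r"\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<vendor>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})\s*$",
    re.MULTILINE,
)


@dataclass(frozen=True)
class FileHit:
    path: str
    size: int
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_store(self) -> bool:
        return "\\winsxs\\" in self.path.lower()

    @property
    def arch(self) -> Optional[str]:
        p = self.path.lower()
        if self.in_store:
            # WinSxS component folders are named "<arch>_<component>_...".
            component = p.split("\\winsxs\\", 1)[1].split("\\", 1)[0]
            return component.split("_", 1)[0]
        if "\\system32\\" in p:
            return "amd64"   # native binaries on an x64 install
        if "\\syswow64\\" in p:
            return "x86"     # 32-bit binaries on an x64 install
        return None


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def parse_frst_search(log_text: str) -> List[FileHit]:
    """Return every (path, size, MD5) hit in an FRST search log."""
    return [FileHit(m["path"].strip(), int(m["size"]), m["md5"].upper())
            for m in ENTRY_RE.finditer(log_text)]


def find_suspect_live_files(log_text: str) -> List[Finding]:
    """Flag non-WinSxS copies that match no store copy of the same name/arch."""
    hits = parse_frst_search(log_text)
    store = {(h.name, h.arch, h.size, h.md5) for h in hits if h.in_store}
    store_names = {(h.name, h.arch) for h in hits if h.in_store}
    findings: List[Finding] = []
    for h in hits:
        if h.in_store:
            continue
        if (h.name, h.arch) not in store_names:
            findings.append(Finding(h.path, "no WinSxS copy for this file/arch to compare"))
        elif (h.name, h.arch, h.size, h.md5) not in store:
            findings.append(Finding(
                h.path, f"size {h.size} / MD5 {h.md5} matches no {h.arch} WinSxS copy"))
    return findings


if __name__ == "__main__":
    for f in find_suspect_live_files(SAMPLE_SEARCH_LOG):
        print(f"SUSPECT {f.path}: {f.reason}")
```

On the posted log the only suspect is C:\Windows\System32\services.exe, which is exactly the file the fixlist later replaced with the amd64 WinSxS copy.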
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic where you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    FRST64 Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  5. Grampz719

    Grampz719 Newcomer, in training Topic Starter Posts: 26

    Wow! It seems to have worked. In fact, I am now using the computer in question and not my OOOOld Prescott (400Mhz Pentium) from 10 years ago. Thank you very much!

    So here is Fixlog:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
    Ran by SYSTEM at 2012-08-17 10:05:32 Run:1
    Running from I:\VI_TOOLS

    ==============================================

    C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895} moved successfully.
    C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
    C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
    C:\Windows\System32\services.exe moved successfully.
    C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. Well, we better continue disinfection.

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
  7. Grampz719

    Grampz719 Newcomer, in training Topic Starter Posts: 26

    Here is the ComboFix log file:
    ComboFix 12-08-17.03 - Main 08/17/2012 11:23:16.1.8 - x64
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.6134.3990 [GMT -6:00]
    Running from: c:\users\Main\Desktop\svchost.exe.exe
    AV: COMODO Antivirus *Disabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
    FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
    SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\searchplugins\bing-zugo.xml
    c:\users\Main\g2mdlhlpx.exe
    c:\users\Main\GoToAssistDownloadHelper.exe
    c:\windows\XSxS
    .
    c:\windows\SysWow64\userinit.exe . . . is infected!!
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-07-17 to 2012-08-17 )))))))))))))))))))))))))))))))
    .
    .
    2012-08-17 16:43 . 2012-08-17 18:27 -------- d-----w- c:\programdata\CPA_VA
    2012-08-17 16:20 . 2012-08-17 16:42 -------- d-----w- c:\programdata\Comodo
    2012-08-17 15:43 . 2012-08-17 15:43 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-08-17 15:36 . 2012-08-17 16:20 -------- d-----w- c:\program files\COMODO
    2012-08-17 15:36 . 2012-08-17 15:36 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
    2012-08-17 15:36 . 2012-08-17 15:36 1060864 ----a-w- c:\windows\SysWow64\mfc71.dll
    2012-08-16 17:34 . 2012-08-16 17:34 50392 ----a-w- c:\windows\system32\drivers\eumxhleh.sys
    2012-08-16 17:29 . 2012-08-16 17:29 -------- d-----w- C:\$WINDOWS.~BT
    2012-08-16 17:24 . 2012-08-16 17:24 50392 ----a-w- c:\windows\system32\drivers\gugoewef.sys
    2012-08-16 17:19 . 2012-08-16 17:19 -------- d-----w- c:\program files (x86)\VS Revo Group
    2012-08-16 17:13 . 2012-08-16 17:13 50392 ----a-w- c:\windows\system32\drivers\earqytlr.sys
    2012-08-16 17:08 . 2012-08-16 17:44 -------- d-----w- C:\FRST
    2012-08-16 16:54 . 2012-08-16 16:54 304 ----a-w- C:\user.js
    2012-08-16 16:41 . 2012-08-16 16:41 -------- d-----w- c:\users\Main\AppData\Roaming\Babylon
    2012-08-16 16:41 . 2012-08-16 16:41 -------- d-----w- c:\programdata\Babylon
    2012-08-06 23:03 . 2012-08-06 23:03 -------- d-----w- c:\users\Main\AppData\Roaming\SpeedyPC Software
    2012-08-06 23:03 . 2012-08-06 23:03 -------- d-----w- c:\users\Main\AppData\Roaming\DriverCure
    2012-08-06 23:03 . 2012-08-06 23:09 -------- d-----w- c:\programdata\SpeedyPC Software
    2012-08-01 16:15 . 2012-08-01 16:15 -------- d-----w- c:\users\Main\AppData\Roaming\YourFileDownloader
    2012-07-30 17:03 . 2012-07-30 17:03 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2012-07-30 16:43 . 2012-07-30 16:43 -------- d-----w- c:\users\Main\AppData\Roaming\WinZip
    2012-07-30 16:38 . 2012-07-30 16:39 -------- d-----w- c:\users\Main\AppData\Local\WinZip
    2012-07-30 16:15 . 2012-08-01 16:22 -------- d-----w- c:\programdata\Tarma Installer
    2012-07-28 01:38 . 2012-07-31 20:57 -------- d-----w- C:\Woodworking
    2012-07-27 06:36 . 2012-06-29 10:04 9133488 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{819AF1F3-EA56-47B4-8B00-3684B863E99E}\mpengine.dll
    2012-07-21 22:23 . 2012-07-21 22:23 -------- d-----w- c:\users\Main\AppData\Local\MPlayer
    2012-07-21 22:22 . 2012-07-21 22:24 -------- d-----w- c:\users\Main\.umplayer
    2012-07-21 22:22 . 2012-07-21 22:22 -------- d-----w- c:\program files (x86)\UMPlayer
    2012-07-21 20:28 . 2012-07-21 20:28 11776 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nprjplug.dll
    2012-07-21 20:27 . 2012-07-21 20:27 -------- d-----w- c:\program files (x86)\Common Files\xing shared
    2012-07-21 20:27 . 2012-07-21 20:27 150736 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppl3260.dll
    2012-07-21 20:27 . 2012-07-21 20:27 129176 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
    2012-07-21 20:27 . 2012-07-21 20:28 -------- d-----w- c:\program files (x86)\Real
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-15 06:38 . 2012-04-02 00:15 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-15 06:38 . 2011-05-24 18:50 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-21 20:27 . 2010-04-29 09:47 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
    2012-07-21 20:27 . 2010-04-29 09:47 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
    2012-07-11 09:03 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
    2012-07-03 19:46 . 2011-09-03 11:51 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-13 13:58 . 2012-07-11 09:01 2769408 ----a-w- c:\windows\system32\win32k.sys
    2012-06-08 17:59 . 2012-07-11 04:29 12899840 ----a-w- c:\windows\system32\shell32.dll
    2012-06-05 16:47 . 2012-07-11 04:29 1401856 ----a-w- c:\windows\SysWow64\msxml6.dll
    2012-06-05 16:47 . 2012-07-11 04:29 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
    2012-06-05 16:22 . 2012-07-11 04:29 1797120 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-05 16:22 . 2012-07-11 04:29 1869824 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-04 15:29 . 2012-07-11 04:29 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys
    2012-06-02 22:19 . 2012-06-21 22:51 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-21 22:51 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-21 22:51 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-21 22:51 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-21 22:51 35864 ----a-w- c:\windows\SysWow64\wups.dll
    2012-06-02 22:19 . 2012-06-21 22:51 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-21 22:51 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
    2012-06-02 22:15 . 2012-06-21 22:51 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-21 22:51 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 22:12 . 2012-06-21 22:51 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
    2012-06-02 21:19 . 2012-06-21 22:51 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 21:19 . 2012-06-21 22:51 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2012-06-02 21:15 . 2012-06-21 22:51 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 21:12 . 2012-06-21 22:51 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2012-06-02 12:49 . 2012-07-11 09:01 17807360 ----a-w- c:\windows\system32\mshtml.dll
    2012-06-02 12:17 . 2012-07-11 09:01 10924032 ----a-w- c:\windows\system32\ieframe.dll
    2012-06-02 12:12 . 2012-07-11 09:01 2311680 ----a-w- c:\windows\system32\jscript9.dll
    2012-06-02 12:05 . 2012-07-11 09:01 1346048 ----a-w- c:\windows\system32\urlmon.dll
    2012-06-02 12:05 . 2012-07-11 09:01 1392128 ----a-w- c:\windows\system32\wininet.dll
    2012-06-02 12:04 . 2012-07-11 09:01 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-06-02 12:04 . 2012-07-11 09:01 237056 ----a-w- c:\windows\system32\url.dll
    2012-06-02 12:03 . 2012-07-11 09:01 85504 ----a-w- c:\windows\system32\jsproxy.dll
    2012-06-02 12:01 . 2012-07-11 09:01 173056 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-06-02 12:00 . 2012-07-11 09:01 818688 ----a-w- c:\windows\system32\jscript.dll
    2012-06-02 11:59 . 2012-07-11 09:01 2144768 ----a-w- c:\windows\system32\iertutil.dll
    2012-06-02 11:57 . 2012-07-11 09:01 96768 ----a-w- c:\windows\system32\mshtmled.dll
    2012-06-02 11:57 . 2012-07-11 09:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-06-02 11:54 . 2012-07-11 09:01 248320 ----a-w- c:\windows\system32\ieui.dll
    2012-06-02 08:33 . 2012-07-11 09:01 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
    2012-06-02 08:25 . 2012-07-11 09:01 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-06-02 08:25 . 2012-07-11 09:01 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2012-06-02 08:20 . 2012-07-11 09:01 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2012-06-02 08:16 . 2012-07-11 09:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2012-06-02 00:22 . 2012-07-11 04:29 347136 ----a-w- c:\windows\system32\schannel.dll
    2012-06-02 00:22 . 2012-07-11 04:29 254464 ----a-w- c:\windows\system32\ncrypt.dll
    2012-06-02 00:05 . 2012-07-11 04:29 77312 ----a-w- c:\windows\SysWow64\secur32.dll
    2012-06-02 00:04 . 2012-07-11 04:29 278528 ----a-w- c:\windows\SysWow64\schannel.dll
    2012-06-02 00:03 . 2012-07-11 04:29 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll
    2012-05-31 18:25 . 2009-12-21 19:54 279656 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-02-14 22:58 94208 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-02-14 22:58 94208 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-02-14 22:58 94208 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-02-14 22:58 94208 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
    "LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-11-20 2363392]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "HydraVisionMDEngine"="c:\program files (x86)\ATI Technologies\HydraVision\HydraMD.exe" [2010-08-04 569344]
    "HydraVisionDesktopManager"="c:\program files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [2010-08-04 393216]
    "Grid"="c:\program files (x86)\ATI Technologies\HydraVision\HydraGrd.exe" [2010-08-04 401408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "TurboV"="c:\program files\ASUS\TurboV\TurboV.exe" [2009-05-25 5391872]
    "PlexUtilities"="c:\program files (x86)\Plextor\PlexUTILITIES\PlexRadar.exe" [2009-05-15 1746944]
    "SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2008-04-15 1310720]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
    "ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-08 421776]
    "TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2012-07-21 296096]
    "COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 213304]
    "CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 184120]
    .
    c:\users\Main\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Main\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    WinZip Quick Pick.lnk - c:\program files (x86)\WinZip\WZQKPICK32.EXE [2012-4-4 603536]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\explorer.exe,"
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
    @="Service"
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2009-11-20 21:28 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-08-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 06:38]
    .
    2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-11 22:04]
    .
    2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-11 22:04]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-02-14 22:58 97792 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-02-14 22:58 97792 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-02-14 22:58 97792 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-02-14 22:58 97792 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAX"="c:\program files (x86)\Analog Devices\SoundMAX\SoundMAX.exe" [2008-09-11 3858432]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-12 9569096]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    "AppInit_DLLs"=c:\windows\System32\guard64.dll
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_ss&mntrId=9e7f146600000000000090e6ba1f8bf8
    mStart Page = hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1QzuzytD0EyC0B0AtC0Fzz0B0FzytCyEyCyCtN0D0Tzu0CtBtCtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=604335370
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Open Client to monitor &1 - c:\windows\web\AOpenClient.htm
    IE: Open Client to monitor &2 - c:\windows\web\AOpenClient.htm
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\
    FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=KW_ss&mntrId=9e7f146600000000000090e6ba1f8bf8&q=
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    FF - user.js: extensions.funmoods.hmpg - true
    FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1QzuzytD0EyC0B0AtC0Fzz0B0FzytCyEyCyCtN0D0Tzu0CtBtCtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=604335370
    FF - user.js: extensions.funmoods.dfltSrch - true
    FF - user.js: extensions.funmoods.srchPrvdr - Search
    FF - user.js: extensions.funmoods.dnsErr - true
    FF - user.js: extensions.funmoods_i.newTab - true
    FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1QzuzytD0EyC0B0AtC0Fzz0B0FzytCyEyCyCtN0D0Tzu0CtBtCtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=604335370
    FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1QzuzytD0EyC0B0AtC0Fzz0B0FzytCyEyCyCtN0D0Tzu0CtBtCtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=604335370&q=
    FF - user.js: extensions.funmoods.id - 90E6BA1F8BF91466
    FF - user.js: extensions.funmoods.instlDay - 15551
    FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
    FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
    FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2210:12
    FF - user.js: extensions.funmoods.prtnrId - funmoods
    FF - user.js: extensions.funmoods.prdct - funmoods
    FF - user.js: extensions.funmoods.aflt - nv1
    FF - user.js: extensions.funmoods_i.smplGrp - none
    FF - user.js: extensions.funmoods.tlbrId - base
    FF - user.js: extensions.funmoods.instlRef - nv1
    FF - user.js: extensions.funmoods.dfltLng -
    FF - user.js: extensions.funmoods.excTlbr - false
    FF - user.js: extensions.funmoods.autoRvrt - false
    FF - user.js: extensions.funmoods.envrmnt - production
    FF - user.js: extensions.funmoods.isdcmntcmplt - true
    FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
    FF - user.js: extensions.autoDisableScopes - 14
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110796&tt=3312_2
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://www.google.com/search?babsrc=TB_ggl&q=
    FF - user.js: extensions.BabylonToolbar.id - 9e7f146600000000000090e6ba1f8bf8
    FF - user.js: extensions.BabylonToolbar.instlDay - 15568
    FF - user.js: extensions.BabylonToolbar.vrsn - 1.6.4.6
    FF - user.js: extensions.BabylonToolbar.vrsni - 1.6.4.6
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.6.4.610:54
    FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar.instlRef - sst
    FF - user.js: extensions.BabylonToolbar.dfltLng - en
    FF - user.js: extensions.BabylonToolbar.excTlbr - false
    FF - user.js: extensions.BabylonToolbar.admin - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Notify-GoToAssist - (no file)
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-MozillaMaintenanceService - c:\program files (x86)\Mozilla Maintenance Service\uninstall.exe
    AddRemove-Prism - c:\program files (x86)\NCH Software\Prism\uninst.exe
    AddRemove-Switch - c:\program files (x86)\NCH Swift Sound\Switch\uninst.exe
    AddRemove-WavePad - c:\program files (x86)\NCH Swift Sound\WavePad\uninst.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
    c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
    c:\asus.sys\CONFIG\DVMExportService.exe
    c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    .
    **************************************************************************
    .
    Completion time: 2012-08-17 12:33:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-08-17 18:33
    .
    Pre-Run: 1,037,579,714,560 bytes free
    Post-Run: 1,038,735,683,584 bytes free
    .
    - - End Of File - - 74EA7DF2FDD206297564EA061E5D51B2
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
  9. Grampz719

    Grampz719 Newcomer, in training Topic Starter Posts: 26

    I can't get this to complete. I drag the "CFScript.txt" into the ComboFix.exe icon on my desktop and it starts a scan for infected files. It completes stage 50 then comes up with the message "System file is infected!! Attempting to restore "C:\Windows\system32\services.exe"" It sits there for a long time, then the computer reboots. It keeps installing a weird looking internet explorer icon on my desktop that has Babylon search installed. I keep trashing this, but it keeps coming back on reboot. I have looked for the "ComboFix.txt" and can't find it (even using the search function).
  10. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Exit out of all windows and then double-click ComboFix to run, and then post a new log.
  11. Grampz719

    Grampz719 Newcomer, in training Topic Starter Posts: 26

    Here is the ComboFix log; I found this in the c:\svchost.exe sub-directory.

    ComboFix 12-08-20.01 - Main 08/20/2012 7:18:17.5.8 - x64
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.6134.4032 [GMT -6:00]
    Running from: C:\Users\Main\Desktop\svchost.exe.exe
    Command switches used :: C:\Users\Main\Desktop\CFScript.txt
    AV: COMODO Antivirus *Disabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
    FW: COMODO Firewall *Disabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
    SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
  12. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay. That didn't work...

    • Please download Hitman Pro by Surfright from here and save it to your desktop.
    • Double click HitmanPro36.exe to run the scanner
    • Click Next
    • Accept the license conditions and click Next
    • Choose to do only a single scan. Do not enter any e-mail address and click Next
    • Hitman Pro will now scan your computer
    • After the scan, choose to ignore all threats - I want to have a look first, before deciding what to do
    • Click Next
    • You will now find an option to export the results of the scan to an XML file (log.xml). Please do so. Close Hitman Pro.
    • Please copy and paste the contents of log.xml into your next reply (You can open XML files with notepad)

    Note: For best results, keep Hitman Pro for the future to prevent re-infection. Consider purchasing it now.
  13. Grampz719

    Grampz719 Newcomer, in training Topic Starter Posts: 26

    Hitman Pro Log:

  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  15. Grampz719

    Grampz719 Newcomer, in training Topic Starter Posts: 26

    Here is the SystemLook.txt log file:

    SystemLook 30.07.11 by jpshortstuff
    Log created at 16:08 on 21/08/2012 by Main
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "userinit.*"
    C:\Windows\erdnt\cache64\userinit.exe --a---- 28160 bytes [18:31 17/08/2012] [02:48 21/01/2008] A0AB2BB9A92293D9CE66E252719AB5FE
    C:\Windows\erdnt\cache86\userinit.exe --a---- 25088 bytes [18:31 17/08/2012] [02:49 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
    C:\Windows\System32\userinit.exe --a---- 28160 bytes [02:48 21/01/2008] [02:48 21/01/2008] A0AB2BB9A92293D9CE66E252719AB5FE
    C:\Windows\System32\en-US\userinit.exe.mui --a---- 3584 bytes [15:13 02/11/2006] [15:13 02/11/2006] 7A820F1B24D266DE11444D6C8FA8AC8A
    C:\Windows\SysWOW64\userinit.exe --a---- 25088 bytes [02:49 21/01/2008] [02:49 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
    C:\Windows\SysWOW64\en-US\userinit.exe.mui --a---- 4096 bytes [15:13 02/11/2006] [15:13 02/11/2006] F058F2BAE89E70B2A79D5EB820092EEB
    C:\Windows\winsxs\amd64_microsoft-windows-userinit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_e9d87fb38dc4f328\userinit.exe.mui --a---- 3584 bytes [15:13 02/11/2006] [15:13 02/11/2006] 7A820F1B24D266DE11444D6C8FA8AC8A
    C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe --a---- 28160 bytes [02:48 21/01/2008] [02:48 21/01/2008] A0AB2BB9A92293D9CE66E252719AB5FE
    C:\Windows\winsxs\x86_microsoft-windows-userinit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_8db9e42fd56781f2\userinit.exe.mui --a---- 4096 bytes [15:13 02/11/2006] [15:13 02/11/2006] F058F2BAE89E70B2A79D5EB820092EEB
    C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --a---- 25088 bytes [02:49 21/01/2008] [02:49 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9

    -= EOF =-
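    As an added example (not part of the thread, and not SystemLook's own code), here is the comparison a helper makes by eye when reading such a log, automated: parse the SystemLook filefind lines and compare the MD5 of each live System32/SysWOW64 copy against the WinSxS component-store copy with the same file name and architecture, assuming a 64-bit host as in this thread. The first seven result lines in the sample are taken from the log above; the services.exe pair and its hashes are constructed so that the mismatch case is exercised.

```python
"""Cross-check SystemLook 'filefind' output: the MD5 of each live System32/SysWOW64
binary is compared with the WinSxS component-store copy of the same file name
and architecture. A differing hash is how a patched system file shows up."""
import re
from collections import namedtuple

FileEntry = namedtuple("FileEntry", "path attrs size mtime ctime md5")

# One result line: <path> <attrs> <size> bytes [mtime] [ctime] <MD5>
_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# WinSxS component directories start with the architecture: amd64_... or x86_...
_WINSXS = re.compile(r"\\winsxs\\(amd64|x86)_", re.IGNORECASE)

# The first seven result lines are copied from the SystemLook log posted above.
# The last two are CONSTRUCTED: a services.exe whose hash differs from its
# (made-up) WinSxS copy, so that the mismatch path is exercised.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 16:08 on 21/08/2012 by Main
Administrator - Elevation successful

========== filefind ==========

Searching for "userinit.*"
C:\Windows\erdnt\cache64\userinit.exe --a---- 28160 bytes [18:31 17/08/2012] [02:48 21/01/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\System32\userinit.exe --a---- 28160 bytes [02:48 21/01/2008] [02:48 21/01/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\System32\en-US\userinit.exe.mui --a---- 3584 bytes [15:13 02/11/2006] [15:13 02/11/2006] 7A820F1B24D266DE11444D6C8FA8AC8A
C:\Windows\SysWOW64\userinit.exe --a---- 25088 bytes [02:49 21/01/2008] [02:49 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\winsxs\amd64_microsoft-windows-userinit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_e9d87fb38dc4f328\userinit.exe.mui --a---- 3584 bytes [15:13 02/11/2006] [15:13 02/11/2006] 7A820F1B24D266DE11444D6C8FA8AC8A
C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe --a---- 28160 bytes [02:48 21/01/2008] [02:48 21/01/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --a---- 25088 bytes [02:49 21/01/2008] [02:49 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\System32\services.exe --a---- 324608 bytes [12:00 01/01/2012] [12:00 01/01/2012] DEADBEEFDEADBEEFDEADBEEFDEADBEEF
C:\Windows\winsxs\amd64_CONSTRUCTED-EXAMPLE-COMPONENT\services.exe --a---- 324608 bytes [12:00 01/01/2012] [12:00 01/01/2012] 0123456789ABCDEF0123456789ABCDEF

-= EOF =-
"""


def parse_filefind(text):
    """Return a FileEntry for every result line in a SystemLook log."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]),
                                     m["mtime"], m["ctime"], m["md5"].upper()))
    return entries


def classify(path):
    """(role, arch): 'live' for the running copy in System32/SysWOW64, 'ref' for
    the WinSxS copy, (None, None) for anything else such as the ERDNT cache.
    Assumes 64-bit Windows, as in this thread, so System32 holds amd64 files."""
    m = _WINSXS.search(path)
    if m:
        return "ref", m.group(1).lower()
    low = path.lower()
    if "\\windows\\system32\\" in low:
        return "live", "amd64"
    if "\\windows\\syswow64\\" in low:
        return "live", "x86"
    return None, None


def cross_check(entries):
    """Map each live path to 'match', 'MISMATCH' or 'no-reference'."""
    refs = {}
    for e in entries:
        role, arch = classify(e.path)
        if role == "ref":
            refs[(arch, e.path.rsplit("\\", 1)[-1].lower())] = e.md5
    verdicts = {}
    for e in entries:
        role, arch = classify(e.path)
        if role != "live":
            continue
        ref = refs.get((arch, e.path.rsplit("\\", 1)[-1].lower()))
        if ref is None:
            verdicts[e.path] = "no-reference"
        else:
            verdicts[e.path] = "match" if ref == e.md5 else "MISMATCH"
    return verdicts


def suspicious(text):
    """Sorted paths of live binaries whose MD5 differs from their WinSxS copy."""
    return sorted(p for p, v in cross_check(parse_filefind(text)).items()
                  if v == "MISMATCH")


if __name__ == "__main__":
    for path, verdict in cross_check(parse_filefind(SAMPLE_LOG)).items():
        print(f"{verdict:13}{path}")
```

    A matching hash only shows the live file agrees with the component store, not that either is clean; a mismatch, as with the constructed services.exe pair, is the signal worth following up.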
  16. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix Script

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the codebox below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
  17. Grampz719

    Grampz719 Newcomer, in training Topic Starter Posts: 26

    Here it is...doesn't look like much

    ComboFix 12-08-22.03 - Main 08/22/2012 16:01:30.7.8 - x64
    Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.6134.4622 [GMT -6:00]
    Running from: C:\Users\Main\Desktop\ComboFix.exe
    Command switches used :: C:\Users\Main\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
  19. Grampz719

    Grampz719 Newcomer, in training Topic Starter Posts: 26

    Now we are talking, found the little buggers:

    C:\FRST\Quarantine\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\U\000000cb.@ Win64/Conedex.B trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\U\80000000.@ Win64/Sirefef.AP trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\U\80000032.@ a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
    C:\FRST\Quarantine\services.exe Win64/Patched.A trojan deleted - quarantined
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Nah. Just quarantine. They were already safely killed earlier. No biggie.

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  21. Grampz719

    Grampz719 Newcomer, in training Topic Starter Posts: 26

    The only weirdness is when attempting to open IE or Firefox, there seems to be a problem writing the graphics. For example if you drag a dialog window over the open browser a series of tracers are written across the window, that never clear. Google Chrome does not seem to have these problems.

    I also have the graphics write issue with Windows Photo Gallery. It shows a picture in the side bar preview pane (as normal), but then never displays the photo in the main viewing pane, so that you can adjust exposure/contrast/saturation, etc.

    There is also Babylon infesting the browsers. For example in Firefox, when you open a new tab it goes to a Babylon search rather than displaying the "pinned" sites designated. Both IE & Firefox have an odd home page, instead of the pages I had specified. Firefox home was specified as www.google.com and IE was for the local real estate MLS. Here is the URL:

    http://webhelper.centurylink.com/index.php?origURL=http://www.google.ocm/&r=

    note the ".ocm" instead of ".com" in the end google part.

    I have DSL through Century Link, but I don't know if that has anything to do with this.

    I have played Need for Speed, Most Wanted (an oldie but a goodie), and it runs flawlessly with all graphic settings maxed out. I told my wife I was testing the system, but she didn't buy that...oh well.

    The photo desk top background image and all other graphic functions seem normal.

    When looking at the task manager processes, "System Idle Process" is around 97-98% with "Winword.exe" and wnpetwk.exe at 1% each (also taskmngr.exe is 1% when in use as expected).

    No BSOD, Slowness, Antivirus or crashes.

    I have downloaded the video card drivers (AMD/ATI) to my flash drive, but wanted to touch base with you before reinstalling the video drivers.

    Thank you again, so much for all of your help.

    Sincerely,

    Grampz719
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.


    Additional FRST Scan

    Once again, please boot to the System Recovery Options and run FRST, as done previously.

    Type the following text in the blank box after Search:

    userinit.exe

    Click: Search file(s)

    [IMG]

    When done searching, FRST makes a log, Search.txt, on the C:\ drive.

    Please provide the Search.txt in your reply.
  23. Grampz719

    Grampz719 Newcomer, in training Topic Starter Posts: 26

    Here we go...Logs, logs and more logs.

    First the AdwCleaner[R1].txt log:

    # AdwCleaner v1.801 - Logfile created 08/24/2012 at 13:03:50
    # Updated 14/08/2012 by Xplode
    # Operating system : Windows (TM) Vista Ultimate Service Pack 2 (64 bits)
    # User : Main - COREI7
    # Boot Mode : Normal
    # Running from : J:\VI_TOOLS\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Folder Found : C:\Users\Main\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Folder Found : C:\Users\Main\AppData\LocalLow\AskToolbar
    Folder Found : C:\Users\Main\AppData\Roaming\Babylon
    Folder Found : C:\ProgramData\Babylon
    Folder Found : C:\ProgramData\InstallMate
    Folder Found : C:\ProgramData\Tarma Installer
    Folder Found : C:\ProgramData\Premium
    File Found : C:\Users\Main\AppData\Local\funmoods.crx
    File Found : C:\Users\Main\AppData\Local\funmoods-speeddial.crx
    File Found : C:\Users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\searchplugins\Askcom.xml
    File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\avg-secure-search.xml
    File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
    File Found : C:\user.js

    ***** [Registry] *****

    Key Found : HKCU\Software\Conduit
    Key Found : HKLM\SOFTWARE\Babylon
    Key Found : HKLM\SOFTWARE\bflixtoolbar
    Key Found : HKLM\SOFTWARE\Classes\f
    Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore
    Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore.1
    Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
    Key Found : HKLM\SOFTWARE\Conduit
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Found : HKLM\SOFTWARE\Iminent
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    [x64] Key Found : HKCU\Software\Conduit
    [x64] Key Found : HKLM\SOFTWARE\Classes\f
    [x64] Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore
    [x64] Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore.1
    [x64] Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    [x64] Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\funmoods

    ***** [Registre - GUID] *****


    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1QzuzytD0EyC0B0AtC0Fzz0B0FzytCyEyCyCtN0D0Tzu0CtBtCtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=604335370

    -\\ Mozilla Firefox v14.0.1 (en-US)

    Profile name : default
    File : C:\Users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\prefs.js

    Found : user_pref("backup.old.browser.startup.homepage", "hxxp://search.babylon.com/?affID=110796&tt=3312_2&[...]
    Found : user_pref("browser.babylon.HPOnNewTab", "");
    Found : user_pref("browser.newtab.url", "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=NT_ss&mntr[...]
    Found : user_pref("browser.search.defaultengine", "Ask.com");
    Found : user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
    Found : user_pref("browser.search.order.1", "Search the web (Babylon)");
    Found : user_pref("browser.search.selectedEngine", "Search the web (Babylon)");
    Found : user_pref("extensions.BabylonToolbar.admin", false);
    Found : user_pref("extensions.BabylonToolbar.aflt", "babsst");
    Found : user_pref("extensions.BabylonToolbar.dfltLng", "en");
    Found : user_pref("extensions.BabylonToolbar.excTlbr", false);
    Found : user_pref("extensions.BabylonToolbar.id", "9e7f146600000000000090e6ba1f8bf8");
    Found : user_pref("extensions.BabylonToolbar.instlDay", "15568");
    Found : user_pref("extensions.BabylonToolbar.instlRef", "sst");
    Found : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
    Found : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
    Found : user_pref("extensions.BabylonToolbar.tlbrId", "tb9");
    Found : user_pref("extensions.BabylonToolbar.tlbrSrchUrl", "hxxp://www.google.com/search?babsrc=TB_ggl&q=");
    Found : user_pref("extensions.BabylonToolbar.vrsn", "1.6.4.6");
    Found : user_pref("extensions.BabylonToolbar.vrsni", "1.6.4.6");
    Found : user_pref("extensions.BabylonToolbar_i.babExt", "");
    Found : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=110796&tt=3312_2");
    Found : user_pref("extensions.BabylonToolbar_i.newTab", true);
    Found : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=110796&tt=3312_[...]
    Found : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
    Found : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
    Found : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.6.4.610:54:30");
    Found : user_pref("extensions.funmoods.aflt", "nv1");
    Found : user_pref("extensions.funmoods.autoRvrt", false);
    Found : user_pref("extensions.funmoods.brwsrsrc", "ietlbr");
    Found : user_pref("extensions.funmoods.cntry", "US");
    Found : user_pref("extensions.funmoods.cv", "cv5");
    Found : user_pref("extensions.funmoods.dfltLng", "");
    Found : user_pref("extensions.funmoods.dfltSrch", true);
    Found : user_pref("extensions.funmoods.dfltlng", "en");
    Found : user_pref("extensions.funmoods.dfltsrch", true);
    Found : user_pref("extensions.funmoods.dnsErr", true);
    Found : user_pref("extensions.funmoods.envrmnt", "production");
    Found : user_pref("extensions.funmoods.excTlbr", false);
    Found : user_pref("extensions.funmoods.hdrMd5", "F3C2ADFE15F591416430C001CC606ACF");
    Found : user_pref("extensions.funmoods.hmpg", true);
    Found : user_pref("extensions.funmoods.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2[...]
    Found : user_pref("extensions.funmoods.hrdid", "90E6BA1F8BF91466");
    Found : user_pref("extensions.funmoods.id", "90E6BA1F8BF91466");
    Found : user_pref("extensions.funmoods.instlDay", "15551");
    Found : user_pref("extensions.funmoods.instlRef", "nv1");
    Found : user_pref("extensions.funmoods.instlday", "15551");
    Found : user_pref("extensions.funmoods.instlref", "nv1");
    Found : user_pref("extensions.funmoods.isdcmntcmplt", true);
    Found : user_pref("extensions.funmoods.keywordurl", "");
    Found : user_pref("extensions.funmoods.lastVrsnTs", "1.5.23.2210:12:23");
    Found : user_pref("extensions.funmoods.mntrvrsn", "1.3.0");
    Found : user_pref("extensions.funmoods.newTab", true);
    Found : user_pref("extensions.funmoods.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=nv1&chnl=nv1&cd=2XzuyEt[...]
    Found : user_pref("extensions.funmoods.newtab", true);
    Found : user_pref("extensions.funmoods.newtaburl", "hxxp://start.funmoods.com/?f=2&a=nv1&chnl=nv1&cd=2XzuyEt[...]
    Found : user_pref("extensions.funmoods.prdct", "funmoods");
    Found : user_pref("extensions.funmoods.prtnrId", "funmoods");
    Found : user_pref("extensions.funmoods.prtnrid", "funmoods");
    Found : user_pref("extensions.funmoods.savedVrsnTs", "1");
    Found : user_pref("extensions.funmoods.sg", "none");
    Found : user_pref("extensions.funmoods.smplGrp", "none");
    Found : user_pref("extensions.funmoods.smplgrp", "none");
    Found : user_pref("extensions.funmoods.srch", "");
    Found : user_pref("extensions.funmoods.srchPrvdr", "Search");
    Found : user_pref("extensions.funmoods.srchprvdr", "Search");
    Found : user_pref("extensions.funmoods.tlbrId", "base");
    Found : user_pref("extensions.funmoods.tlbrSrchUrl", "hxxp://start.funmoods.com/?f=3&a=nv1&chnl=nv1&cd=2Xzuy[...]
    Found : user_pref("extensions.funmoods.tlbrid", "base");
    Found : user_pref("extensions.funmoods.tlbrsrchurl", "hxxp://start.funmoods.com/?f=3&a=nv1&chnl=nv1&cd=2Xzuy[...]
    Found : user_pref("extensions.funmoods.vrsn", "1.5.23.22");
    Found : user_pref("extensions.funmoods.vrsnTs", "1.5.23.2210:12:23");
    Found : user_pref("extensions.funmoods.vrsni", "1.5.23.22");
    Found : user_pref("extensions.funmoods.vrsnts", "1.5.23.2210:12:23");
    Found : user_pref("extensions.funmoods.xpestat\\xpereportdata", "30-6-2012");
    Found : user_pref("extensions.funmoods_i.newTab", true);
    Found : user_pref("extensions.funmoods_i.smplGrp", "none");
    Found : user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.2210:12:23");
    Found : user_pref("keyword.URL", "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=KW_ss&mntrId=9e7f[...]

    -\\ Google Chrome v21.0.1180.83

    File : C:\Users\Main\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Found : "homepage": "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_ss&mntrId=9e7f1466000[...]
    Found : "urls_to_restore_on_startup": [ "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=H[...]
    Found : "name": "Funmoods",
    Found : "update_url": "hxxp://funmoods.com/public/download/chrome/update.xml",
    Found : "baseUrl": "hxxp://start.funmoods.com/results.php?",
    Found : "update_url": "hxxp://update.funmoods.com/speeddial/update.xml?bu=st",
    Found : "homepage": "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_ss&mntrId=9e7f1466000000[...]
    Found : "urls_to_restore_on_startup": [ "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_s[...]

    *************************

    AdwCleaner[R1].txt - [13767 octets] - [24/08/2012 13:03:50]

    ########## EOF - C:\AdwCleaner[R1].txt - [13896 octets] ##########

    Next the FRST.txt


    Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
    Ran by SYSTEM at 24-08-2012 13:17:00
    Running from F:\VI_TOOLS
    Windows Vista (TM) Ultimate Service Pack 1 (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ========================== Registry (Whitelisted) =============

    HKLM-x32\...\Run: [TurboV] "C:\Program Files\ASUS\TurboV\TurboV.exe" [5391872 2009-05-25] ()
    HKLM-x32\...\Run: [PlexUtilities] "C:\Program Files (x86)\Plextor\PlexUTILITIES\PlexRadar.exe" [1746944 2009-05-15] ()
    HKLM-x32\...\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1310720 2008-04-15] (Analog Devices, Inc.)
    HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [311296 2010-03-04] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [79192 2011-02-18] (Research In Motion Limited)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
    HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
    HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [296096 2012-07-21] (RealNetworks, Inc.)
    HKLM-x32\...\Run: [combofix] C:\ComboFix\CF14863.3XE /c C:\ComboFix\Combobatch.bat [8272 2012-08-22] ()
    HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
    HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
    HKU\Main\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-11-20] (Hewlett-Packard Company)
    HKU\Main\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
    HKU\Main\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
    HKU\Main\...\Run: [HydraVisionMDEngine] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe" [569344 2010-08-03] (AMD)
    HKU\Main\...\Run: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [393216 2010-08-03] (AMD)
    HKU\Main\...\Run: [Grid] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraGrd.exe" [401408 2010-08-03] ()
    HKLM-x32\...\Runonce: [combofix] C:\ComboFix\CF14863.3XE /c C:\ComboFixCombobatch.bat [x]
    HKLM-x32\...\runonceex: [flags] 8
    HKLM\...\Winlogon: [Userinit] C:\Windows\explorer.exe, [3079168 2009-04-10] (Microsoft Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25
    AppInit_DLLs: C:\Windows\System32\guard64.dll
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files (x86)\WinZip\WZQKPICK32.EXE (WinZip Computing, S.L.)
    Startup: C:\Users\Main\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)
    Startup: C:\Users\Main\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

    ==================== Services (Whitelisted) ======

    2 AEADIFilters; C:\Windows\System32\AEADISRV.EXE [111616 2008-07-14] (Andrea Electronics Corporation)
    2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [90112 2009-04-01] ()
    2 MDES; C:\ASUS.SYS\CONFIG\DVMExportService.exe [315392 2009-02-18] (DeviceVM)
    2 Net Driver HPZ12; C:\Windows\System32\svchost.exe -k HPZ12 [27648 2008-01-20] (Microsoft Corporation)
    2 Net Driver HPZ12; C:\Windows\SysWow64\svchost.exe -k HPZ12 [21504 2008-01-20] (Microsoft Corporation)
    3 NtmsSvc; C:\Windows\System32\ntmssvc.dll [521216 2008-01-20] (Microsoft Corporation)
    2 Pml Driver HPZ12; C:\Windows\System32\svchost.exe -k HPZ12 [27648 2008-01-20] (Microsoft Corporation)
    2 Pml Driver HPZ12; C:\Windows\SysWow64\svchost.exe -k HPZ12 [21504 2008-01-20] (Microsoft Corporation)
    2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
    3 WinDefend; C:\Program Files (x86)\Windows Defender\mpsvc.dll [x]

    ========================== Drivers (Whitelisted) =============

    3 ADIHdAudAddService; C:\Windows\System32\drivers\ADIHdAud.sys [472576 2008-08-20] (Analog Devices, Inc.)
    1 Amfilter; C:\Windows\System32\DRIVERS\Amfltx64.sys [12288 2007-10-15] ((Standard mouse types))
    3 Amusbprt; C:\Windows\System32\DRIVERS\Amusbx64.sys [17920 2008-02-13] (A4Tech Co.,Ltd.)
    1 AsIO; C:\Windows\SysWow64\Drivers\AsIO.sys [13368 2009-04-05] ()
    0 mrdd; C:\Windows\System32\Drivers\mrdd.sys [22568 2008-11-11] (Marvell Semiconductor, Inc.)
    3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15680 2006-10-31] ()
    0 mv61xx; C:\Windows\System32\Drivers\mv61xx.sys [176680 2009-02-08] (Marvell Semiconductor, Inc.)
    1 Beep; [x]
    3 catchme; [x]
    2 cpuz132; [x]
    3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
    1 isjarjoc; [x]
    3 MozillaMaintenance; [x]
    3 NAVENG; [x]
    3 NAVEX15; [x]
    2 Norton Internet Security; [x]
    3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
    3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
    1 SRTSP; [x]
    1 SRTSPX; [x]

    ========================== NetSvcs (Whitelisted) ===========


    ============ One Month Created Files and Folders ==============

    2012-08-24 11:03 - 2012-08-24 11:03 - 00013836 ____A C:\AdwCleaner[R1].txt
    2012-08-23 06:21 - 2012-08-23 06:21 - 00000000 ____D C:\Program Files (x86)\ESET
    2012-08-22 13:55 - 2012-08-24 07:06 - 00000000 ___SD C:\ComboFix
    2012-08-22 12:10 - 2012-08-22 12:10 - 00000000 ____D C:\Program Files\COMODO
    2012-08-21 07:21 - 2012-08-21 07:21 - 00020606 ____A C:\HitmanPro_20120821_0921.log
    2012-08-21 07:14 - 2012-08-21 07:14 - 00000000 ____D C:\Users\All Users\HitmanPro
    2012-08-17 09:17 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-08-17 09:17 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-08-17 09:17 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-08-17 09:17 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-08-17 09:17 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-08-17 09:17 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
    2012-08-17 09:17 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
    2012-08-17 09:17 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
    2012-08-17 08:43 - 2012-08-22 12:06 - 00000000 ____D C:\Users\All Users\CPA_VA
    2012-08-17 08:42 - 2012-08-17 08:42 - 00000000 ____D C:\Users\Public\Documents\COMODO
    2012-08-17 08:40 - 2012-08-17 09:11 - 00505232 ____A C:\Windows\System32\Drivers\sfi.dat
    2012-08-17 07:36 - 2012-08-17 07:36 - 01700352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gdiplus.dll
    2012-08-17 07:36 - 2012-08-17 07:36 - 01060864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfc71.dll
    2012-08-16 09:34 - 2012-08-16 09:34 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\eumxhleh.sys
    2012-08-16 09:29 - 2012-08-16 09:29 - 00000000 ____D C:\$WINDOWS.~BT
    2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagwrn.xml
    2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagerr.xml
    2012-08-16 09:24 - 2012-08-16 09:24 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gugoewef.sys
    2012-08-16 09:19 - 2012-08-16 09:19 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
    2012-08-16 09:13 - 2012-08-16 09:13 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\earqytlr.sys
    2012-08-16 09:08 - 2012-08-16 09:44 - 00000000 ____D C:\FRST
    2012-08-16 08:54 - 2012-08-16 08:54 - 00000304 ____A C:\user.js
    2012-08-16 08:41 - 2012-08-16 08:41 - 00000000 ____D C:\Users\Main\AppData\Roaming\Babylon
    2012-08-16 08:41 - 2012-08-16 08:41 - 00000000 ____D C:\Users\All Users\Babylon
    2012-08-15 07:16 - 2012-08-17 09:09 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-09 13:50 - 2012-08-20 05:14 - 00000000 ____D C:\Users\Main\Documents\My Digital Editions
    2012-08-09 13:48 - 2012-08-09 13:48 - 00001784 ____A C:\Users\Main\Desktop\RawFoodQuickandEasyOver100HealthyReci9781578263479.acsm
    2012-08-06 15:03 - 2012-08-06 15:09 - 00000000 ____D C:\Users\All Users\SpeedyPC Software
    2012-08-06 15:03 - 2012-08-06 15:03 - 00000000 ____D C:\Users\Main\AppData\Roaming\SpeedyPC Software
    2012-08-06 15:03 - 2012-08-06 15:03 - 00000000 ____D C:\Users\Main\AppData\Roaming\DriverCure
    2012-08-05 16:29 - 2012-08-22 14:00 - 00000000 ____D C:\Qoobox
    2012-08-05 16:29 - 2012-08-18 10:12 - 00000000 ____D C:\Windows\erdnt
    2012-08-05 14:12 - 2012-08-05 14:12 - 00000000 ____D C:\Windows\pss
    2012-08-01 09:41 - 2012-08-01 09:41 - 00000043 ____A C:\Windows\DAOCONV.T2C
    2012-08-01 09:29 - 2012-08-01 09:41 - 00000000 ____D C:\Program Files (x86)\HT Audio
    2012-08-01 09:29 - 2012-08-01 09:29 - 00000043 ____A C:\Windows\DAOCONV.T1C
    2012-08-01 09:29 - 1998-08-26 13:26 - 01045776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msjet35.dll
    2012-08-01 09:29 - 1998-08-11 15:28 - 00407312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrepl35.dll
    2012-08-01 09:29 - 1997-08-29 12:14 - 00270344 ____A () C:\Windows\SysWOW64\Btn32x10.ocx
    2012-08-01 09:29 - 1997-07-19 14:55 - 01347344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSVBVM50.DLL
    2012-08-01 09:29 - 1997-07-19 14:01 - 00196880 ____N (Microsoft Corporation) C:\Windows\SysWOW64\RICHTX32.OCX
    2012-08-01 09:29 - 1997-07-19 14:01 - 00192784 ____N (Microsoft Corporation) C:\Windows\SysWOW64\TABCTL32.OCX
    2012-08-01 09:29 - 1997-01-23 22:00 - 00078608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\VB5DB.DLL
    2012-08-01 09:29 - 1997-01-13 15:18 - 00037136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSJINT35.DLL
    2012-08-01 09:29 - 1996-12-04 22:00 - 00077824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ODBCTL32.DLL
    2012-08-01 09:29 - 1996-12-02 16:44 - 00251664 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSRD2X35.DLL
    2012-08-01 09:29 - 1996-12-02 16:44 - 00024336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSJTER35.DLL
    2012-08-01 09:29 - 1996-01-11 22:00 - 00200704 ____R (Sheridan Software Systems, Inc.) C:\Windows\SysWOW64\THREED32.OCX
    2012-08-01 08:15 - 2012-08-01 08:15 - 00000000 ____D C:\Users\Main\AppData\Roaming\YourFileDownloader
    2012-07-30 09:42 - 2012-08-16 09:28 - 00001155 ____A C:\Windows\setupact.log
    2012-07-30 09:42 - 2012-08-16 09:28 - 00000000 ____A C:\Windows\setuperr.log
    2012-07-30 09:03 - 2012-07-30 09:03 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
    2012-07-30 08:43 - 2012-07-30 08:43 - 00000000 ____D C:\Users\Main\AppData\Roaming\WinZip
    2012-07-30 08:38 - 2012-07-30 08:39 - 00000000 ____D C:\Users\Main\AppData\Local\WinZip
    2012-07-30 08:12 - 2012-07-30 08:12 - 00384844 ____A C:\Users\Main\AppData\Local\funmoods-speeddial.crx
    2012-07-30 08:12 - 2012-07-30 08:12 - 00031465 ____A C:\Users\Main\AppData\Local\funmoods.crx
    2012-07-27 17:38 - 2012-07-31 12:57 - 00000000 ____D C:\Woodworking
    2012-07-26 08:12 - 2012-07-26 08:12 - 04064688 ____A C:\Users\Main\Desktop\Beginning_Game_Level_Design.rar

    ============ 3 Months Modified Files ========================

    2012-08-24 11:05 - 2008-01-20 17:53 - 01874307 ____A C:\Windows\WindowsUpdate.log
    2012-08-24 11:05 - 2006-11-02 07:40 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-08-24 11:05 - 2006-11-02 07:40 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-08-24 11:05 - 2006-11-02 07:21 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    2012-08-24 11:05 - 2006-11-02 07:21 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    2012-08-24 11:05 - 2006-11-02 04:46 - 00707430 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-08-24 11:03 - 2012-08-24 11:03 - 00013836 ____A C:\AdwCleaner[R1].txt
    2012-08-24 10:37 - 2012-07-24 10:58 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-08-24 10:23 - 2010-02-11 14:04 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2012-08-24 10:22 - 2010-02-11 14:04 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2012-08-24 08:45 - 2010-03-30 03:24 - 00000426 _RASH C:\Users\Main\ntuser.pol
    2012-08-23 12:43 - 2009-05-13 08:53 - 00001194 ____A C:\Windows\WINSET32.INI
    2012-08-23 11:00 - 2010-01-10 11:52 - 00029184 ____A C:\Users\Main\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2012-08-22 14:19 - 2009-12-05 18:54 - 00000177 ____H C:\dvmexp.idx
    2012-08-22 14:09 - 2006-11-02 07:39 - 00193006 ____A C:\Windows\PFRO.log
    2012-08-21 07:21 - 2012-08-21 07:21 - 00020606 ____A C:\HitmanPro_20120821_0921.log
    2012-08-17 10:25 - 2006-11-02 04:34 - 00000215 ____A C:\Windows\system.ini
    2012-08-17 09:11 - 2012-08-17 08:40 - 00505232 ____A C:\Windows\System32\Drivers\sfi.dat
    2012-08-17 09:09 - 2012-08-15 07:16 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-08-17 07:36 - 2012-08-17 07:36 - 01700352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gdiplus.dll
    2012-08-17 07:36 - 2012-08-17 07:36 - 01060864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfc71.dll
    2012-08-16 09:34 - 2012-08-16 09:34 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\eumxhleh.sys
    2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagwrn.xml
    2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagerr.xml
    2012-08-16 09:28 - 2012-07-30 09:42 - 00001155 ____A C:\Windows\setupact.log
    2012-08-16 09:28 - 2012-07-30 09:42 - 00000000 ____A C:\Windows\setuperr.log
    2012-08-16 09:24 - 2012-08-16 09:24 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gugoewef.sys
    2012-08-16 09:13 - 2012-08-16 09:13 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\earqytlr.sys
    2012-08-16 08:54 - 2012-08-16 08:54 - 00000304 ____A C:\user.js
    2012-08-15 07:14 - 2012-02-16 20:15 - 00725714 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-08-14 22:38 - 2012-04-01 16:15 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-14 22:38 - 2011-05-24 10:50 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-09 13:48 - 2012-08-09 13:48 - 00001784 ____A C:\Users\Main\Desktop\RawFoodQuickandEasyOver100HealthyReci9781578263479.acsm
    2012-08-06 15:04 - 2010-12-02 08:19 - 00000539 ____A C:\Users\Main\AppData\Roaming\Rim.Desktop.Exception.log
    2012-08-06 07:07 - 2012-03-30 07:53 - 00000069 ____A C:\Windows\NeroDigital.ini
    2012-08-06 07:07 - 2011-11-02 03:48 - 00000145 ____A C:\Users\Main\AppData\Roaming\default.rss
    2012-08-01 14:42 - 2009-12-05 18:11 - 00099904 ____A C:\Users\Main\AppData\Local\GDIPFONTCACHEV1.DAT
    2012-08-01 14:42 - 2006-11-02 07:21 - 00379200 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-08-01 09:41 - 2012-08-01 09:41 - 00000043 ____A C:\Windows\DAOCONV.T2C
    2012-08-01 09:29 - 2012-08-01 09:29 - 00000043 ____A C:\Windows\DAOCONV.T1C
    2012-08-01 08:01 - 2010-01-24 06:00 - 00000680 ____A C:\Users\Main\AppData\Local\d3d9caps.dat
    2012-07-30 09:42 - 2009-12-05 18:11 - 00001460 ____A C:\Users\Main\AppData\Local\d3d9caps64.dat
    2012-07-30 08:12 - 2012-07-30 08:12 - 00384844 ____A C:\Users\Main\AppData\Local\funmoods-speeddial.crx
    2012-07-30 08:12 - 2012-07-30 08:12 - 00031465 ____A C:\Users\Main\AppData\Local\funmoods.crx
    2012-07-26 08:12 - 2012-07-26 08:12 - 04064688 ____A C:\Users\Main\Desktop\Beginning_Game_Level_Design.rar
    2012-07-21 12:27 - 2012-07-21 12:27 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
    2012-07-21 12:27 - 2012-07-21 12:27 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
    2012-07-21 12:27 - 2012-07-21 12:27 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
    2012-07-21 12:27 - 2012-07-21 12:27 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
    2012-07-21 12:27 - 2010-04-29 01:47 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
    2012-07-21 12:27 - 2010-04-29 01:47 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
    2012-07-11 01:06 - 2006-11-02 04:34 - 00002983 ____A C:\Windows\win.ini
    2012-07-11 01:03 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
    2012-06-28 13:13 - 2009-12-21 11:51 - 00375794 ____A C:\Users\Main\AppData\Local\dd_depcheck_NETFX_EXP_35.txt
    2012-06-28 13:13 - 2009-12-21 11:51 - 00323086 ____A C:\Users\Main\AppData\Local\dd_dotnetfx35install.txt
    2012-06-13 05:58 - 2012-07-11 01:01 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-12 05:57 - 2012-06-12 05:57 - 14771880 ____A C:\Users\Main\Documents\cam.zip
    2012-06-08 09:59 - 2012-07-10 20:29 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 09:47 - 2012-07-10 20:29 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    2012-06-05 08:47 - 2012-07-10 20:29 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
    2012-06-05 08:47 - 2012-07-10 20:29 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
    2012-06-05 08:22 - 2012-07-10 20:29 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
    2012-06-05 08:22 - 2012-07-10 20:29 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
    2012-06-04 07:29 - 2012-07-10 20:29 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
    2012-06-02 14:19 - 2012-06-21 14:51 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
    2012-06-02 14:19 - 2012-06-21 14:51 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 14:51 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
    2012-06-02 14:19 - 2012-06-21 14:51 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
    2012-06-02 14:19 - 2012-06-21 14:51 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
    2012-06-02 14:19 - 2012-06-21 14:51 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
    2012-06-02 14:19 - 2012-06-21 14:51 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
    2012-06-02 14:15 - 2012-06-21 14:51 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
    2012-06-02 14:15 - 2012-06-21 14:51 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
    2012-06-02 14:12 - 2012-06-21 14:51 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
    2012-06-02 13:19 - 2012-06-21 14:51 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
    2012-06-02 13:19 - 2012-06-21 14:51 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
    2012-06-02 13:15 - 2012-06-21 14:51 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
    2012-06-02 13:12 - 2012-06-21 14:51 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
    2012-06-02 04:49 - 2012-07-11 01:01 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
    2012-06-02 04:17 - 2012-07-11 01:01 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
    2012-06-02 04:12 - 2012-07-11 01:01 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
    2012-06-02 04:05 - 2012-07-11 01:01 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
    2012-06-02 04:05 - 2012-07-11 01:01 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
    2012-06-02 04:04 - 2012-07-11 01:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
    2012-06-02 04:04 - 2012-07-11 01:01 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
    2012-06-02 04:03 - 2012-07-11 01:01 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
    2012-06-02 04:01 - 2012-07-11 01:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
    2012-06-02 04:00 - 2012-07-11 01:01 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
    2012-06-02 03:59 - 2012-07-11 01:01 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
    2012-06-02 03:57 - 2012-07-11 01:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
    2012-06-02 03:57 - 2012-07-11 01:01 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
    2012-06-02 03:54 - 2012-07-11 01:01 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
    2012-06-02 01:07 - 2012-07-11 01:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
    2012-06-02 00:43 - 2012-07-11 01:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
    2012-06-02 00:33 - 2012-07-11 01:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
    2012-06-02 00:26 - 2012-07-11 01:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
    2012-06-02 00:25 - 2012-07-11 01:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
    2012-06-02 00:25 - 2012-07-11 01:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
    2012-06-02 00:23 - 2012-07-11 01:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
    2012-06-02 00:21 - 2012-07-11 01:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
    2012-06-02 00:20 - 2012-07-11 01:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
    2012-06-02 00:19 - 2012-07-11 01:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
    2012-06-02 00:19 - 2012-07-11 01:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
    2012-06-02 00:17 - 2012-07-11 01:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
    2012-06-02 00:16 - 2012-07-11 01:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
    2012-06-02 00:14 - 2012-07-11 01:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
    2012-06-01 16:22 - 2012-07-10 20:29 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
    2012-06-01 16:22 - 2012-07-10 20:29 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
    2012-06-01 16:05 - 2012-07-10 20:29 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
    2012-06-01 16:04 - 2012-07-10 20:29 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
    2012-06-01 16:03 - 2012-07-10 20:29 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
    2012-05-31 10:25 - 2009-12-21 11:54 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe


    ========================= Known DLLs (Whitelisted) ============


    ========================= Bamital & volsnap Check ============

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ========================= Memory info ======================

    Percentage of memory in use: 13%
    Total physical RAM: 6134.18 MB
    Available physical RAM: 5294.03 MB
    Total Pagefile: 5800.35 MB
    Available Pagefile: 5257.14 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:1397.26 GB) (Free:968.9 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (FRMCXFRE_EN_DVD) (CDROM) (Total:3.66 GB) (Free:0 GB) UDF
    3 Drive e: (UDISK) (Removable) (Total:1.89 GB) (Free:0.26 GB) FAT32
    4 Drive f: (SWISSMEMORY) (Removable) (Total:0.49 GB) (Free:0.28 GB) FAT
    9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ###  Status      Size     Free     Dyn  Gpt
    --------  ----------  -------  -------  ---  ---
    Disk 0    Online      1397 GB      0 B
    Disk 1    Online      1944 MB      0 B
    Disk 2    Online       499 MB      0 B
    Disk 3    No Media        0 B      0 B
    Disk 4    No Media        0 B      0 B
    Disk 5    No Media        0 B      0 B
    Disk 6    No Media        0 B      0 B

    Partitions of Disk 0:
    ===============

    Partition ###  Type              Size     Offset
    -------------  ----------------  -------  -------
    Partition 1    Primary           1397 GB  1024 KB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 1397 GB Healthy

    ==================================================================================

    Partitions of Disk 1:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 1944 MB 32 KB

    ==================================================================================

    Disk: 1
    Partition 1
    Type : 0C
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 E UDISK FAT32 Removable 1944 MB Healthy

    ==================================================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 498 MB 16 KB

    ==================================================================================

    Disk: 2
    Partition 1
    Type : 06
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F SWISSMEMORY FAT Removable 498 MB Healthy

    ==================================================================================

    Last Boot: 2012-08-24 02:25

    ======================= End Of Log ==========================

    Now the search.txt log for userinit.exe

    Farbar Recovery Scan Tool Version: 15-08-2012
    Ran by SYSTEM at 2012-08-24 14:00:19
    Running from F:\VI_TOOLS

    ================== Search: "userinit.exe" ===================

    C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
    [2008-01-20 18:49] - [2008-01-20 18:49] - 0025088 ____A (Microsoft Corporation) 0E135526E9785D085BCD9AEDE6FBCBF9

    C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe
    [2008-01-20 18:48] - [2008-01-20 18:48] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE

    C:\Windows\SysWOW64\userinit.exe
    [2008-01-20 18:49] - [2008-01-20 18:49] - 0025088 ____A (Microsoft Corporation) 0E135526E9785D085BCD9AEDE6FBCBF9

    C:\Windows\System32\userinit.exe
    [2008-01-20 18:48] - [2008-01-20 18:48] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE

    C:\Windows\erdnt\cache86\userinit.exe
    [2012-08-17 10:31] - [2008-01-20 18:49] - 0025088 ____N (Microsoft Corporation) 0E135526E9785D085BCD9AEDE6FBCBF9

    C:\Windows\erdnt\cache64\userinit.exe
    [2012-08-17 10:31] - [2008-01-20 18:48] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE

    ====== End Of Search ======
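    The comparison a helper does by eye on a search log like the one above is whether each live copy of the file (System32, SysWOW64) carries the same MD5 and size as the copy of the same bitness in the winsxs component store. The following is an added example, not code from the thread or from FRST: it parses FRST search output and performs that check, using the four live/winsxs hits quoted above as its sample input; the path-to-bitness rules in arch_of are an assumption about the standard 64-bit Windows layout.

```python
import re

# Sample input: the FRST search output quoted in the post above (the four
# live/winsxs hits; the erdnt cache entries have the same line format).
SEARCH_LOG = r"""
================== Search: "userinit.exe" ===================
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0025088 ____A (Microsoft Corporation) 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\SysWOW64\userinit.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0025088 ____A (Microsoft Corporation) 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\System32\userinit.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE
====== End Of Search ======
"""

# FRST metadata line: [created] - [modified] - size attrs (company) MD5
META_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")

def parse_search_log(text):
    """One dict per hit: path, created, modified, size, attrs, company, md5."""
    hits, path = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("="):
            continue                      # blank line or section banner
        m = META_RE.match(line)
        if m and path is not None:        # metadata belongs to the preceding path
            rec = m.groupdict()
            rec.update(path=path, size=int(rec["size"]), md5=rec["md5"].upper())
            hits.append(rec)
            path = None
        else:
            path = line                   # a path line; its metadata follows
    return hits

def arch_of(path):
    """Bitness implied by location on a 64-bit install (assumed layout: SysWOW64,
    the winsxs x86_* folders and erdnt cache86 hold 32-bit; everything else 64-bit)."""
    p = path.lower()
    if "\\syswow64\\" in p or "\\winsxs\\x86_" in p or "\\cache86\\" in p:
        return "x86"
    return "amd64"

def check_live_copies(hits):
    """Map each live copy under System32/SysWOW64 to True when its MD5 and size
    match a winsxs (component store) copy of the same bitness, else False."""
    refs = {(arch_of(h["path"]), h["md5"], h["size"])
            for h in hits if "\\winsxs\\" in h["path"].lower()}
    return {h["path"]: (arch_of(h["path"]), h["md5"], h["size"]) in refs
            for h in hits
            if "\\system32\\" in h["path"].lower() or "\\syswow64\\" in h["path"].lower()}

if __name__ == "__main__":
    for p, ok in check_live_copies(parse_search_log(SEARCH_LOG)).items():
        print(("matches winsxs   " if ok else "NO winsxs match  ") + p)
```

A False result only says the live file differs from the component-store copy (as it would after a replacement or a pending update), so it is a prompt to look closer, not a verdict on its own.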
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST64 Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.


    Remove the Adware.
    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
    Please post the log.
  25. Grampz719

    Grampz719 Newcomer, in training Topic Starter Posts: 26

    Upon reboot, the IE/Firefox/Photo Gallery stuff is all the same. IE and Chrome had error messages about the preference files being corrupt or invalid. Also note the "funmoods" & "Babylon" crap seems to be gone.

    Here are the logs, first Fixlog.txt

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
    Ran by SYSTEM at 2012-08-26 09:59:41 Run:2
    Running from I:\VI_TOOLS

    ==============================================

    C:\Windows\System32\userinit.exe moved successfully.
    C:\Windows\SysWOW64\userinit.exe copied successfully to C:\Windows\System32\userinit.exe

    ==== End of Fixlog ====

    Now for AdwCleaner[S1].txt


    # AdwCleaner v1.801 - Logfile created 08/26/2012 at 10:03:50
    # Updated 14/08/2012 by Xplode
    # Operating system : Windows (TM) Vista Ultimate Service Pack 2 (64 bits)
    # User : Main - COREI7
    # Boot Mode : Normal
    # Running from : J:\VI_TOOLS\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Deleted on reboot : C:\Users\Main\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Deleted on reboot : C:\Users\Main\AppData\LocalLow\AskToolbar
    Deleted on reboot : C:\Users\Main\AppData\Roaming\Babylon
    Deleted on reboot : C:\ProgramData\Babylon
    Deleted on reboot : C:\ProgramData\InstallMate
    Deleted on reboot : C:\ProgramData\Tarma Installer
    Deleted on reboot : C:\ProgramData\Premium
    File Deleted : C:\Users\Main\AppData\Local\funmoods.crx
    File Deleted : C:\Users\Main\AppData\Local\funmoods-speeddial.crx
    File Deleted : C:\Users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\searchplugins\Askcom.xml
    File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\avg-secure-search.xml
    File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
    File Deleted : C:\user.js

    ***** [Registry] *****

    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKLM\SOFTWARE\Babylon
    Key Deleted : HKLM\SOFTWARE\bflixtoolbar
    Key Deleted : HKLM\SOFTWARE\Classes\f
    Key Deleted : HKLM\SOFTWARE\Classes\funmoodsApp.appCore
    Key Deleted : HKLM\SOFTWARE\Classes\funmoodsApp.appCore.1
    Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
    Key Deleted : HKLM\SOFTWARE\Conduit
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Deleted : HKLM\SOFTWARE\Iminent
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    [x64] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    [x64] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\funmoods

    ***** [Registre - GUID] *****

    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
    [x64] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
    [x64] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1QzuzytD0EyC0B0AtC0Fzz0B0FzytCyEyCyCtN0D0Tzu0CtBtCtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=604335370 --> hxxp://www.google.com

    -\\ Mozilla Firefox v14.0.1 (en-US)

    Profile name : default
    File : C:\Users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\prefs.js

    C:\Users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\user.js ... Deleted !

    Deleted : user_pref("backup.old.browser.startup.homepage", "hxxp://search.babylon.com/?affID=110796&tt=3312_2&[...]
    Deleted : user_pref("browser.babylon.HPOnNewTab", "");
    Deleted : user_pref("browser.newtab.url", "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=NT_ss&mntr[...]
    Deleted : user_pref("browser.search.defaultengine", "Ask.com");
    Deleted : user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
    Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
    Deleted : user_pref("browser.search.selectedEngine", "Search the web (Babylon)");
    Deleted : user_pref("extensions.BabylonToolbar.admin", false);
    Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
    Deleted : user_pref("extensions.BabylonToolbar.dfltLng", "en");
    Deleted : user_pref("extensions.BabylonToolbar.excTlbr", false);
    Deleted : user_pref("extensions.BabylonToolbar.id", "9e7f146600000000000090e6ba1f8bf8");
    Deleted : user_pref("extensions.BabylonToolbar.instlDay", "15568");
    Deleted : user_pref("extensions.BabylonToolbar.instlRef", "sst");
    Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
    Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
    Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "tb9");
    Deleted : user_pref("extensions.BabylonToolbar.tlbrSrchUrl", "hxxp://www.google.com/search?babsrc=TB_ggl&q=");
    Deleted : user_pref("extensions.BabylonToolbar.vrsn", "1.6.4.6");
    Deleted : user_pref("extensions.BabylonToolbar.vrsni", "1.6.4.6");
    Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
    Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=110796&tt=3312_2");
    Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
    Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=110796&tt=3312_[...]
    Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
    Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
    Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.6.4.610:54:30");
    Deleted : user_pref("extensions.funmoods.aflt", "nv1");
    Deleted : user_pref("extensions.funmoods.autoRvrt", false);
    Deleted : user_pref("extensions.funmoods.brwsrsrc", "ietlbr");
    Deleted : user_pref("extensions.funmoods.cntry", "US");
    Deleted : user_pref("extensions.funmoods.cv", "cv5");
    Deleted : user_pref("extensions.funmoods.dfltLng", "");
    Deleted : user_pref("extensions.funmoods.dfltSrch", true);
    Deleted : user_pref("extensions.funmoods.dfltlng", "en");
    Deleted : user_pref("extensions.funmoods.dfltsrch", true);
    Deleted : user_pref("extensions.funmoods.dnsErr", true);
    Deleted : user_pref("extensions.funmoods.envrmnt", "production");
    Deleted : user_pref("extensions.funmoods.excTlbr", false);
    Deleted : user_pref("extensions.funmoods.hdrMd5", "F3C2ADFE15F591416430C001CC606ACF");
    Deleted : user_pref("extensions.funmoods.hmpg", true);
    Deleted : user_pref("extensions.funmoods.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2[...]
    Deleted : user_pref("extensions.funmoods.hrdid", "90E6BA1F8BF91466");
    Deleted : user_pref("extensions.funmoods.id", "90E6BA1F8BF91466");
    Deleted : user_pref("extensions.funmoods.instlDay", "15551");
    Deleted : user_pref("extensions.funmoods.instlRef", "nv1");
    Deleted : user_pref("extensions.funmoods.instlday", "15551");
    Deleted : user_pref("extensions.funmoods.instlref", "nv1");
    Deleted : user_pref("extensions.funmoods.isdcmntcmplt", true);
    Deleted : user_pref("extensions.funmoods.keywordurl", "");
    Deleted : user_pref("extensions.funmoods.lastVrsnTs", "1.5.23.2210:12:23");
    Deleted : user_pref("extensions.funmoods.mntrvrsn", "1.3.0");
    Deleted : user_pref("extensions.funmoods.newTab", true);
    Deleted : user_pref("extensions.funmoods.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=nv1&chnl=nv1&cd=2XzuyEt[...]
    Deleted : user_pref("extensions.funmoods.newtab", true);
    Deleted : user_pref("extensions.funmoods.newtaburl", "hxxp://start.funmoods.com/?f=2&a=nv1&chnl=nv1&cd=2XzuyEt[...]
    Deleted : user_pref("extensions.funmoods.prdct", "funmoods");
    Deleted : user_pref("extensions.funmoods.prtnrId", "funmoods");
    Deleted : user_pref("extensions.funmoods.prtnrid", "funmoods");
    Deleted : user_pref("extensions.funmoods.savedVrsnTs", "1");
    Deleted : user_pref("extensions.funmoods.sg", "none");
    Deleted : user_pref("extensions.funmoods.smplGrp", "none");
    Deleted : user_pref("extensions.funmoods.smplgrp", "none");
    Deleted : user_pref("extensions.funmoods.srch", "");
    Deleted : user_pref("extensions.funmoods.srchPrvdr", "Search");
    Deleted : user_pref("extensions.funmoods.srchprvdr", "Search");
    Deleted : user_pref("extensions.funmoods.tlbrId", "base");
    Deleted : user_pref("extensions.funmoods.tlbrSrchUrl", "hxxp://start.funmoods.com/?f=3&a=nv1&chnl=nv1&cd=2Xzuy[...]
    Deleted : user_pref("extensions.funmoods.tlbrid", "base");
    Deleted : user_pref("extensions.funmoods.tlbrsrchurl", "hxxp://start.funmoods.com/?f=3&a=nv1&chnl=nv1&cd=2Xzuy[...]
    Deleted : user_pref("extensions.funmoods.vrsn", "1.5.23.22");
    Deleted : user_pref("extensions.funmoods.vrsnTs", "1.5.23.2210:12:23");
    Deleted : user_pref("extensions.funmoods.vrsni", "1.5.23.22");
    Deleted : user_pref("extensions.funmoods.vrsnts", "1.5.23.2210:12:23");
    Deleted : user_pref("extensions.funmoods.xpestat\\xpereportdata", "30-6-2012");
    Deleted : user_pref("extensions.funmoods_i.newTab", true);
    Deleted : user_pref("extensions.funmoods_i.smplGrp", "none");
    Deleted : user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.2210:12:23");
    Deleted : user_pref("keyword.URL", "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=KW_ss&mntrId=9e7f[...]

    -\\ Google Chrome v21.0.1180.83

    File : C:\Users\Main\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Deleted : "homepage": "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_ss&mntrId=9e7f1466000[...]
    Deleted : "urls_to_restore_on_startup": [ "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=H[...]
    Deleted : "name": "Funmoods",
    Deleted : "update_url": "hxxp://funmoods.com/public/download/chrome/update.xml",
    Deleted : "baseUrl": "hxxp://start.funmoods.com/results.php?",
    Deleted : "update_url": "hxxp://update.funmoods.com/speeddial/update.xml?bu=st",
    Deleted : "homepage": "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_ss&mntrId=9e7f1466000000[...]
    Deleted : "urls_to_restore_on_startup": [ "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_s[...]

    *************************

    AdwCleaner[R1].txt - [13836 octets] - [24/08/2012 13:03:50]
    AdwCleaner[S1].txt - [11905 octets] - [26/08/2012 10:03:50]

    ########## EOF - C:\AdwCleaner[S1].txt - [12034 octets] ##########
