Malware sirefef.y and similar found in MSE on Vista HP x86

Solved
By Johnny270268
Jul 13, 2012
  1. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Still running and picking up infections. Will post as soon as scan completes.
  2. Broni

    Broni Malware Annihilator Posts: 45,226   +243

  3. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Here you go Broni, scan successfully completed. ASW.dat saved to desktop as well. Thanks for your patience... you're a diamond my friend :)


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-07-16 03:58:36
    -----------------------------
    03:58:36.752 OS Version: Windows 6.0.6002 Service Pack 2
    03:58:36.752 Number of processors: 2 586 0x1706
    03:58:36.752 ComputerName: GREG-PC UserName: Greg
    03:58:53.850 Initialize success
    04:00:12.806 AVAST engine defs: 12071500
    04:00:37.001 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    04:00:37.001 Disk 0 Vendor: SAMSUNG_HD502IJ 1AA01113 Size: 476940MB BusType: 3
    04:00:37.017 Disk 0 MBR read successfully
    04:00:37.017 Disk 0 MBR scan
    04:00:37.017 Disk 0 Windows VISTA default MBR code
    04:00:37.033 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
    04:00:37.048 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
    04:00:37.064 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461516 MB offset 31586304
    04:00:37.095 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 1 MB offset 976771072
    04:00:37.095 Disk 0 Partition 4 **INFECTED** MBR:Alureon-K [Rtk]
    04:00:37.126 Disk 0 scanning sectors +976773152
    04:00:37.204 Disk 0 scanning C:\Windows\system32\drivers
    04:01:10.900 Service scanning
    04:02:28.838 Modules scanning
    04:02:49.742 Disk 0 trace - called modules:
    04:02:49.773 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys
    04:02:49.773 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ce3780]
    04:02:49.789 3 CLASSPNP.SYS[8bbac8b3] -> nt!IofCallDriver -> [0x86b2bb58]
    04:02:49.789 5 acpi.sys[805bc6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x86b06b98]
    04:02:58.119 AVAST engine scan C:\Windows
    04:03:11.675 AVAST engine scan C:\Windows\system32
    04:07:12.169 AVAST engine scan C:\Windows\system32\drivers
    04:07:32.153 AVAST engine scan C:\Users\Greg
    04:08:06.426 File: C:\Users\Greg\AppData\Local\Apps\2.0\KCEKG8JM.QTD\650PDRZ4.GZ0\cros..tion_18dde0b6f0266e94_0001.0000_60f416b8a42422e9\CrossFire Hack.exe **INFECTED** Win32:Malware-gen
    04:08:34.100 File: C:\Users\Greg\AppData\Local\hqopmya.exe **INFECTED** Win32:Susn-AK [Trj]
    04:08:37.891 File: C:\Users\Greg\AppData\Local\jkpcpukocn.exe **INFECTED** Win32:FakeAV-DNP [Trj]
    04:14:26.896 File: C:\Users\Greg\AppData\Local\Temp\cdoqovxndc.exe **INFECTED** Win32:Malware-gen
    04:59:02.988 File: C:\Users\Greg\Music\iTunes\iTunes Music\CrossFire Afk Bot\CrossFire Afk Bot\CrossFire d3d v.6.exe **INFECTED** Win32:Malware-gen
    05:03:49.258 AVAST engine scan C:\ProgramData
    05:17:05.453 Scan finished successfully
    05:18:26.973 Disk 0 MBR has been saved successfully to "C:\Users\Greg\Desktop\MBR.dat"
    05:18:26.973 The log file has been saved successfully to "C:\Users\Greg\Desktop\aswMBR.txt"
  4. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    OK, we still have that infected partition.

    For x86 (x32) bit systems please download Listparts to your Desktop.
    For x64 bit systems please download Listparts64 to your Desktop.
    Double click on downloaded file to start the program.

    Click on Scan button.

    Scan result will open in Notepad (Result.txt).
    Post it in your next reply.
  5. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Results for your perusal :)


    ListParts by Farbar Version: 15-07-2012
    Ran by Greg (administrator) on 16-07-2012 at 05:41:57
    Windows Vista (X86)
    Running From: C:\Users\Greg\Desktop
    Language: 0409
    ************************************************************
    ========================= Memory info ======================
    Percentage of memory in use: 42%
    Total physical RAM: 3070.45 MB
    Available physical RAM: 1759.82 MB
    Total Pagefile: 6369.88 MB
    Available Pagefile: 5188.91 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1976.38 MB
    ======================= Partitions =========================
    1 Drive c: (OS) (Fixed) (Total:450.7 GB) (Free:178.96 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:6.25 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 466 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 63 MB 32 KB
    Partition 2 Primary 15 GB 63 MB
    Partition 3 Primary 451 GB 15 GB
    Partition 4 Primary 1040 KB 466 GB
    ======================================================================================================
    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No
    There is no volume associated with this partition.
    ======================================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 D RECOVERY NTFS Partition 15 GB Healthy
    ======================================================================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 451 GB Healthy System (partition with boot components)
    ======================================================================================================
    Disk: 0
    Partition 4
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F RAW Partition 1040 KB Healthy
    ======================================================================================================
    ****** End Of Log ******
  6. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    • Please open Notepad (Start>All Programs>Accessories>Notepad).
    • Copy and paste the contents of the quote box below into Notepad.

    • Save as Fix.txt to your Desktop (must be in this location).

    Next

    • Double click ListParts.exe/ListParts64.exe to launch the program.
    • Press the Fix button.
    • ListParts will process the script in Fix.txt
    • When finished please press the Scan button.
    • A log Result.txt will open on your Desktop.
    • Please post me the contents of the log.
  7. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Result log,


    ListParts by Farbar Version: 15-07-2012
    Ran by Greg (administrator) on 16-07-2012 at 05:57:48
    Windows Vista (X86)
    Running From: C:\Users\Greg\Desktop
    Language: 0409
    ************************************************************
    ========================= Memory info ======================
    Percentage of memory in use: 43%
    Total physical RAM: 3070.45 MB
    Available physical RAM: 1748 MB
    Total Pagefile: 6369.88 MB
    Available Pagefile: 5186.45 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1983.2 MB
    ======================= Partitions =========================
    1 Drive c: (OS) (Fixed) (Total:450.7 GB) (Free:178.96 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:6.25 GB) NTFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 466 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 No Media 0 B 0 B
    Disk 3 No Media 0 B 0 B
    Disk 4 No Media 0 B 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 63 MB 32 KB
    Partition 2 Primary 15 GB 63 MB
    Partition 3 Primary 451 GB 15 GB
    ======================================================================================================
    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No
    There is no volume associated with this partition.
    ======================================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 D RECOVERY NTFS Partition 15 GB Healthy
    ======================================================================================================
    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 451 GB Healthy System (partition with boot components)
    ======================================================================================================
    ****** End Of Log ******
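A defender-side check for the two logs posted above, added here as an example and not part of this thread, of aswMBR or of ListParts: it parses the aswMBR partition table and its `**INFECTED**` lines, flags the tiny partition sitting at the highest offset on the disk (the pattern the aswMBR scan attributed to Alureon), and confirms from the before/after ListParts output that partition 4 is gone after the Fix. The sample input is excerpted from the logs posted in this thread; the 16 MB size threshold and the 512-byte sector size used for the offset cross-check are assumptions of the example, not values from either tool.

```python
import re

# Constructed sample input: lines excerpted from the aswMBR log posted above.
ASWMBR_LOG = r"""04:00:37.001 Disk 0 Vendor: SAMSUNG_HD502IJ 1AA01113 Size: 476940MB BusType: 3
04:00:37.017 Disk 0 MBR read successfully
04:00:37.033 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
04:00:37.048 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
04:00:37.064 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461516 MB offset 31586304
04:00:37.095 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 1 MB offset 976771072
04:00:37.095 Disk 0 Partition 4 **INFECTED** MBR:Alureon-K [Rtk]
04:08:34.100 File: C:\Users\Greg\AppData\Local\hqopmya.exe **INFECTED** Win32:Susn-AK [Trj]
04:08:37.891 File: C:\Users\Greg\AppData\Local\jkpcpukocn.exe **INFECTED** Win32:FakeAV-DNP [Trj]
05:17:05.453 Scan finished successfully"""

# Constructed sample input: the "Partitions of Disk 0" tables from the two ListParts logs.
LISTPARTS_BEFORE = """Partition 1 OEM 63 MB 32 KB
Partition 2 Primary 15 GB 63 MB
Partition 3 Primary 451 GB 15 GB
Partition 4 Primary 1040 KB 466 GB"""

LISTPARTS_AFTER = """Partition 1 OEM 63 MB 32 KB
Partition 2 Primary 15 GB 63 MB
Partition 3 Primary 451 GB 15 GB"""

# "Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461516 MB offset 31586304":
# boot flag, optional "(A)" for the active partition, type byte, description,
# size in MB and the start offset in sectors.
PARTITION_RE = re.compile(
    r"^\S+ Disk (?P<disk>\d+) Partition (?P<index>\d+) (?P<boot>[0-9A-F]{2}) "
    r"(?:\(A\) )?(?P<type>[0-9A-F]{2}) (?P<desc>.*?) (?P<size_mb>\d+) MB offset (?P<offset>\d+)$"
)
INFECTED_RE = re.compile(r"^\S+ (?P<object>.+?) \*\*INFECTED\*\* (?P<detection>.+)$")
LISTPARTS_RE = re.compile(
    r"^Partition (?P<index>\d+) (?P<kind>\w+) (?P<size>[\d.]+ [KMG]B) (?P<offset>[\d.]+ [KMG]B)$"
)


def parse_aswmbr_partitions(log):
    """Return the MBR partition table as aswMBR printed it, one dict per partition."""
    parts = []
    for line in log.splitlines():
        m = PARTITION_RE.match(line.strip())
        if m:
            parts.append({
                "index": int(m["index"]),
                "active": m["boot"] == "80",
                "type": m["type"],
                "desc": m["desc"],
                "size_mb": int(m["size_mb"]),
                "offset_sectors": int(m["offset"]),
            })
    return parts


def aswmbr_findings(log):
    """Return (object, detection) pairs for every **INFECTED** line, MBR or file."""
    findings = []
    for line in log.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            findings.append((m["object"], m["detection"]))
    return findings


def suspicious_tail_partitions(parts, max_size_mb=16):
    """Flag tiny partitions placed at the highest offset on the disk.

    Assumption of this example: a partition of a few MB appended after the OS
    volume is worth a look on its own, whatever the scanner says about it.
    """
    if not parts:
        return []
    last_offset = max(p["offset_sectors"] for p in parts)
    return [p for p in parts
            if p["offset_sectors"] == last_offset and p["size_mb"] <= max_size_mb]


def sectors_to_gib(sectors, sector_bytes=512):
    """Convert an aswMBR sector offset to GiB (512-byte sectors assumed)."""
    return sectors * sector_bytes / 2 ** 30


def parse_listparts(text):
    """Map partition number -> (kind, size, offset) from a ListParts partition table."""
    table = {}
    for line in text.splitlines():
        m = LISTPARTS_RE.match(line.strip())
        if m:
            table[int(m["index"])] = (m["kind"], m["size"], m["offset"])
    return table


def removed_partitions(before, after):
    """Partition numbers present before the fix and absent afterwards."""
    return sorted(set(parse_listparts(before)) - set(parse_listparts(after)))


if __name__ == "__main__":
    parts = parse_aswmbr_partitions(ASWMBR_LOG)
    for obj, det in aswmbr_findings(ASWMBR_LOG):
        print(f"aswMBR: {obj} -> {det}")
    for p in suspicious_tail_partitions(parts):
        print(f"tail partition {p['index']}: {p['size_mb']} MB at "
              f"{sectors_to_gib(p['offset_sectors']):.1f} GiB (type {p['type']})")
    print("removed by ListParts fix:", removed_partitions(LISTPARTS_BEFORE, LISTPARTS_AFTER))
```

The offset cross-check ties the two tools together: sector 976771072 from aswMBR lands at about 466 GiB, which is the offset ListParts printed for the same 1040 KB partition, so the entry that vanished from the second ListParts log is the one aswMBR flagged.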
  8. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Good job :)

    Delete your Combofix file, download fresh one and try to run it again (try safe mode if needed).

    If still no go, post new FRST log.
  9. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Thanks Broni,

    Should I save it to desktop as your_name.exe or just run as natural file name?
  10. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Disregard my last post :confused: . ComboFix is happening. Will post results ASAP :)
  11. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Cool beans :)
  12. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Combo Fix scan log for your perusal Broni :)


    ComboFix 12-07-14.01 - Greg 16/07/2012 6:31.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3070.1735 [GMT 10:00]
    Running from: c:\users\Greg\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\CFLog
    c:\cflog\CrashLog_20100807.txt
    c:\cflog\CrashLog_20100810.txt
    c:\cflog\CrashLog_20100811.txt
    c:\cflog\CrashLog_20100821.txt
    c:\cflog\CrashLog_20100826.txt
    c:\cflog\CrashLog_20100827.txt
    c:\cflog\CrashLog_20100830.txt
    c:\cflog\CrashLog_20100902.txt
    c:\cflog\CrashLog_20100907.txt
    c:\cflog\CrashLog_20100909.txt
    c:\cflog\CrashLog_20100911.txt
    c:\cflog\CrashLog_20100912.txt
    c:\cflog\CrashLog_20100913.txt
    c:\cflog\CrashLog_20100921.txt
    c:\cflog\CrashLog_20100924.txt
    c:\cflog\CrashLog_20100925.txt
    c:\cflog\CrashLog_20100926.txt
    c:\cflog\CrashLog_20100927.txt
    c:\cflog\CrashLog_20100930.txt
    c:\cflog\CrashLog_20101010.txt
    c:\cflog\CrashLog_20101011.txt
    c:\cflog\CrashLog_20101016.txt
    c:\cflog\CrashLog_20101017.txt
    c:\cflog\CrashLog_20101018.txt
    c:\cflog\CrashLog_20101023.txt
    c:\cflog\CrashLog_20101024.txt
    c:\cflog\CrashLog_20101030.txt
    c:\cflog\CrashLog_20101103.txt
    c:\cflog\CrashLog_20101104.txt
    c:\cflog\CrashLog_20101106.txt
    c:\cflog\CrashLog_20101107.txt
    c:\cflog\CrashLog_20101108.txt
    c:\cflog\CrashLog_20101114.txt
    c:\cflog\CrashLog_20101201.txt
    c:\cflog\CrashLog_20101204.txt
    c:\cflog\CrashLog_20101208.txt
    c:\cflog\CrashLog_20101209.txt
    c:\cflog\CrashLog_20101211.txt
    c:\cflog\CrashLog_20101214.txt
    c:\cflog\CrashLog_20101215.txt
    c:\cflog\CrashLog_20101218.txt
    c:\cflog\CrashLog_20101220.txt
    c:\cflog\CrashLog_20101221.txt
    c:\cflog\CrashLog_20101225.txt
    c:\cflog\CrashLog_20101227.txt
    c:\cflog\CrashLog_20101230.txt
    c:\cflog\CrashLog_20101231.txt
    c:\cflog\CrashLog_20110101.txt
    c:\cflog\CrashLog_20110103.txt
    c:\cflog\CrashLog_20110104.txt
    c:\cflog\CrashLog_20110105.txt
    c:\cflog\CrashLog_20110106.txt
    c:\cflog\CrashLog_20110108.txt
    c:\cflog\CrashLog_20110113.txt
    c:\cflog\CrashLog_20110115.txt
    c:\cflog\CrashLog_20110116.txt
    c:\cflog\CrashLog_20110118.txt
    c:\cflog\CrashLog_20110217.txt
    c:\cflog\CrashLog_20110218.txt
    c:\cflog\CrashLog_20110304.txt
    c:\cflog\CrashLog_20110305.txt
    c:\cflog\CrashLog_20110328.txt
    c:\cflog\CrashLog_20110426.txt
    c:\cflog\CrashLog_20110427.txt
    c:\cflog\CrashLog_20110428.txt
    c:\cflog\CrashLog_20110429.txt
    c:\cflog\CrashLog_20111119.txt
    c:\cflog\CrashLog_20111122.txt
    c:\cflog\CrashLog_20111124.txt
    c:\cflog\CrashLog_20111125.txt
    c:\cflog\CrashLog_20111129.txt
    c:\cflog\CrashLog_20111130.txt
    c:\cflog\CrashLog_20111201.txt
    c:\cflog\CrashLog_20111213.txt
    c:\cflog\CrashLog_20111214.txt
    c:\cflog\CrashLog_20111216.txt
    c:\cflog\CrashLog_20111218.txt
    c:\cflog\CrashLog_20111219.txt
    c:\cflog\CrashLog_20111221.txt
    c:\cflog\CrashLog_20120411.txt
    c:\cflog\CrashLog_20120416.txt
    c:\cflog\CrashLog_20120502.txt
    c:\program files\Automated Content Enhancer
    c:\program files\Automated Content Enhancer\4.2.0.5360\ACEIeaddon.dll
    c:\program files\Automated Content Enhancer\4.2.0.5360\Data\config.md
    c:\program files\Automated Content Enhancer\4.2.0.5360\FF\chrome.manifest
    c:\program files\Automated Content Enhancer\4.2.0.5360\FF\chrome\ACEAddOn.jar
    c:\program files\Automated Content Enhancer\4.2.0.5360\FF\chrome\content\ACEAddOn.js
    c:\program files\Automated Content Enhancer\4.2.0.5360\FF\chrome\content\ACEAddOn.xul
    c:\program files\Automated Content Enhancer\4.2.0.5360\FF\components\ACEFFAddOn.dll
    c:\program files\Automated Content Enhancer\4.2.0.5360\FF\components\ACEFFAddOn.xpt
    c:\program files\Automated Content Enhancer\4.2.0.5360\FF\components\ACEFFHelperComponent.js
    c:\program files\Automated Content Enhancer\4.2.0.5360\FF\install.rdf
    c:\program files\Automated Content Enhancer\4.2.0.5360\unins000.dat
    c:\program files\Automated Content Enhancer\4.2.0.5360\unins000.exe
    c:\program files\BasicScan
    c:\program files\BasicScan\uninstall.exe
    c:\program files\Content Management Wizard
    c:\program files\Content Management Wizard\1.2.0.2080\CMWIe.dll
    c:\program files\Content Management Wizard\1.2.0.2080\cmwsh.dll
    c:\program files\Content Management Wizard\1.2.0.2080\config.mx
    c:\program files\Content Management Wizard\1.2.0.2080\data.mx
    c:\program files\Content Management Wizard\1.2.0.2080\exclude.mx
    c:\program files\Content Management Wizard\1.2.0.2080\MatchingData.zd5
    c:\program files\Content Management Wizard\1.2.0.2080\pxtmpdata.mx
    c:\program files\Content Management Wizard\1.2.0.2080\unins000.dat
    c:\program files\Content Management Wizard\1.2.0.2080\unins000.exe
    c:\program files\Customized Platform Advancer
    c:\program files\Customized Platform Advancer\4.2.0.2050\CPACommon.dll
    c:\program files\Customized Platform Advancer\4.2.0.2050\CPAIEAddOn.dll
    c:\program files\Customized Platform Advancer\4.2.0.2050\Data\config.md
    c:\program files\Customized Platform Advancer\4.2.0.2050\FF\chrome.manifest
    c:\program files\Customized Platform Advancer\4.2.0.2050\FF\chrome\content\CPAAddOn.js
    c:\program files\Customized Platform Advancer\4.2.0.2050\FF\chrome\content\CPAAddOn.xul
    c:\program files\Customized Platform Advancer\4.2.0.2050\FF\chrome\CPAAddOn.jar
    c:\program files\Customized Platform Advancer\4.2.0.2050\FF\components\CPAFFAddOn.dll
    c:\program files\Customized Platform Advancer\4.2.0.2050\FF\components\CPAFFAddOn.xpt
    c:\program files\Customized Platform Advancer\4.2.0.2050\FF\components\CPAFFHelperComponent.js
    c:\program files\Customized Platform Advancer\4.2.0.2050\FF\install.rdf
    c:\program files\Customized Platform Advancer\4.2.0.2050\unins000.dat
    c:\program files\Customized Platform Advancer\4.2.0.2050\unins000.exe
    c:\program files\FunWebProducts
    c:\program files\HyperCam Toolbar\tbHElper.dll
    c:\program files\Internet Today
    c:\program files\Internet Today\1.2.0.1420\InternetToday.ico
    c:\program files\Internet Today\1.2.0.1420\InternetToday.skf
    c:\program files\Internet Today\1.2.0.1420\mfc80.dll
    c:\program files\Internet Today\1.2.0.1420\Microsoft.VC80.CRT.manifest
    c:\program files\Internet Today\1.2.0.1420\Microsoft.VC80.MFC.manifest
    c:\program files\Internet Today\1.2.0.1420\msvcr80.dll
    c:\program files\Internet Today\1.2.0.1420\SkinCrafterDll.dll
    c:\program files\Internet Today\1.2.0.1420\unins000.dat
    c:\program files\Internet Today\1.2.0.1420\unins000.exe
    c:\program files\IObitBar\toolbar\1.bin\i0SRcas.dll
    c:\program files\MyWebSearch
    c:\program files\MyWebSearch\bar\1.bin\chrome\M3FFXTBR.JAR
    c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
    c:\program files\MyWebSearch\bar\2.bin\CHROME.MANIFEST
    c:\program files\MyWebSearch\bar\2.bin\chrome\M3FFXTBR.JAR
    c:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
    c:\program files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3DTactl.dll
    c:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3HKSTUB.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3HTmlmu.dll
    c:\program files\MyWebSearch\bar\2.bin\F3HTtpct.dll
    c:\program files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
    c:\program files\MyWebSearch\bar\2.bin\F3REGHK.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
    c:\program files\MyWebSearch\bar\2.bin\F3SCrctr.dll
    c:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
    c:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
    c:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
    c:\program files\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
    c:\program files\MyWebSearch\bar\2.bin\INSTALL.RDF
    c:\program files\MyWebSearch\bar\2.bin\M3AUXSTB.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3DLGHK.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3HTML.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3IDLE.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3MSG.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
    c:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    c:\program files\MyWebSearch\bar\2.bin\MWSMLBTN.DLL
    c:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    c:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
    c:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
    c:\program files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
    c:\program files\MyWebSearch\bar\2.bin\MWSSVC.EXE
    c:\program files\MyWebSearch\bar\2.bin\MWSUABTN.DLL
    c:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
    c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
    c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
    c:\program files\MyWebSearch\bar\Game\CHESS.F3S
    c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
    c:\program files\MyWebSearch\bar\icons\CM.ICO
    c:\program files\MyWebSearch\bar\icons\MFC.ICO
    c:\program files\MyWebSearch\bar\icons\PSS.ICO
    c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
    c:\program files\MyWebSearch\bar\icons\WB.ICO
    c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
    c:\program files\MyWebSearch\bar\Message\COMMON.F3S
    c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
    c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
    c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
    c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
    c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
    c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
    c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
    c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
    c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
    c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
    c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
    c:\program files\MyWebSearch\bar\Overlay\COMMON.F3S
    c:\program files\MyWebSearch\bar\Settings\s_pid.dat
    c:\program files\Textual Content Provider
    c:\program files\Textual Content Provider\1.2.0.2040\data\pxtmpdata.mx
    c:\program files\Textual Content Provider\1.2.0.2040\data\TP_Config.mx
    c:\program files\Textual Content Provider\1.2.0.2040\data\TP_Data.mx
    c:\program files\Textual Content Provider\1.2.0.2040\data\TP_DomainExcludeList.mx
    c:\program files\Textual Content Provider\1.2.0.2040\data\TP_DomainInterval.mx
    c:\program files\Textual Content Provider\1.2.0.2040\data\TP_KeywordInterval.mx
    c:\program files\Textual Content Provider\1.2.0.2040\unins000.dat
    c:\program files\Textual Content Provider\1.2.0.2040\unins000.exe
    c:\program files\Web Search Operator
    c:\program files\Web Search Operator\4.2.0.2150\Data\config.md
    c:\program files\Web Search Operator\4.2.0.2150\FF\chrome.manifest
    c:\program files\Web Search Operator\4.2.0.2150\FF\chrome\content\WSOAddOn.js
    c:\program files\Web Search Operator\4.2.0.2150\FF\chrome\content\WSOAddOn.xul
    c:\program files\Web Search Operator\4.2.0.2150\FF\chrome\WSOAddOn.jar
    c:\program files\Web Search Operator\4.2.0.2150\FF\components\WSOFFAddOn.dll
    c:\program files\Web Search Operator\4.2.0.2150\FF\components\WSOFFAddOn.xpt
    c:\program files\Web Search Operator\4.2.0.2150\FF\components\WSOFFHelperComponent.js
    c:\program files\Web Search Operator\4.2.0.2150\FF\install.rdf
    c:\program files\Web Search Operator\4.2.0.2150\unins000.dat
    c:\program files\Web Search Operator\4.2.0.2150\unins000.exe
    c:\program files\Web Search Operator\4.2.0.2150\WSOCommon.dll
    c:\program files\YouTube Downloader Toolbar\SeARchsettings.dll
    c:\programdata\17dc64539899890e926c4339ab349fa3_c
    c:\programdata\SPL408C.tmp
    c:\programdata\SPL442E.tmp
    c:\programdata\SPL7CDC.tmp
    c:\programdata\SPL9432.tmp
    c:\programdata\SPL9A4B.tmp
    c:\users\Greg\AppData\Local\hqopmya.exe
    c:\users\Greg\AppData\Local\Internet Today
    c:\users\Greg\AppData\Local\jkpcpukocn.exe
    c:\users\Greg\AppData\Roaming\ac.exe
    c:\users\Greg\AppData\Roaming\appdata
    c:\users\Greg\AppData\Roaming\Greglog.dat
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\cb.sys
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.dll
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.drv
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.sys
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\ddv.exe
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\ddv.tmp
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\delfile.drv
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\delfile.sys
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\dudl.dll
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\eb.drv
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\eb.tmp
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\energy.sys
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\exec.tmp
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\fix.sys
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\FS.dll
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\hymt.sys
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\kernel32.sys
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\pal.exe
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\pal.tmp
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\ppal.drv
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.tmp
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.exe
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.tmp
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\sld.dll
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\sld.exe
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\sld.tmp
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\SM.dll
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\std.drv
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\std.sys
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.dll
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\tjd.dll
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
    c:\users\Greg\AppData\Roaming\Poum
    c:\users\Greg\AppData\Roaming\Poum\ulih.exe
    c:\users\Greg\AppData\Roaming\rundll32.exe
    c:\users\Greg\Favorites\actiontrip girls - Google Search.ur
    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
    c:\windows\SwSys1.bmp
    c:\windows\SwSys2.bmp
    c:\windows\system32\DEBUG.log
    c:\windows\system32\f3PSSavr.scr
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-15 to 2012-07-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-15 20:39 . 2012-07-15 20:46 -------- d-----w- c:\users\Greg\AppData\Local\temp
    2012-07-15 20:39 . 2012-07-15 20:39 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-15 07:23 . 2012-07-15 07:23 -------- d-----w- C:\FRST
    2012-07-10 11:31 . 2012-07-10 11:31 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-08 07:59 . 2012-07-08 07:59 -------- d-----w- c:\users\Greg\AppData\Local\etax2012
    2012-07-07 06:08 . 2012-07-07 06:20 -------- d-----w- c:\users\Greg\AppData\Roaming\Ovwua
    2012-07-04 08:46 . 2012-07-04 08:46 -------- d-----w- c:\program files\Lame For Audacity
    2012-07-04 02:19 . 2012-07-04 02:19 -------- d-----w- c:\programdata\Sony
    2012-07-03 07:37 . 2012-07-08 07:59 -------- d-----w- c:\program files\etax2012
    2012-07-03 07:14 . 2012-07-03 07:14 -------- d-----w- c:\users\Greg\AppData\Roaming\Publish Providers
    2012-07-03 07:11 . 2012-07-03 07:12 -------- d-----w- c:\users\Greg\AppData\Local\Sony
    2012-07-03 07:11 . 2012-07-03 07:11 -------- d-----w- c:\program files\Sony
    2012-07-03 07:10 . 2012-07-04 02:18 -------- d-----w- c:\users\Greg\AppData\Roaming\Sony
    2012-07-02 10:36 . 2012-07-02 10:36 -------- d-----w- c:\program files\Ask.com
    2012-07-02 10:34 . 2012-07-02 10:34 -------- d-----w- c:\program files\FreeTime
    2012-06-27 00:12 . 2012-06-30 03:09 -------- d-----w- C:\Log
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-15 19:02 . 2012-04-04 07:49 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-15 19:02 . 2011-08-14 01:40 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-17 17:14 . 2012-07-15 18:11 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{300AB105-98E1-4012-879C-C5EC6F777073}\mpengine.dll
    2012-06-02 22:19 . 2012-06-08 23:29 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-08 23:29 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-08 23:28 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-08 23:28 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-08 23:29 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-08 23:29 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-08 23:28 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 05:19 . 2012-06-08 23:28 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 05:12 . 2012-06-08 23:28 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-31 02:25 . 2010-04-11 09:16 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-17 22:45 . 2012-06-13 10:03 1800192 ----a-w- c:\windows\system32\jscript9.dll
    2012-05-17 22:35 . 2012-06-13 10:03 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-05-17 22:35 . 2012-06-13 10:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-05-17 22:29 . 2012-06-13 10:03 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-05-17 22:24 . 2012-06-13 10:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-05-15 19:51 . 2012-06-13 05:15 2045440 ----a-w- c:\windows\system32\win32k.sys
    2012-05-03 02:54 . 2012-05-03 02:54 42392 ----a-w- c:\windows\system32\xfcodec.dll
    2012-05-01 14:03 . 2012-06-13 05:15 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-23 16:00 . 2012-06-13 05:15 984064 ----a-w- c:\windows\system32\crypt32.dll
    2012-04-23 16:00 . 2012-06-13 05:15 98304 ----a-w- c:\windows\system32\cryptnet.dll
    2012-04-23 16:00 . 2012-06-13 05:15 133120 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-04-18 10:56 . 2012-04-18 10:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2012-04-18 10:56 . 2012-04-18 10:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSoft.dll" [2010-06-03 2736736]
    "{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}"= "c:\program files\Elf_1.15\tbElf_.dll" [2010-12-09 3911776]
    "{6d8d66f3-14fc-4736-a096-fac0ea66289c}"= "c:\program files\midicase\prxtbmidi.dll" [2011-01-03 175400]
    "{970a72ad-2603-4b4e-bb28-aff6ab80cccd}"= "c:\program files\CrazyForCricket_3k\bar\1.bin\3kSrcAs.dll" [2011-11-09 62864]
    .
    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
    .
    [HKEY_CLASSES_ROOT\clsid\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
    .
    [HKEY_CLASSES_ROOT\clsid\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
    .
    [HKEY_CLASSES_ROOT\clsid\{970a72ad-2603-4b4e-bb28-aff6ab80cccd}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-11-29 05:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
    2010-06-03 08:24 2736736 ----a-w- c:\program files\Softonic-Eng7\tbSoft.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
    2010-04-15 02:33 2515552 ----a-w- c:\program files\XfireXO\tbXfir.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64d23501-5195-4224-9446-e2b0fb64e859}]
    2010-03-25 06:56 2349080 ----a-w- c:\program files\HiGames\tbHiG1.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
    2011-01-03 00:16 175400 ----a-w- c:\program files\midicase\prxtbmidi.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
    2010-12-09 02:51 3911776 ----a-w- c:\program files\Elf_1.15\tbElf_.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    2011-08-24 08:21 1299248 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{64d23501-5195-4224-9446-e2b0fb64e859}"= "c:\program files\HiGames\tbHiG1.dll" [2010-03-25 2349080]
    "{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-04-15 2515552]
    "{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSoft.dll" [2010-06-03 2736736]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
    "{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}"= "c:\program files\Elf_1.15\tbElf_.dll" [2010-12-09 3911776]
    "{6d8d66f3-14fc-4736-a096-fac0ea66289c}"= "c:\program files\midicase\prxtbmidi.dll" [2011-01-03 175400]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2011-08-24 1299248]
    .
    [HKEY_CLASSES_ROOT\clsid\{64d23501-5195-4224-9446-e2b0fb64e859}]
    .
    [HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
    .
    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CLASSES_ROOT\clsid\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
    .
    [HKEY_CLASSES_ROOT\clsid\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
    .
    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{64D23501-5195-4224-9446-E2B0FB64E859}"= "c:\program files\HiGames\tbHiG1.dll" [2010-03-25 2349080]
    "{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSoft.dll" [2010-06-03 2736736]
    "{B9D63C58-90CC-428B-8D3B-CBB88EB07E7E}"= "c:\program files\Elf_1.15\tbElf_.dll" [2010-12-09 3911776]
    "{6D8D66F3-14FC-4736-A096-FAC0EA66289C}"= "c:\program files\midicase\prxtbmidi.dll" [2011-01-03 175400]
    .
    [HKEY_CLASSES_ROOT\clsid\{64d23501-5195-4224-9446-e2b0fb64e859}]
    .
    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
    .
    [HKEY_CLASSES_ROOT\clsid\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
    .
    [HKEY_CLASSES_ROOT\clsid\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-03 68856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
    "Steam"="c:\program files\Steam\steam.exe" [2011-08-02 1242448]
    "DeskSpace"="c:\users\Greg\Deskspace\deskspace.exe" [2002-01-01 1066496]
    "Facebook Update"="c:\users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-15 138096]
    "MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-05-02 17355912]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-07-18 6246400]
    "dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-03-17 668912]
    "dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-03-17 16624]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-10 30192]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
    "VX1000"="c:\windows\vVX1000.exe" [2009-07-24 762208]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
    "IObitBar Browser Plugin Loader"="c:\progra~1\IObitBar\toolbar\1.bin\i0brmon.exe" [2010-08-02 20480]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
    "SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2011-08-01 114992]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
    "CrazyForCricket Search Scope Monitor"="c:\progra~1\CRAZYF~2\bar\1.bin\3ksrchmn.exe" [2011-11-09 38440]
    "CrazyForCricket_3k Browser Plugin Loader"="c:\progra~1\CRAZYF~2\bar\1.bin\3kbrmon.exe" [2011-11-09 30096]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    .
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
    DeskSpace.lnk - l:\deskspace\deskspace.exe [N/A]
    Facebook Messenger.lnk - c:\users\Greg\AppData\Local\Facebook\Messenger\2.1.4570.0\FacebookMessenger.exe [2012-7-6 217536]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    Xfire.lnk - c:\program files\Xfire\Xfire.exe [2012-5-3 3553176]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 2 (0x2)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-15 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 19:02]
    .
    2012-07-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000Core.job
    - c:\users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-03 18:09]
    .
    2012-07-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000UA.job
    - c:\users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-03 18:09]
    .
    2012-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000Core.job
    - c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-02 10:13]
    .
    2012-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000UA.job
    - c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-02 10:13]
    .
    2012-07-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 05:40]
    .
    2012-07-15 c:\windows\Tasks\RtlNICDiagVistaStart.job
    - c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2008-10-03 11:18]
    .
    2012-07-15 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 05:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/index.php?lh=c0eff49bfa52c6577d051ffa05300cc9&eu=XVUHAKl-eM-CZ8lbII58wQ
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>;*.local
    TCP: DhcpNameServer = 61.9.211.33 61.9.211.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    URLSearchHooks-{9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\PageRage\tbPage.dll
    BHO-{9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\PageRage\tbPage.dll
    Toolbar-{9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\PageRage\tbPage.dll
    WebBrowser-{9565115D-C7D6-46D3-BD63-B67B481A4368} - c:\program files\PageRage\tbPage.dll
    HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
    HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
    HKCU-Run-KamikazeKat - c:\program files\ScreenMates\kamikazekat.exe
    HKCU-Run-Felix - c:\program files\ScreenMates\felix.exe
    HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
    HKLM-Run-hpqSRMon - (no file)
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    AddRemove-Addictive Football Demo - c:\program files\Addictive Football Demo\Uninstal.exe
    AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe
    AddRemove-Backyard Basketball 2007 - c:\program files\Backyard Basketball 2007\Uninstall.exe
    AddRemove-CNXT_MODEM_PCI_HSF - c:\program files\CONEXANT\CNXT_MODEM_PCI_HSF\UIU32m.exe
    AddRemove-Crossfire - c:\program files\cf-uninst.exe
    AddRemove-PageRage Toolbar - c:\progra~1\PageRage\UNWISE.EXE
    AddRemove-{2C08D7E7-9EE1-4A08-AFE0-745F02DCD6A4}_is1 - c:\users\Greg\Desktop\Pokemon Online\unins000.exe
    AddRemove-{C12A198C-E751-4729-839A-8FA07CF941C1}_is1 - c:\program files\EA Sports\Fifa Online 2\unins000.exe
    AddRemove-Crossfire 1.7a - c:\program files\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-16 06:44
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
    "ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2530732781-1678084383-3266196856-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{65D3B8F8-3D45-C03F-F0D7-2C3C92B5E16E}*]
    "papldpmnaoaokohaemlpjfgiafpoaann"=hex:6a,61,6a,6d,6a,68,6d,6f,67,6a,64,6d,68,
    61,62,6a,63,65,62,65,00,b9
    "abflnpbnmhgfbbbjclgejpimilboigghfe"=hex:69,61,6b,6d,62,69,6c,64,69,6a,67,64,
    6c,67,6d,67,6d,67,00,00
    .
    [HKEY_USERS\S-1-5-21-2530732781-1678084383-3266196856-1000\Software\SecuROM\License information*]
    "datasecu"=hex:ca,17,21,f5,a4,ce,b8,3a,5a,b5,99,3f,ce,f0,13,82,df,1d,b6,f2,71,
    fd,e5,c5,d2,17,b1,07,53,70,dc,1c,b7,d4,65,a8,3b,5b,0f,75,79,a2,22,a1,43,1c,\
    "rkeysecu"=hex:d3,70,bf,92,47,4f,b0,52,8c,2f,3f,54,b3,70,9c,1c
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(5304)
    c:\program files\SweetIM\Messenger\mgAdaptersProxy.dll
    c:\users\Greg\Deskspace\deskspace151.dll
    c:\program files\CrazyForCricket_3k\bar\1.bin\3kbrstub.dll
    c:\program files\IObitBar\toolbar\1.bin\i0brstub.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Dell\DellDock\DockLogin.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Application Updater\ApplicationUpdater.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\progra~1\CRAZYF~2\bar\1.bin\3kbarsvc.exe
    c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    c:\windows\system32\CTsvcCDA.exe
    c:\windows\system32\dldncoms.exe
    c:\progra~1\IObitBar\toolbar\1.bin\i0barsvc.exe
    c:\program files\Microsoft LifeCam\MSCamS32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    c:\windows\RtHDVCpl.exe
    c:\program files\IObitBar\toolbar\1.bin\i0brmon.exe
    c:\program files\CrazyForCricket_3k\bar\1.bin\3kbrmon.exe
    c:\program files\Digital Line Detect\DLG.exe
    c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
    c:\program files\Dell V105\dldnMsdMon.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
    c:\windows\system32\msiexec.exe
    c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
    c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
    c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
    c:\program files\Common Files\Steam\SteamService.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2012-07-16 06:56:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-07-15 20:56
    .
    Pre-Run: 192,126,926,848 bytes free
    Post-Run: 205,086,515,200 bytes free
    .
    - - End Of File - - 75CC9DD810A7BBDD8109325250573E49
  13. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    RegNull::
    [HKEY_USERS\S-1-5-21-2530732781-1678084383-3266196856-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{65D3B8F8-3D45-C03F-F0D7-2C3C92B5E16E}*]
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  14. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Hi Broni,

    I'm getting the following window

    "C:\Users\Greg\Desktop\ComboFix.exe
    Illegal operation attempted on a registry key marked for deletion"

    All I have is the "OK" radio button to select. ????

    I've actually deleted MSE a few threads back. Don't know if that info helps. I know windows firewall is operational.
  15. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    I should have mentioned that this occurred when I tried to drag and drop. Haven't selected OK however. Will wait for your reply in case it is malware :-(
  16. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Restart computer to fix the issue.

    Then reinstall MSE.
    Update, run full scan.

    Next....

    Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
    NOTE. If you already have MBAM installed, update it before running the scan.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    Be sure to restart the computer IF MBAM asks you to do so.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    =============================

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  17. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Wow, don't I feel like a heel :oops:

    Completing instructions now :D
  18. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Should I drag and drop again or just continue on?? Just want to be sure.
  19. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    If you didn't complete the Combofix fix yet, do it now.
    If you did, post the log.
  20. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Running Combo Fix successfully, will post results ASAP.
  21. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Hi again Broni,

    Combo Fix latest log. I'll wait for your reply.


    ComboFix 12-07-14.01 - Greg 16/07/2012 8:07.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3070.1935 [GMT 10:00]
    Running from: c:\users\Greg\Desktop\ComboFix.exe
    Command switches used :: c:\users\Greg\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-15 to 2012-07-15 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-15 22:13 . 2012-07-15 22:13 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-15 20:39 . 2012-07-15 22:13 -------- d-----w- c:\users\Greg\AppData\Local\temp
    2012-07-15 18:11 . 2012-06-17 17:14 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{300AB105-98E1-4012-879C-C5EC6F777073}\mpengine.dll
    2012-07-15 07:23 . 2012-07-15 07:23 -------- d-----w- C:\FRST
    2012-07-10 11:31 . 2012-07-10 11:31 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2012-07-08 07:59 . 2012-07-08 07:59 -------- d-----w- c:\users\Greg\AppData\Local\etax2012
    2012-07-07 06:08 . 2012-07-07 06:20 -------- d-----w- c:\users\Greg\AppData\Roaming\Ovwua
    2012-07-04 08:46 . 2012-07-04 08:46 -------- d-----w- c:\program files\Lame For Audacity
    2012-07-04 02:19 . 2012-07-04 02:19 -------- d-----w- c:\programdata\Sony
    2012-07-03 07:37 . 2012-07-08 07:59 -------- d-----w- c:\program files\etax2012
    2012-07-03 07:14 . 2012-07-03 07:14 -------- d-----w- c:\users\Greg\AppData\Roaming\Publish Providers
    2012-07-03 07:11 . 2012-07-03 07:12 -------- d-----w- c:\users\Greg\AppData\Local\Sony
    2012-07-03 07:11 . 2012-07-03 07:11 -------- d-----w- c:\program files\Sony
    2012-07-03 07:10 . 2012-07-04 02:18 -------- d-----w- c:\users\Greg\AppData\Roaming\Sony
    2012-07-02 10:36 . 2012-07-02 10:36 -------- d-----w- c:\program files\Ask.com
    2012-07-02 10:34 . 2012-07-02 10:34 -------- d-----w- c:\program files\FreeTime
    2012-06-27 00:12 . 2012-06-30 03:09 -------- d-----w- C:\Log
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-15 19:02 . 2012-04-04 07:49 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2012-07-15 19:02 . 2011-08-14 01:40 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-06-02 22:19 . 2012-06-08 23:29 45080 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-08 23:29 53784 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-08 23:28 35864 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-08 23:28 577048 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-08 23:29 1933848 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:12 . 2012-06-08 23:29 2422272 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:12 . 2012-06-08 23:28 88576 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 05:19 . 2012-06-08 23:28 171904 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 05:12 . 2012-06-08 23:28 33792 ----a-w- c:\windows\system32\wuapp.exe
    2012-05-31 02:25 . 2010-04-11 09:16 237072 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-17 22:45 . 2012-06-13 10:03 1800192 ----a-w- c:\windows\system32\jscript9.dll
    2012-05-17 22:35 . 2012-06-13 10:03 1129472 ----a-w- c:\windows\system32\wininet.dll
    2012-05-17 22:35 . 2012-06-13 10:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-05-17 22:29 . 2012-06-13 10:03 142848 ----a-w- c:\windows\system32\ieUnatt.exe
    2012-05-17 22:24 . 2012-06-13 10:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
    2012-05-15 19:51 . 2012-06-13 05:15 2045440 ----a-w- c:\windows\system32\win32k.sys
    2012-05-03 02:54 . 2012-05-03 02:54 42392 ----a-w- c:\windows\system32\xfcodec.dll
    2012-05-01 14:03 . 2012-06-13 05:15 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    2012-04-23 16:00 . 2012-06-13 05:15 984064 ----a-w- c:\windows\system32\crypt32.dll
    2012-04-23 16:00 . 2012-06-13 05:15 98304 ----a-w- c:\windows\system32\cryptnet.dll
    2012-04-23 16:00 . 2012-06-13 05:15 133120 ----a-w- c:\windows\system32\cryptsvc.dll
    2012-04-18 10:56 . 2012-04-18 10:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2012-04-18 10:56 . 2012-04-18 10:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSoft.dll" [2010-06-03 2736736]
    "{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}"= "c:\program files\Elf_1.15\tbElf_.dll" [2010-12-09 3911776]
    "{6d8d66f3-14fc-4736-a096-fac0ea66289c}"= "c:\program files\midicase\prxtbmidi.dll" [2011-01-03 175400]
    "{970a72ad-2603-4b4e-bb28-aff6ab80cccd}"= "c:\program files\CrazyForCricket_3k\bar\1.bin\3kSrcAs.dll" [2011-11-09 62864]
    .
    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
    .
    [HKEY_CLASSES_ROOT\clsid\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
    .
    [HKEY_CLASSES_ROOT\clsid\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
    .
    [HKEY_CLASSES_ROOT\clsid\{970a72ad-2603-4b4e-bb28-aff6ab80cccd}]
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
    2010-11-29 05:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
    2010-06-03 08:24 2736736 ----a-w- c:\program files\Softonic-Eng7\tbSoft.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
    2010-04-15 02:33 2515552 ----a-w- c:\program files\XfireXO\tbXfir.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64d23501-5195-4224-9446-e2b0fb64e859}]
    2010-03-25 06:56 2349080 ----a-w- c:\program files\HiGames\tbHiG1.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
    2011-01-03 00:16 175400 ----a-w- c:\program files\midicase\prxtbmidi.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
    2010-12-09 02:51 3911776 ----a-w- c:\program files\Elf_1.15\tbElf_.dll
    .
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
    2011-08-24 08:21 1299248 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{64d23501-5195-4224-9446-e2b0fb64e859}"= "c:\program files\HiGames\tbHiG1.dll" [2010-03-25 2349080]
    "{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-04-15 2515552]
    "{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSoft.dll" [2010-06-03 2736736]
    "{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
    "{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}"= "c:\program files\Elf_1.15\tbElf_.dll" [2010-12-09 3911776]
    "{6d8d66f3-14fc-4736-a096-fac0ea66289c}"= "c:\program files\midicase\prxtbmidi.dll" [2011-01-03 175400]
    "{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2011-08-24 1299248]
    .
    [HKEY_CLASSES_ROOT\clsid\{64d23501-5195-4224-9446-e2b0fb64e859}]
    .
    [HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
    .
    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
    .
    [HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
    .
    [HKEY_CLASSES_ROOT\clsid\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
    .
    [HKEY_CLASSES_ROOT\clsid\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
    .
    [HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
    [HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
    [HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{64D23501-5195-4224-9446-E2B0FB64E859}"= "c:\program files\HiGames\tbHiG1.dll" [2010-03-25 2349080]
    "{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSoft.dll" [2010-06-03 2736736]
    "{B9D63C58-90CC-428B-8D3B-CBB88EB07E7E}"= "c:\program files\Elf_1.15\tbElf_.dll" [2010-12-09 3911776]
    "{6D8D66F3-14FC-4736-A096-FAC0EA66289C}"= "c:\program files\midicase\prxtbmidi.dll" [2011-01-03 175400]
    .
    [HKEY_CLASSES_ROOT\clsid\{64d23501-5195-4224-9446-e2b0fb64e859}]
    .
    [HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
    .
    [HKEY_CLASSES_ROOT\clsid\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
    .
    [HKEY_CLASSES_ROOT\clsid\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-03 68856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
    "Steam"="c:\program files\Steam\steam.exe" [2011-08-02 1242448]
    "DeskSpace"="c:\users\Greg\Deskspace\deskspace.exe" [2002-01-01 1066496]
    "Facebook Update"="c:\users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-15 138096]
    "MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-05-02 17355912]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-07-18 6246400]
    "dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-03-17 668912]
    "dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-03-17 16624]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-10 30192]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
    "VX1000"="c:\windows\vVX1000.exe" [2009-07-24 762208]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
    "IObitBar Browser Plugin Loader"="c:\progra~1\IObitBar\toolbar\1.bin\i0brmon.exe" [2010-08-02 20480]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
    "SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2011-08-01 114992]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
    "CrazyForCricket Search Scope Monitor"="c:\progra~1\CRAZYF~2\bar\1.bin\3ksrchmn.exe" [2011-11-09 38440]
    "CrazyForCricket_3k Browser Plugin Loader"="c:\progra~1\CRAZYF~2\bar\1.bin\3kbrmon.exe" [2011-11-09 30096]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    .
    c:\users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
    DeskSpace.lnk - l:\deskspace\deskspace.exe [N/A]
    Facebook Messenger.lnk - c:\users\Greg\AppData\Local\Facebook\Messenger\2.1.4570.0\FacebookMessenger.exe [2012-7-6 217536]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    Xfire.lnk - c:\program files\Xfire\Xfire.exe [2012-5-3 3553176]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-10-3 50688]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 2 (0x2)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
    S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-15 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 19:02]
    .
    2012-07-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000Core.job
    - c:\users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-03 18:09]
    .
    2012-07-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000UA.job
    - c:\users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-03 18:09]
    .
    2012-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000Core.job
    - c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-02 10:13]
    .
    2012-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000UA.job
    - c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-02 10:13]
    .
    2012-07-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 05:40]
    .
    2012-07-15 c:\windows\Tasks\RtlNICDiagVistaStart.job
    - c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2008-10-03 11:18]
    .
    2012-07-15 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 05:40]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/index.php?lh=c0eff49bfa52c6577d051ffa05300cc9&eu=XVUHAKl-eM-CZ8lbII58wQ
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uInternet Settings,ProxyOverride = <local>;*.local
    TCP: DhcpNameServer = 61.9.211.33 61.9.211.1
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-07-16 08:13
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
    "ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2530732781-1678084383-3266196856-1000\Software\SecuROM\License information*]
    "datasecu"=hex:ca,17,21,f5,a4,ce,b8,3a,5a,b5,99,3f,ce,f0,13,82,df,1d,b6,f2,71,
    fd,e5,c5,d2,17,b1,07,53,70,dc,1c,b7,d4,65,a8,3b,5b,0f,75,79,a2,22,a1,43,1c,\
    "rkeysecu"=hex:d3,70,bf,92,47,4f,b0,52,8c,2f,3f,54,b3,70,9c,1c
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(4408)
    c:\program files\IObitBar\toolbar\1.bin\i0brstub.dll
    c:\program files\CrazyForCricket_3k\bar\1.bin\3kbrstub.dll
    .
    Completion time: 2012-07-16 08:15:18
    ComboFix-quarantined-files.txt 2012-07-15 22:15
    ComboFix2.txt 2012-07-15 20:56
    .
    Pre-Run: 204,952,776,704 bytes free
    Post-Run: 204,909,309,952 bytes free
    .
    - - End Of File - - 1AFDD56523ACF2FE72D99C14FC964837
  22. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Good :)
    Go on...
  23. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

  24. Johnny270268

    Johnny270268 Newcomer, in training Topic Starter Posts: 81

    Hi again Broni,

    MSE is currently doing the full scan, but it's going to take some considerable time to complete. I imagine the OTL log is going to take some time to do as well. I need to get some shuteye, man! I've been awake for two days. Do you mind terribly if I let these scans do their magic and report back to you in about 6-7 hours? It's around 10:18 am here in the south east of Queensland, Australia. If I don't hear anything, I'll know you're OK with this. I'll very briefly report on the result of the MSE full scan and post the MBAM log for you then. :)
  25. Broni

    Broni Malware Annihilator Posts: 45,226   +243

    Not a problem :)

