[Solved] Search results getting redirected

Discussion in 'Virus and Malware Removal' started by user7000, Jan 31, 2011.

  1. user7000 Newcomer, in training

    Those are the results that popped up at the end of the scan, I just copied and pasted it. There was an option that said copy to clipboard, not sure what it is, I clicked on it and nothing happened.
  2. Bobbye Helper on the Fringe

    You copy the log to the clipboard, then paste here. The clipboard is the 'invisible' place where whatever you copy is held. Then when you paste, the system moves the contents of the clipboard to wherever you want to paste it. If you had clicked on 'copy to clipboard', you wouldn't have seen anything happen. But if you then clicked on the area where you wanted the copy to go and clicked on Ctrl+V, you would have seen it.

    You can both Copy and Paste 3 ways:
    • Click on Edit> then Copy or Paste
    • Use the mouse right button and choose Copy or Paste from the drop-down menu.
    • Use keyboard combinations: Ctrl A is Select All. Ctrl C is Copy. Ctrl V is Paste.
    Remember these; they will serve you well. If you forget the keyboard combination, you can find it in Edit, to the right of the word.
    ========================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Users\MOM\AppData\Local\1ix3I3tm\Fiky73.cpl 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ============================================
    Please reopen HijackThis to 'do system scan only.' Check on the following, if present:
    O4 - HKCU\..\Run: [Fiky73] control.exe "C:\Users\MOM\AppData\Local\1ix3I3tm\Fiky73.cpl",0,0
    Close all Windows except HijackThis and click on "Fix Checked."
    ===============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    KillAll::
    Folder::
    c:\users\MOM\AppData\Local\PopCap Games
    c:\programdata\PopCap Games
    c:\users\MOM\AppData\Local\1ix3I3tm
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Fiky73"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"=-
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    Empty the Recycle Bin
    Reboot the computer
    Repeat the Eset scan>> with a log
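
The HijackThis step in the post above singles out one O4 autorun line. As an added example (not part of the thread, and not code from HijackThis or its authors), this sketch parses O4 Run entries and shows which properties make that line stand out. The second and third log lines are constructed, and the heuristics and thresholds are assumptions chosen for illustration.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# HijackThis autorun line: O4 - <hive>\..\<Run key>: [<value name>] <command>
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\(?P<key>Run\w*): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)
# Drive-letter path ending in an executable or library extension.
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|scr|bat|cmd|vbs|js)(?!\w)', re.I
)
USER_WRITABLE = ("\\appdata\\", "\\temp\\")      # no admin rights needed to write
PROXY_LAUNCHERS = ("control.exe", "rundll32.exe")  # Windows binaries that load a library


def alnum_flips(name):
    """Count digit<->letter transitions: 'Updater2' has 1, '1ix3I3tm' has 5."""
    kinds = [c.isdigit() for c in name if c.isalnum()]
    return sum(a != b for a, b in zip(kinds, kinds[1:]))


def triage_o4(line):
    """Return a dict describing one O4 line, or None if it is not an O4 Run entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m["cmd"]
    # First token of the command is the program Windows actually starts.
    launcher = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    paths = [p.group(0) for p in PATH_RE.finditer(cmd)]
    payload = paths[-1] if paths else launcher
    low = payload.lower()

    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("payload in user-writable directory")
    if basename(launcher).lower() in PROXY_LAUNCHERS and low.endswith((".cpl", ".dll")):
        reasons.append("library loaded through " + basename(launcher).lower())
    if alnum_flips(basename(dirname(payload))) >= 3:  # rough heuristic (assumption)
        reasons.append("random-looking parent folder name")
    return {"hive": m["hive"], "name": m["name"], "payload": payload, "reasons": reasons}


def triage_log(text):
    """Return only the O4 entries that triggered at least one heuristic."""
    hits = []
    for line in text.splitlines():
        entry = triage_o4(line)
        if entry and entry["reasons"]:
            hits.append(entry)
    return hits


# First line is the entry quoted in the thread; the other two are constructed.
SAMPLE_LOG = "\n".join([
    r'O4 - HKCU\..\Run: [Fiky73] control.exe "C:\Users\MOM\AppData\Local\1ix3I3tm\Fiky73.cpl",0,0',
    r'O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\ExampleVendor\Updater2\updater.exe" /background',
    r'O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)',
])

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(hit["hive"], hit["name"], hit["payload"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

A hit is a prompt to inspect the file and its registry value, not a verdict; legitimate software also installs per-user autoruns under AppData.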
  3. user7000 Newcomer, in training

    Here are the logs

    OTMoveIt by Old Timer:

    All processes killed
    ========== FILES ==========
    C:\Users\MOM\AppData\Local\1ix3I3tm\Fiky73.cpl moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: MOM
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 23288216 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 63750937 bytes
    ->Flash cache emptied: 43438 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 18634 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 5954289862 bytes

    Total Files Cleaned = 5,762.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 02172011_082631

    Files moved on Reboot...
    File move failed. C:\Windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...


    CFScript:

    ComboFix 11-02-16.05 - MOM 17/02/2011 9:04.3.1 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.1791.1038 [GMT -8:00]
    Running from: c:\users\MOM\Desktop\ComboFix.exe
    Command switches used :: c:\users\MOM\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\programdata\Desktop
    c:\programdata\PopCap Games
    c:\users\MOM\AppData\Local\1ix3I3tm
    c:\users\MOM\AppData\Local\PopCap Games
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\timebombexplode.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\timebonus_10.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\timebonus_5.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\timebonus_appears_10.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\timebonus_appears_5.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\tooltip.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\tower_hits_top1.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_awesome.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_blazingspeed.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_challengecomplete.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_excellent.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_extraordinary.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_gameover.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_getready.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_go.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_good.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_goodbye.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_levelcomplete.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_nomoremoves.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_spectacular.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_thirtyseconds.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_timeup.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_unbelievable.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_welcomeback.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\voice_welcometobejeweled.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_checkoff.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_checkon.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_combo_2.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_dropdownbutton.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_mantra1.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_menuclose.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_menuexpand.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_menuopen.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_menushrink.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_necklace_1.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_necklace_2.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_necklace_3.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\cached\sounds\zen_necklace_4.wav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\users\ users.dat
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\users\hiscores.dat
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\users\MOM\butterfly.sav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\users\MOM\classic.sav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\users\MOM\diamond_mine.sav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\users\MOM\poker.sav
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\users\MOM\profile .dat
    c:\users\MOM\AppData\Local\PopCap Games\Bejeweled3\users\MOM\zen.sav

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-17 to 2011-02-17 )))))))))))))))))))))))))))))))
    .

    2011-02-17 17:11 . 2011-02-17 17:11 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-17 17:01 . 2011-02-17 17:01 -------- d-----w- C:\32788R22FWJFW
    2011-02-17 16:26 . 2011-02-17 16:26 -------- d-----w- C:\_OTM
    2011-02-15 13:54 . 2011-01-13 10:20 7844688 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7C4B3A2F-7F18-4E56-B811-BD0C1E044829}\mpengine.dll
    2011-02-10 03:26 . 2011-02-10 03:26 -------- d-----w- c:\program files (x86)\ESET
    2011-02-10 03:14 . 2011-02-10 03:16 -------- d-----w- C:\HijackThis
    2011-02-09 06:17 . 2011-01-05 05:37 428032 ----a-w- c:\windows\SysWow64\vbscript.dll
    2011-02-09 06:17 . 2010-10-27 05:18 5510528 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-02-09 06:17 . 2010-10-27 05:16 1739176 ----a-w- c:\windows\system32\ntdll.dll
    2011-02-09 06:17 . 2010-10-27 04:43 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
    2011-02-09 06:17 . 2010-10-27 04:40 1293120 ----a-w- c:\windows\SysWow64\ntdll.dll
    2011-02-09 06:17 . 2010-10-27 04:43 3957120 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
    2011-02-09 06:17 . 2011-01-07 05:49 366080 ----a-w- c:\windows\system32\atmfd.dll
    2011-02-09 06:17 . 2011-01-07 08:06 46080 ----a-w- c:\windows\system32\atmlib.dll
    2011-02-09 06:17 . 2011-01-07 07:27 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
    2011-02-09 06:17 . 2011-01-07 05:33 294400 ----a-w- c:\windows\SysWow64\atmfd.dll
    2011-01-30 22:57 . 2011-01-30 22:57 103864 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
    2011-01-24 23:31 . 2011-01-24 23:31 -------- d-----w- c:\program files (x86)\GameHouse
    2011-01-24 23:00 . 2011-01-24 23:00 -------- d-----w- c:\program files (x86)\SereneScreen
    2011-01-20 05:02 . 2011-01-20 05:02 -------- d-----w- c:\users\MOM\AppData\Local\Microsoft Games
    2011-01-20 04:22 . 2011-01-20 04:22 -------- d-----w- c:\programdata\NVIDIA Corporation
    2011-01-20 04:22 . 2011-01-20 04:24 -------- d-----w- c:\program files\NVIDIA Corporation
    2011-01-20 04:20 . 2009-10-10 03:17 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
    2011-01-20 04:10 . 2011-01-20 04:10 -------- d-----w- c:\program files\Microsoft IntelliPoint
    2011-01-20 03:55 . 2011-01-20 03:55 -------- d-----w- c:\users\MOM\AppData\Roaming\Malwarebytes
    2011-01-20 03:54 . 2010-12-21 02:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-01-20 03:54 . 2011-01-20 03:54 -------- d-----w- c:\programdata\Malwarebytes
    2011-01-20 03:54 . 2010-12-21 02:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-20 03:54 . 2011-01-20 03:54 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-01-19 08:45 . 2011-01-13 08:41 273488 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-01-19 08:45 . 2011-01-13 08:37 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-01-19 08:45 . 2011-01-13 08:40 51792 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-01-19 08:45 . 2011-01-13 08:37 29264 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-01-19 08:45 . 2011-01-13 08:37 62032 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-01-19 08:45 . 2011-01-13 08:47 237168 ----a-w- c:\windows\system32\aswBoot.exe
    2011-01-19 08:44 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-19 08:44 . 2011-01-13 08:47 188216 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2011-01-19 08:44 . 2011-01-19 08:44 -------- d-----w- c:\programdata\Alwil Software
    2011-01-19 08:44 . 2011-01-19 08:44 -------- d-----w- c:\program files\Alwil Software
    2011-01-18 18:19 . 2011-01-18 18:19 -------- d--h--r- c:\users\MOM\AppData\Roaming\SecuROM
    2011-01-18 18:18 . 2011-01-18 18:18 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
    2011-01-18 17:41 . 2009-02-25 02:35 255552 ----a-w- c:\windows\system32\drivers\mcdbus.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
  4. user7000 Newcomer, in training

    Part 2 of Cf Script:

    2010-12-19 10:40 . 2010-12-19 08:39 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2010-12-19 09:39 . 2010-12-19 09:39 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
    2010-12-19 08:39 . 2010-12-19 08:39 48648 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\Markup.dll
    2010-12-19 08:39 . 2010-12-19 08:39 573760 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    .

    ((((((((((((((((((((((((((((( SnapShot_2011-02-01_22.19.31 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-09 06:18 . 2010-12-21 05:38 51200 c:\windows\SysWOW64\wscapi.dll
    + 2011-02-09 06:18 . 2010-12-21 05:38 14336 c:\windows\SysWOW64\slwga.dll
    + 2011-02-09 06:18 . 2010-12-18 05:30 67072 c:\windows\SysWOW64\mshtmled.dll
    - 2010-12-15 01:33 . 2010-11-04 05:49 67072 c:\windows\SysWOW64\mshtmled.dll
    - 2010-12-15 01:33 . 2010-11-04 05:46 12800 c:\windows\SysWOW64\msfeedssync.exe
    + 2011-02-09 06:18 . 2010-12-18 05:26 12800 c:\windows\SysWOW64\msfeedssync.exe
    + 2011-02-09 06:18 . 2010-12-18 05:30 64512 c:\windows\SysWOW64\msfeedsbs.dll
    - 2010-12-15 01:33 . 2010-11-04 05:49 64512 c:\windows\SysWOW64\msfeedsbs.dll
    - 2010-12-15 01:33 . 2010-11-04 05:48 44544 c:\windows\SysWOW64\licmgr10.dll
    + 2011-02-09 06:18 . 2010-12-18 05:29 44544 c:\windows\SysWOW64\licmgr10.dll
    + 2011-02-09 06:18 . 2010-12-21 05:34 80384 c:\windows\SysWOW64\davclnt.dll
    + 2009-07-14 04:54 . 2011-02-17 17:14 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2011-02-01 22:20 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2011-02-01 22:20 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2011-02-17 17:14 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2011-02-01 22:20 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2011-02-17 17:14 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-02-09 06:18 . 2010-12-21 06:16 97280 c:\windows\system32\wscsvc.dll
    - 2009-07-13 23:48 . 2009-07-14 01:41 97280 c:\windows\system32\wscsvc.dll
    + 2011-02-09 06:18 . 2010-12-21 06:16 62976 c:\windows\system32\wscapi.dll
    + 2009-08-26 03:53 . 2011-02-12 19:17 27808 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2011-02-17 16:30 41642 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-02-09 06:18 . 2010-12-21 06:15 15360 c:\windows\system32\slwga.dll
    + 2011-02-09 06:18 . 2010-12-18 06:12 97280 c:\windows\system32\mshtmled.dll
    - 2010-12-15 01:33 . 2010-11-04 06:32 97280 c:\windows\system32\mshtmled.dll
    + 2011-02-09 06:18 . 2010-12-18 06:08 12288 c:\windows\system32\msfeedssync.exe
    - 2010-12-15 01:33 . 2010-11-04 06:28 12288 c:\windows\system32\msfeedssync.exe
    - 2010-12-15 01:33 . 2010-11-04 06:32 82944 c:\windows\system32\msfeedsbs.dll
    + 2011-02-09 06:18 . 2010-12-18 06:12 82944 c:\windows\system32\msfeedsbs.dll
    - 2010-12-15 01:33 . 2010-11-04 06:31 57856 c:\windows\system32\licmgr10.dll
    + 2011-02-09 06:18 . 2010-12-18 06:11 57856 c:\windows\system32\licmgr10.dll
    - 2010-06-29 23:37 . 2011-02-01 20:25 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-06-29 23:37 . 2011-02-17 16:29 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-02-01 20:25 . 2011-02-01 20:25 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2011-02-17 16:29 . 2011-02-17 16:29 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2011-02-17 16:29 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2011-02-01 20:25 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-06-30 00:38 . 2011-02-01 22:19 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-06-30 00:38 . 2011-02-17 17:13 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:46 . 2011-02-14 09:38 80352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    - 2009-07-14 04:46 . 2011-01-23 09:08 80352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    - 2010-12-19 08:38 . 2011-02-01 21:29 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2010-12-19 08:38 . 2011-02-17 11:46 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2010-12-19 08:38 . 2011-02-01 21:29 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2010-12-19 08:38 . 2011-02-17 11:46 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
    - 2010-12-19 08:38 . 2011-02-01 21:29 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
    + 2010-12-19 08:38 . 2011-02-17 11:46 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
    - 2010-06-30 00:38 . 2011-02-01 22:19 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-06-30 00:38 . 2011-02-17 17:13 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-06-30 00:38 . 2011-02-17 17:13 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-06-30 00:38 . 2011-02-01 22:19 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-06-30 00:38 . 2011-02-17 17:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-06-30 00:38 . 2011-02-01 22:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-06-30 00:38 . 2011-02-01 22:19 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-06-30 00:38 . 2011-02-17 17:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-07-15 01:41 . 2010-12-15 11:15 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2010-07-15 01:41 . 2011-02-09 11:05 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2010-07-15 01:41 . 2011-02-09 11:05 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    - 2010-07-15 01:41 . 2010-12-15 11:15 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2010-07-15 01:41 . 2011-02-09 11:05 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2010-07-15 01:41 . 2010-12-15 11:15 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2010-07-15 01:41 . 2011-02-09 11:05 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2010-07-15 01:41 . 2010-12-15 11:15 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2010-07-15 01:41 . 2011-02-09 11:05 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
    - 2010-07-15 01:41 . 2010-12-15 11:15 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
    + 2010-07-15 01:41 . 2011-02-09 11:05 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2010-07-15 01:41 . 2010-12-15 11:15 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2010-07-08 19:47 . 2011-02-17 16:27 6554 c:\windows\system32\wdi\ERCQueuedResolutions.dat
    + 2010-07-11 23:20 . 2011-02-11 07:11 2180 c:\windows\system32\wdi\{88d4896f-f553-446a-9c75-9dec124ff8b7}.bin
    + 2010-06-30 00:39 . 2011-02-17 16:30 8000 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1685454527-2538209616-13761551-1001_UserData.bin
    - 2011-02-01 22:18 . 2011-02-01 22:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-02-17 16:28 . 2011-02-17 17:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-02-01 22:18 . 2011-02-01 22:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-02-17 16:28 . 2011-02-17 17:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-07-15 01:41 . 2011-02-09 11:05 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2010-07-15 01:41 . 2010-12-15 11:15 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2011-02-09 06:18 . 2010-12-21 05:38 981504 c:\windows\SysWOW64\wininet.dll
    + 2011-02-09 06:18 . 2010-12-21 05:38 350720 c:\windows\SysWOW64\winhttp.dll
    + 2011-02-09 06:18 . 2010-12-21 05:38 204800 c:\windows\SysWOW64\WebClnt.dll
    + 2011-02-09 06:18 . 2010-12-21 05:38 204288 c:\windows\SysWOW64\upnp.dll
    - 2010-12-15 01:33 . 2010-11-04 05:49 606208 c:\windows\SysWOW64\mstime.dll
    + 2011-02-09 06:18 . 2010-12-18 05:30 606208 c:\windows\SysWOW64\mstime.dll
    - 2010-12-15 01:33 . 2010-11-04 05:49 599040 c:\windows\SysWOW64\msfeeds.dll
    + 2011-02-09 06:18 . 2010-12-18 05:30 599040 c:\windows\SysWOW64\msfeeds.dll
    + 2011-02-09 06:18 . 2010-12-18 05:29 541184 c:\windows\SysWOW64\kerberos.dll
    - 2009-07-13 23:35 . 2009-07-14 01:15 541184 c:\windows\SysWOW64\kerberos.dll
    - 2010-06-30 17:39 . 2009-12-02 08:17 716800 c:\windows\SysWOW64\jscript.dll
    + 2011-02-09 06:18 . 2011-01-05 05:34 716800 c:\windows\SysWOW64\jscript.dll
    - 2010-12-15 01:33 . 2010-11-04 05:48 185856 c:\windows\SysWOW64\iepeers.dll
    + 2011-02-09 06:18 . 2010-12-18 05:29 185856 c:\windows\SysWOW64\iepeers.dll
    - 2010-12-15 01:33 . 2010-11-04 05:48 381440 c:\windows\SysWOW64\iedkcs32.dll
    + 2011-02-09 06:18 . 2010-12-18 05:29 381440 c:\windows\SysWOW64\iedkcs32.dll
    - 2009-07-13 23:38 . 2009-07-14 01:41 214016 c:\windows\system32\winsrv.dll
    + 2011-02-09 06:18 . 2010-12-21 06:16 214016 c:\windows\system32\winsrv.dll
    + 2011-02-09 06:18 . 2010-12-21 06:16 442880 c:\windows\system32\winhttp.dll
    + 2011-02-09 06:18 . 2010-12-21 06:16 258048 c:\windows\system32\WebClnt.dll
    + 2010-06-30 04:22 . 2011-02-17 07:41 240324 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
    - 2010-06-30 17:59 . 2010-03-08 21:59 612352 c:\windows\system32\vbscript.dll
    + 2011-02-09 06:18 . 2011-01-05 06:20 612352 c:\windows\system32\vbscript.dll
    + 2011-02-09 06:18 . 2010-12-21 06:15 264192 c:\windows\system32\upnp.dll
    - 2009-07-14 02:36 . 2011-02-01 20:30 628024 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-02-17 16:35 628024 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2011-02-17 16:35 110208 c:\windows\system32\perfc009.dat
    - 2009-07-14 02:36 . 2011-02-01 20:30 110208 c:\windows\system32\perfc009.dat
    + 2011-02-09 06:18 . 2010-12-18 06:12 703488 c:\windows\system32\msfeeds.dll
    - 2010-12-15 01:33 . 2010-11-04 06:32 703488 c:\windows\system32\msfeeds.dll
    + 2011-02-09 06:18 . 2010-12-18 06:11 714752 c:\windows\system32\kerberos.dll
    - 2010-06-30 17:39 . 2009-12-02 09:15 852480 c:\windows\system32\jscript.dll
    + 2011-02-09 06:18 . 2011-01-05 06:16 852480 c:\windows\system32\jscript.dll
    - 2010-12-15 01:33 . 2010-11-04 06:31 256000 c:\windows\system32\iepeers.dll
    + 2011-02-09 06:18 . 2010-12-18 06:11 256000 c:\windows\system32\iepeers.dll
    + 2011-02-09 06:18 . 2010-12-18 06:11 445952 c:\windows\system32\iedkcs32.dll
    - 2010-12-15 01:33 . 2010-11-04 06:31 445952 c:\windows\system32\iedkcs32.dll
    - 2009-07-14 04:45 . 2011-01-20 05:06 383768 c:\windows\system32\FNTCACHE.DAT
    + 2009-07-14 04:45 . 2011-02-09 11:22 383768 c:\windows\system32\FNTCACHE.DAT
    + 2011-02-09 06:18 . 2011-01-26 06:53 265088 c:\windows\system32\drivers\dxgmms1.sys
    - 2011-01-13 01:35 . 2010-11-02 05:21 982912 c:\windows\system32\drivers\dxgkrnl.sys
    + 2011-02-09 06:18 . 2011-01-26 06:53 982912 c:\windows\system32\drivers\dxgkrnl.sys
    + 2011-02-09 06:18 . 2010-12-21 06:10 100864 c:\windows\system32\davclnt.dll
    - 2011-01-13 01:35 . 2010-11-02 04:59 144384 c:\windows\system32\cdd.dll
    + 2011-02-09 06:18 . 2011-01-26 06:31 144384 c:\windows\system32\cdd.dll
    + 2009-07-14 05:01 . 2011-02-17 16:27 352740 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2009-07-14 05:01 . 2011-02-01 22:18 352740 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2010-11-20 21:33 . 2011-02-17 16:27 876596 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1685454527-2538209616-13761551-1001-8192.dat
    - 2010-11-20 21:33 . 2011-02-01 20:22 876596 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1685454527-2538209616-13761551-1001-8192.dat
    - 2010-07-15 01:41 . 2010-12-15 11:15 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2010-07-15 01:41 . 2011-02-09 11:05 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2010-07-15 01:41 . 2010-12-15 11:15 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2010-07-15 01:41 . 2011-02-09 11:05 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2010-07-15 01:41 . 2010-12-15 11:15 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2010-07-15 01:41 . 2011-02-09 11:05 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2010-07-15 01:41 . 2011-02-09 11:05 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2010-07-15 01:41 . 2010-12-15 11:15 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2010-07-15 01:41 . 2010-12-15 11:15 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2010-07-15 01:41 . 2011-02-09 11:05 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2010-07-15 01:41 . 2010-12-15 11:15 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    + 2010-07-15 01:41 . 2011-02-09 11:05 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    + 2011-02-09 06:18 . 2010-12-21 05:38 1228288 c:\windows\SysWOW64\urlmon.dll
    + 2011-02-09 06:18 . 2010-12-21 05:36 1389568 c:\windows\SysWOW64\msxml6.dll
    + 2011-02-09 06:18 . 2010-12-21 05:36 1236992 c:\windows\SysWOW64\msxml3.dll
    + 2011-02-09 06:18 . 2010-12-18 05:30 5980672 c:\windows\SysWOW64\mshtml.dll
    - 2010-12-15 01:33 . 2010-11-04 05:48 2063360 c:\windows\SysWOW64\iertutil.dll
    + 2011-02-09 06:18 . 2010-12-18 05:29 2063360 c:\windows\SysWOW64\iertutil.dll
    + 2011-02-09 06:18 . 2010-12-21 06:16 1197056 c:\windows\system32\wininet.dll
    + 2011-02-09 06:18 . 2011-01-05 04:00 3127808 c:\windows\system32\win32k.sys
    + 2011-02-09 06:18 . 2010-12-21 06:15 1498112 c:\windows\system32\urlmon.dll
    + 2011-02-09 06:18 . 2010-12-21 06:13 2003968 c:\windows\system32\msxml6.dll
    + 2011-02-09 06:18 . 2010-12-21 06:13 1880576 c:\windows\system32\msxml3.dll
    - 2010-12-15 01:33 . 2010-11-04 06:32 1026560 c:\windows\system32\mstime.dll
    + 2011-02-09 06:18 . 2010-12-18 06:12 1026560 c:\windows\system32\mstime.dll
    + 2011-02-09 06:18 . 2010-12-18 06:12 9302528 c:\windows\system32\mshtml.dll
    - 2010-12-15 01:33 . 2010-11-04 06:31 2447872 c:\windows\system32\iertutil.dll
    + 2011-02-09 06:18 . 2010-12-18 06:11 2447872 c:\windows\system32\iertutil.dll
    + 2009-07-14 04:45 . 2011-02-09 11:25 3801083 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    - 2009-07-14 04:45 . 2011-01-20 05:13 3801083 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2011-01-18 00:06 . 2011-01-18 00:06 5518848 c:\windows\Installer\7c7772e.msp
    - 2010-12-15 01:33 . 2010-11-04 05:48 10989056 c:\windows\SysWOW64\ieframe.dll
    + 2011-02-09 06:18 . 2010-12-21 05:35 10989056 c:\windows\SysWOW64\ieframe.dll
    + 2009-07-14 02:34 . 2011-02-17 16:43 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    - 2009-07-14 02:34 . 2011-02-01 20:39 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2010-07-06 06:21 . 2011-02-09 11:02 39403464 c:\windows\system32\MRT.exe
    + 2011-02-09 06:18 . 2010-12-21 06:11 12369408 c:\windows\system32\ieframe.dll
    - 2010-12-15 01:33 . 2010-11-04 06:31 12369408 c:\windows\system32\ieframe.dll
    + 2011-01-31 10:45 . 2011-01-31 10:45 11135488 c:\windows\Installer\dda8bfc.msp
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-01 1255736]
    R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [2009-02-13 14464]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-06 828912]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 62032]
    S2 Greg_Service;GRegService;c:\program files (x86)\eMachines\Registration\GregHSRW.exe [2009-06-04 1150496]
    S2 TomTomHOMEService;TomTomHOMEService;c:\program files (x86)\TomTom HOME 2\TomTomHOMEService.exe [2010-08-24 92008]
    S2 Updater Service;Updater Service;c:\program files\eMachines\eMachines Updater\UpdaterService.exe [2009-07-04 240160]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-22 45456]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-05-22 215040]

    .

    --------- x86-64 -----------


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-07-20 7981088]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-22 2327952]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ca.yahoo.com/?p=us
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=1009&m=el1320&r=17360610b103p0384v145r4871r258
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\MOM\AppData\Roaming\Mozilla\Firefox\Profiles\muqw0o04.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Modify Headers: {b749fc7c-e949-447f-926c-3f4eed6accfe} - %profile%\extensions\{b749fc7c-e949-447f-926c-3f4eed6accfe}
    FF - user.js: yahoo.homepage.dontask - true
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-17 09:18:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-17 17:18
    ComboFix2.txt 2011-02-01 22:23
    ComboFix3.txt 2011-02-01 08:03

    Pre-Run: 218,028,802,048 bytes free
    Post-Run: 217,641,336,832 bytes free

    - - End Of File - - AA44AC8567B250965E739A4DDACD93EB



    This is what I got when I clicked copy to clipboard and pasted it onto Notepad for the Eset scan. Not sure if this is correct.


    C:\_OTM\MovedFiles\02172011_082631\C_Users\MOM\AppData\Local\1ix3I3tm\Fiky73.cpl a variant of Win32/Sefnit.BA trojan
  5. Bobbye Helper on the Fringe

    That entry from Eset is okay. I moved the file in OTM.

    You should be moving a bit faster now. Are you having any more redirects or other malware-related problems? If not:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the Run box and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.

    Creating a Restore Point in Windows 7:
    • Click on Start> right click on Computer> Properties
    • Select System Protection
    • Click on the Create button (near bottom)
    • Type a name for the Restore Point
    • Click on Create again to save the restore point.

    Deleting all but the most recent System Protection point in Windows 7
    1. Click Start> Computer> right click the C Drive and choose Properties> enter.
    2. Click Disk Cleanup from there.
    3. Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
    4. Click the More Options tab
    5. Click the Clean up under System Restore and Shadow Copies.
    6. Click OK.
    7. You will get a confirmation screen> Just click Delete.
    8. Click OK on the Disk Cleanup Screen.
    9. Click Delete Files on the Confirmation screen.
    It will run the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space on the C drive.)
    Images courtesy lytebyte.

    Empty the Recycle Bin
    Let me know if you have any questions.
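
Added example, not part of the original thread and not code from OTMoveIt or ESET: a small triage helper showing why a scanner hit under `C:\_OTM\MovedFiles\` points at the copy OTM already moved rather than at a live file. The folder layout (`<MMDDYYYY_HHMMSS>\<drive>_<original path>`) and the "path, then detection name" line format are assumptions inferred from the single result line quoted above.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Assumed layout, inferred from the one path quoted in the thread:
#   C:\_OTM\MovedFiles\<MMDDYYYY_HHMMSS>\<drive>_<original path>
OTM_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\_OTM\\MovedFiles)\\(?P<stamp>\d{8}_\d{6})\\"
    r"(?P<drive>[A-Za-z])_(?P<rest>.+)$",
    re.IGNORECASE,
)
# Scanner line as pasted in the thread: "<path> <detection name>".
# Heuristic: the path ends at the first file extension followed by whitespace.
HIT_RE = re.compile(r"^\s*(?P<path>[A-Za-z]:\\.+?\.\w{1,4})\s+(?P<name>\S.*)$")
# First line is the ESET result quoted in the thread; the second is constructed.
SAMPLE = [
    r"C:\_OTM\MovedFiles\02172011_082631\C_Users\MOM\AppData\Local\1ix3I3tm\Fiky73.cpl a variant of Win32/Sefnit.BA trojan",
    r"C:\Users\EXAMPLE\AppData\Local\Temp\sample.dll a variant of Win32/Example.A trojan",
]


def parse_hit(line):
    """Split one scanner result line into (path, detection name)."""
    m = HIT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised scanner line: {line!r}")
    return m.group("path"), m.group("name").strip()


def triage(line):
    """Classify a hit as 'quarantined' (inside the OTM move folder) or 'live'."""
    path, name = parse_hit(line)
    m = OTM_RE.match(path)
    if not m:
        return {"status": "live", "path": path, "detection": name}
    # Rebuild where the file lived before it was moved, and when it was moved.
    original = PureWindowsPath(f"{m['drive'].upper()}:\\{m['rest']}")
    moved_at = datetime.strptime(m["stamp"], "%m%d%Y_%H%M%S")
    return {"status": "quarantined", "path": path, "detection": name,
            "original": str(original), "moved_at": moved_at}


if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```

A "live" result is the case that still needs attention; a "quarantined" one disappears once the cleanup tool removes the `_OTM` folder.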
  6. user7000 Newcomer, in training

    I haven't gotten any redirects anymore. I did all the cleanup and got rid of the stuff on the desktop.
  7. Bobbye Helper on the Fringe

    You're welcome.