win32:sirefef-PL [Rtk] removal

Solved
By BigWezz
Aug 31, 2012
Topic Status:
Not open for further replies.
  1. Hi guys

    Firstly, I know there is already a thread called "[Solved] win32:sirefef-PL [Rtk] removal help" (http://www.techspot.com/community/topics/win32-sirefef-pl-rtk-removal-help.181608/) and I have previously been looking at that, but I don't know if the solutions used there are specific to that user. If it's not, then I can just follow the advice given in there by Broni; if not, can you guys help me out please?

    I wouldn't say I'm amazing with computers, but I can follow basic instructions, so bear with me :) In the other thread, one of the first things Broni asked for was a log from "Bootkit Remover" and "aswMBR"; these are below:

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
    , 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
    Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-31 15:01:45
    -----------------------------
    15:01:45.231 OS Version: Windows x64 6.1.7601 Service Pack 1
    15:01:45.231 Number of processors: 8 586 0x1E05
    15:01:45.232 ComputerName: DEANS-COMP UserName: DE
    15:01:46.945 Initialize success
    15:01:47.060 AVAST engine defs: 12083100
    15:02:42.893 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
    15:02:42.897 Disk 0 Vendor: MDT_MD5000AAKS-00A7B0 01.03B01 Size: 476940MB BusType: 3
    15:02:42.909 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-4
    15:02:42.914 Disk 1 Vendor: SAMSUNG_HD154UI 1AG01118 Size: 1430799MB BusType: 3
    15:02:42.926 Disk 0 MBR read successfully
    15:02:42.931 Disk 0 MBR scan
    15:02:42.937 Disk 0 Windows 7 default MBR code
    15:02:42.951 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    15:02:42.961 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
    15:02:42.985 Disk 0 scanning C:\Windows\system32\drivers
    15:02:57.383 Service scanning
    15:03:10.140 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
    15:03:16.293 Modules scanning
    15:03:16.645 Disk 0 trace - called modules:
    15:03:16.682 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80074762c0]<<spmw.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
    15:03:16.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007949060]
    15:03:16.690 3 CLASSPNP.SYS[fffff8800168b43f] -> nt!IofCallDriver -> [0xfffffa8007619580]
    15:03:16.694 5 ACPI.sys[fffff880011927a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80075ff680]
    15:03:16.697 \Driver\atapi[0xfffffa80075da920] -> IRP_MJ_CREATE -> 0xfffffa80074762c0
    15:03:19.484 AVAST engine scan C:\Windows
    15:04:23.263 AVAST engine scan C:\Windows\system32
    15:07:07.456 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    15:07:11.629 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    15:09:12.805 AVAST engine scan C:\Windows\system32\drivers
    15:09:26.526 AVAST engine scan C:\Users\DE
    15:32:26.641 AVAST engine scan C:\ProgramData
    15:41:33.719 Scan finished successfully
    15:58:07.097 Disk 0 MBR has been saved successfully to "C:\Users\DE\Desktop\MBR.dat"
    15:58:07.097 The log file has been saved successfully to "C:\Users\DE\Desktop\aswMBR.txt"

    Thank you!
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.


    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    Please review the 5-Step removal instructions and post the logs back here for my review.

    Also, include this scan:

    Download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
  3. BigWezz

    BigWezz Newcomer, in training Topic Starter Posts: 17

    Hi thanks for the quick reply!

    I've done all the scans now and they are as below:

    Malwarebytes Anti-Malware 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.31.12

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    DE :: DEANS-COMP [administrator]

    31/08/2012 22:15:36
    mbam-log-2012-08-31 (22-15-36).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 240415
    Time elapsed: 11 minute(s), 2 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    ============================================================

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-09-01 01:51:08
    Windows 6.1.7601 Service Pack 1
    Running: gmer.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7C 0xFD 0x00 0x3E ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x14 0x25 0xC3 0x44 ...
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7D 0xF8 0xA8 0xF7 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files (x86)\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7C 0xFD 0x00 0x3E ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x14 0x25 0xC3 0x44 ...
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7D 0xF8 0xA8 0xF7 ...

    ---- EOF - GMER 1.0.15 ----

    ============================================================
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
    Run by DE at 12:13:18 on 2012-09-01
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.8187.5801 [GMT 1:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\nvvsvc.exe
    E:\Program Files (x86)\SASCORE64.EXE
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BBSvc.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe
    c:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe
    C:\Windows\system32\mfevtps.exe
    E:\Program Files\Proxy Labs\ProxyCap\pcapsvc.exe
    C:\Windows\SysWOW64\PnkBstrA.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Program Files (x86)\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files (x86)\Razer\Lycosa\razerhid.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Users\DE\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\DE\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\DE\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Windows\system32\sppsvc.exe
    C:\Users\DE\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\DE\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\DE\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\DE\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Common Files\McAfee\Core\mchost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
    mSearchAssistant = hxxp://start.facemoods.com/?a=ironto&s={searchTerms}&f=4
    mWinlogon: Userinit=userinit.exe,
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO: CescrtHlpr Object: {64182481-4f71-486b-a045-b233bd0da8fc} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\bh\facemoods.dll
    BHO: avast! EasyPass Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - E:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - E:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingExt.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
    BHO: Yontoo: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
    TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodsTlbr.dll
    TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingExt.dll"
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    TB: avast! EasyPass Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    uRun: [Google Update] "C:\Users\DE\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [SUPERAntiSpyware] E:\Program Files (x86)\SUPERAntiSpyware.exe
    uRun: [RoboForm] "C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    mRun: [DRPU PC Data Manager(Basic)] "e:\Program Files (x86)\DRPU PC Data Manager(Basic)\pcdm.exe" "hd"
    mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [Lycosa] "C:\Program Files (x86)\Razer\Lycosa\razerhid.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Customize Menu - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - E:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Fill Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: Free YouTube Download - C:\Users\DE\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
    IE: Free YouTube to MP3 Converter - C:\Users\DE\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    IE: Save Forms - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: Se&nd to OneNote - E:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: Show avast! EasyPass Toolbar - file://C:\Program Files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - E:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - E:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    LSP: pcapwsp.dll
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{74E801AF-9F6C-486C-80A1-852EA5D9E29B} : DhcpNameServer = 192.168.0.1
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\MSC\McSnIePl.dll
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - E:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
    BHO-X64: CescrtHlpr Object: {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\bh\facemoods.dll
    BHO-X64: facemoods Helper - No File
    BHO-X64: avast! EasyPass Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
    BHO-X64: RoboForm BHO - No File
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
    BHO-X64: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
    BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - E:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingExt.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
    BHO-X64: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
    BHO-X64: Yontoo Layers - No File
    TB-X64: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
    TB-X64: facemoods Toolbar: {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodsTlbr.dll
    TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BingExt.dll"
    TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
    TB-X64: avast! EasyPass Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files (x86)\Siber Systems\AI RoboForm\roboform.dll
    TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    mRun-x64: [DRPU PC Data Manager(Basic)] "e:\Program Files (x86)\DRPU PC Data Manager(Basic)\pcdm.exe" "hd"
    mRun-x64: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    mRun-x64: [Lycosa] "C:\Program Files (x86)\Razer\Lycosa\razerhid.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - E:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\DE\AppData\Roaming\Mozilla\Firefox\Profiles\k5ta0gia.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
    FF - plugin: c:\progra~2\mcafee\msc\npMcSnFFPl.dll
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\1.122.0\npesnlaunch.dll
    FF - plugin: C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\McAfee\SiteAdvisor\NPMcFFPlg32.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
    FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
    FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\DE\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
    FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
    FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1165635.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll
    FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
    FF - plugin: E:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
    FF - plugin: E:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extentions.y2layers.installId - 04264f49-2fcd-425d-912c-2dea6dd45e54
    FF - user.js: extentions.y2layers.defaultEnableAppsList - DropDownDeals,ezLooker,pagerage,buzzdock,toprelatedtopics,twittube
    .
    FF - user.js: extensions.autoDisableScopes - 14
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
    R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
    R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
    R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    R1 SASDIFSV;SASDIFSV;E:\Program Files (x86)\sasdifsv64.sys [2011-7-22 14928]
    R1 SASKUTIL;SASKUTIL;E:\Program Files (x86)\saskutil64.sys [2011-7-12 12368]
    R2 !SASCORE;SAS Core Service;E:\Program Files (x86)\SASCore64.exe [2011-8-12 140672]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-4-4 63928]
    R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
    R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2012-8-31 44808]
    R2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\BBSvc.EXE [2012-2-20 193816]
    R2 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
    R2 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2011-5-13 1492840]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-8-31 655944]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\PROGRA~2\mcafee\SITEAD~1\mcsacore.exe [2012-8-30 103472]
    R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-8-29 200728]
    R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-8-29 200728]
    R2 McShield;McAfee McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2012-8-29 237920]
    R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2012-8-29 218320]
    R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
    R2 pcapsvc;ProxyCap Service;E:\Program Files\Proxy Labs\ProxyCap\pcapsvc.exe [2011-10-9 1850368]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-5-15 382272]
    R3 Lycosa;Lycosa Keyboard;C:\Windows\system32\drivers\Lycosa.sys --> C:\Windows\system32\drivers\Lycosa.sys [?]
    R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
    R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
    R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
    R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-8-29 200728]
    S2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-4-12 1262400]
    S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-15 250056]
    S3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.364.0\SeaPort.EXE [2012-2-20 240408]
    S3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
    S3 HipShieldK;McAfee Inc. HipShieldK;C:\Windows\system32\drivers\HipShieldK.sys --> C:\Windows\system32\drivers\HipShieldK.sys [?]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-6-17 237008]
    S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;E:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 30963576]
    S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-5-5 113120]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 pbfilter;pbfilter;E:\Program Files\PeerBlock\pbfilter.sys [2011-6-15 24176]
    S3 Razerlow;Razer Pro|Solutions;C:\Windows\system32\drivers\DB3G.sys --> C:\Windows\system32\drivers\DB3G.sys [?]
    S3 SwitchBoard;SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 usbet;USB 2.0 PC CAMERA;C:\Windows\system32\DRIVERS\ETdrv.sys --> C:\Windows\system32\DRIVERS\ETdrv.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;C:\Program Files\Zune\WMZuneComm.exe [2010-11-11 306416]
    S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
    .
    =============== Created Last 30 ================
    .
    2012-08-31 21:14:46  --------  d-----w-  C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-08-30 21:32:22  --------  d-----w-  C:\Users\DE\AppData\Roaming\RoboForm
    2012-08-30 21:30:24  --------  d-----w-  C:\Program Files (x86)\Siber Systems
    2012-08-30 21:29:59  54072  ----a-w-  C:\Windows\System32\drivers\aswRdr2.sys
    2012-08-30 21:29:56  969200  ----a-w-  C:\Windows\System32\drivers\aswSnx.sys
    2012-08-30 21:29:51  71600  ----a-w-  C:\Windows\System32\drivers\aswMonFlt.sys
    2012-08-30 21:29:22  41224  ----a-w-  C:\Windows\avastSS.scr
    2012-08-30 21:29:09  --------  d-----w-  C:\ProgramData\AVAST Software
    2012-08-30 21:29:09  --------  d-----w-  C:\Program Files\AVAST Software
    2012-08-30 00:58:34  --------  d-----w-  C:\Users\DE\AppData\Roaming\SUPERAntiSpyware.com
    2012-08-30 00:58:00  --------  d-----w-  C:\ProgramData\SUPERAntiSpyware.com
    2012-08-30 00:34:23  16200  ----a-w-  C:\Windows\stinger.sys
    2012-08-30 00:34:12  --------  d-----w-  C:\Program Files (x86)\stinger
    2012-08-29 22:26:52  196440  ----a-w-  C:\Windows\System32\drivers\HipShieldK.sys
    2012-08-29 22:26:32  --------  d-----w-  C:\Program Files (x86)\McAfee.com
    2012-08-29 22:26:27  10288  ----a-w-  C:\Windows\System32\drivers\mfeclnk.sys
    2012-08-29 22:26:26  --------  d-----w-  C:\Program Files (x86)\Common Files\McAfee
    2012-08-29 22:26:24  69672  ----a-w-  C:\Windows\System32\drivers\cfwids.sys
    2012-08-29 22:26:24  513456  ----a-w-  C:\Windows\System32\drivers\mfefirek.sys
    2012-08-29 22:26:24  300392  ----a-w-  C:\Windows\System32\drivers\mfeavfk.sys
    2012-08-29 22:26:24  106112  ----a-w-  C:\Windows\System32\drivers\mferkdet.sys
    2012-08-29 22:26:07  --------  d-----w-  C:\Program Files\McAfee.com
    2012-08-29 22:26:07  --------  d-----w-  C:\Program Files\McAfee
    2012-08-29 22:15:26  --------  d-----w-  C:\Program Files\Common Files\McAfee
    2012-08-29 22:15:14  --------  d-----w-  C:\Program Files (x86)\McAfee
    2012-08-29 22:00:57  177144  ----a-w-  C:\Windows\System32\mfevtps.exe
    2012-08-29 21:35:53  --------  d-----w-  C:\Users\DE\AppData\Roaming\McAfee
    2012-08-28 17:46:45  9310152  ----a-w-  C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A8C074BD-4440-4832-A19C-438A80B60A8D}\mpengine.dll
    2012-08-25 13:14:20  281088  ----a-w-  C:\Program Files (x86)\Microsoft Games\Pinball\pinball.exe
    2012-08-25 13:14:20  --------  d-----w-  C:\Program Files (x86)\Microsoft Games
    2012-08-21 23:44:30  --------  d-----w-  C:\Windows\SysWow64\directx
    2012-08-21 21:51:04  --------  d-----w-  C:\Users\DE\AppData\Local\CrashRpt
    2012-08-17 21:24:27  --------  d-----w-  C:\Users\DE\AppData\Local\Macromedia
    2012-08-15 20:39:46  503808  ----a-w-  C:\Windows\System32\srcore.dll
    2012-08-15 20:39:45  43008  ----a-w-  C:\Windows\SysWow64\srclient.dll
    2012-08-15 20:39:40  3148800  ----a-w-  C:\Windows\System32\win32k.sys
    2012-08-15 20:39:37  59392  ----a-w-  C:\Windows\System32\browcli.dll
    2012-08-15 20:39:37  136704  ----a-w-  C:\Windows\System32\browser.dll
    2012-08-15 20:39:35  41984  ----a-w-  C:\Windows\SysWow64\browcli.dll
    2012-08-15 20:39:31  751104  ----a-w-  C:\Windows\System32\win32spl.dll
    2012-08-15 20:39:31  559104  ----a-w-  C:\Windows\System32\spoolsv.exe
    2012-08-15 20:39:30  67072  ----a-w-  C:\Windows\splwow64.exe
    2012-08-15 20:39:30  492032  ----a-w-  C:\Windows\SysWow64\win32spl.dll
    2012-08-15 20:39:28  956928  ----a-w-  C:\Windows\System32\localspl.dll
    2012-08-04 17:39:11  --------  d-----w-  C:\ProgramData\Spybot - Search & Destroy
    .
    ==================== Find3M ====================
    .
    2012-08-31 20:19:23  280856  ----a-w-  C:\Windows\SysWow64\PnkBstrB.xtr
    2012-08-31 20:19:23  280856  ----a-w-  C:\Windows\SysWow64\PnkBstrB.exe
    2012-08-31 15:18:23  280792  ----a-w-  C:\Windows\SysWow64\PnkBstrB.ex0
    2012-08-19 13:17:06  70344  ----a-w-  C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-08-19 13:17:06  426184  ----a-w-  C:\Windows\SysWow64\FlashPlayerApp.exe
    2012-07-03 12:46:44  24904  ----a-w-  C:\Windows\System32\drivers\mbam.sys
    2012-06-29 03:56:34  2312704  ----a-w-  C:\Windows\System32\jscript9.dll
    2012-06-29 03:49:11  1392128  ----a-w-  C:\Windows\System32\wininet.dll
    2012-06-29 03:48:07  1494528  ----a-w-  C:\Windows\System32\inetcpl.cpl
    2012-06-29 03:43:49  173056  ----a-w-  C:\Windows\System32\ieUnatt.exe
    2012-06-29 03:39:48  2382848  ----a-w-  C:\Windows\System32\mshtml.tlb
    2012-06-29 00:16:58  1800704  ----a-w-  C:\Windows\SysWow64\jscript9.dll
    2012-06-29 00:09:01  1129472  ----a-w-  C:\Windows\SysWow64\wininet.dll
    2012-06-29 00:08:59  1427968  ----a-w-  C:\Windows\SysWow64\inetcpl.cpl
    2012-06-29 00:04:43  142848  ----a-w-  C:\Windows\SysWow64\ieUnatt.exe
    2012-06-29 00:00:45  2382848  ----a-w-  C:\Windows\SysWow64\mshtml.tlb
    2012-06-22 06:38:16  335784  ----a-w-  C:\Windows\System32\drivers\mfewfpk.sys
    2012-06-22 06:36:12  752672  ----a-w-  C:\Windows\System32\drivers\mfehidk.sys
    2012-06-22 06:34:00  169320  ----a-w-  C:\Windows\System32\drivers\mfeapfk.sys
    2012-06-06 06:06:16  2004480  ----a-w-  C:\Windows\System32\msxml6.dll
    2012-06-06 06:06:16  1881600  ----a-w-  C:\Windows\System32\msxml3.dll
    2012-06-06 06:02:54  1133568  ----a-w-  C:\Windows\System32\cdosys.dll
    2012-06-06 05:05:52  1390080  ----a-w-  C:\Windows\SysWow64\msxml6.dll
    2012-06-06 05:05:52  1236992  ----a-w-  C:\Windows\SysWow64\msxml3.dll
    2012-06-06 05:03:06  805376  ----a-w-  C:\Windows\SysWow64\cdosys.dll
    .
    ============= FINISH: 12:15:02.48 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 24/11/2010 13:41:25
    System Uptime: 01/09/2012 12:06:38 (0 hours ago)
    .
    Motherboard: Gigabyte Technology Co., Ltd. | | P55-US3L
    Processor: Intel(R) Core(TM) i7 CPU 860 @ 2.80GHz | Socket 1156 | 2794/133mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 466 GiB total, 141.87 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 1397 GiB total, 829.866 GiB free.
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
    Description: McAfee Inc. mfeapfk
    Device ID: ROOT\LEGACY_MFEAPFK\0000
    Manufacturer:
    Name: McAfee Inc. mfeapfk
    PNP Device ID: ROOT\LEGACY_MFEAPFK\0000
    Service: mfeapfk
    .
    ==== System Restore Points ===================
    .
    RP324: 21/08/2012 19:48:12 - Windows Update
    RP325: 28/08/2012 18:46:12 - Windows Update
    RP326: 30/08/2012 22:28:55 - avast! Free Antivirus Setup
    .
    ==== Installed Programs ======================
    .
    «Achtung Panzer - Kharkov 1943 Demo»
    1ClickDownloader
    888casino
    Adobe AIR
    Adobe Community Help
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Media Player
    Adobe Photoshop CS5
    Adobe Reader X (10.1.3)
    Adobe Shockwave Player 11.6
    Advanced Tactical Center™ 1.0
    ANNO 1404
    Anno 2070
    Apple Application Support
    Apple Software Update
    ArtMoney SE v7.38
    µTorrent
    avast! EasyPass
    avast! Free Antivirus
    Battlefield 3™
    Battlelog Web Plugins
    Bing Bar
    Black & White® 2
    Blitzkrieg
    Botanicula
    Company of Heroes
    Crysis(R)
    D3DX10
    DAEMON Tools Toolbar
    DarthMod: Shogun II (v2.4)
    DarthMod: Shogun II (v2.7)
    Dear Esther
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    DelinvFile - 4.04
    DivX Setup
    Dual-Core Optimizer
    Duke Nukem Forever
    EB Documentation 1.1
    EB Trivial Script 0.125
    Empire: Total War
    ESN Sonar
    Europa Barbarorum 1.1
    Europa Barbarorum 1.2
    EVGA Precision 1.9.5
    Express Zip File Compression Software
    Facemoods Toolbar
    Fallout: New Vegas
    Free Audio CD Burner version 1.4.7
    Free Studio version 5.1.5
    Free YouTube Download 3 version 3.0.11.727
    Free YouTube to MP3 Converter version 3.9.35.324
    GIMP 2.6.11
    Google Chrome
    GPL MPEG-1/2 DirectShow Decoder Filter
    Grand Theft Auto IV
    Grand Theft Auto: Episodes From Liberty City
    Hawke BRC 1.0.9
    Java Auto Updater
    Java(TM) 6 Update 31
    Java(TM) 7 Update 5
    JavaFX 2.1.1
    Junk Mail filter update
    Just Cause 2
    LIMBO
    Magic ISO Maker v5.5 (build 0281)
    MagicDisc 2.7.106
    Malwarebytes Anti-Malware version 1.62.0.1300
    Mass Effect 2
    McAfee AntiVirus Plus
    McAfee Security Scan Plus
    McAfee Virtual Technician
    Medieval II Total War
    Medieval II Total War : Kingdoms : Americas
    Medieval II Total War : Kingdoms : Britannia
    Medieval II Total War : Kingdoms : Crusades
    Medieval II Total War : Kingdoms : Teutonic
    Men of War
    Mesh Runtime
    Messenger Companion
    Microsoft .NET Framework 1.1
    Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Games for Windows Marketplace
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook Connector
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Minecraft Cracked
    Mount & Blade: Warband
    Mount&Blade With Fire and Sword
    Mozilla Firefox 14.0.1 (x86 en-GB)
    Mozilla Maintenance Service
    MSVCRT
    MSVCRT_amd64
    Norton Security Scan
    NVIDIA 3D Vision Controller Driver
    NVIDIA Photoshop Plug-ins 64 bit
    NVIDIA PhysX
    NVIDIA Stereoscopic 3D Driver
    NVIDIA Supersonic Sled demo
    ObjectDock Free
    Oblivion
    Oblivion mod manager 1.1.12
    OpenVPN 2.2.1
    Origin
    OverTargetMarkers Editor
    PDF Settings CS5
    PlayStation(R)Network Downloader
    PlayStation(R)Store
    Porrasturvat - Stair Dismount
    PunkBuster Services
    QuickTime
    Rainmeter (remove only)
    Razer Lycosa
    Recruitment Viewer 0.9
    Red Orchestra 2: Heroes of Stalingrad
    Rockstar Games Social Club
    RollerCoaster Tycoon® 3
    Rome - Total War(TM)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Slice Audio File Splitter
    Sniper Elite V2
    Stainless Steel
    Stainless Steel 3.2 Patch Final
    Stainless_Steel_6.0_Part1of2
    Stainless_Steel_6.0_Part2of2
    Steam
    Stronghold 3
    swMSM
    The Elder Scrolls V: Skyrim
    Theatre of War
    Theatre of War 2: Africa 1943
    Theatre of War 2: Kursk 1943
    Third Age - Total War 1.0 Part1
    Third Age - Total War 1.0 Part2
    Third Age - Total War Hotfix1
    Third Age - Total War Patch 1.1
    Third Age - Total War Patch 1.2
    Third Age - Total War Patch 1.3
    Third Age - Total War Patch 1.4
    thriXXX 3DSexVilla2-114.001
    Total War: SHOGUN 2
    Truck Dismount (remove only)
    Uninstall 1.0.0.1
    Universe Sandbox
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553092)
    VC80CRTRedist - 8.0.50727.6195
    VLC media player 1.1.11
    Warhammer 40,000 Space Marine
    WavePad Sound Editor
    WebCam
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Installer
    Windows Live Mail
    Windows Live Mesh
    Windows Live Mesh ActiveX Control for Remote Connections
    Windows Live Messenger
    Windows Live Messenger Companion Core
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Windows Live Writer
    Windows Live Writer Resources
    World of Tanks - Physics Preview
    World of Tanks 0.7.0_test1
    World of Tanks v.0.7.4_CT
    wxDownload Fast 0.6.0
    XPS2OneNote
    Your Freedom 20111109-01
    .
    ==== Event Viewer Messages From Past Week ========
    .
    30/08/2012 01:34:32, Error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
    30/08/2012 01:34:32, Error: Service Control Manager [7034] - The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).
    30/08/2012 01:34:32, Error: Service Control Manager [7031] - The Windows Live Family Safety Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    30/08/2012 01:02:19, Error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
    25/08/2012 20:51:31, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
    25/08/2012 20:51:31, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    01/09/2012 12:10:24, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the McAfee Scanner service to connect.
    01/09/2012 12:10:24, Error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    01/09/2012 12:10:24, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
    01/09/2012 12:09:56, Error: Service Control Manager [7003] - The McAfee Personal Firewall Service service depends the following service: MpsSvc. This service might not be installed.
    01/09/2012 12:09:47, Error: Service Control Manager [7038] - The nvUpdatusService service was unable to log on as .\UpdatusUser with the currently configured password due to the following error: Logon failure: the specified account password has expired. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
    01/09/2012 12:09:47, Error: Service Control Manager [7000] - The NVIDIA Update Service Daemon service failed to start due to the following error: The service did not start due to a logon failure.
    01/09/2012 12:09:24, Error: Service Control Manager [7023] - The Function Discovery Resource Publication service terminated with the following error: %%-2147024891
    01/09/2012 12:09:24, Error: Service Control Manager [7001] - The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error: %%-2147024891
    01/09/2012 12:07:39, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mfeapfk
    01/09/2012 12:07:31, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    01/09/2012 12:07:30, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    01/09/2012 12:07:27, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    .
    ==== End Of File ===========================


    ============================================================

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601)
    , 64-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
    Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...

    ============================================================

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-08-31 15:01:45
    -----------------------------
    15:01:45.231 OS Version: Windows x64 6.1.7601 Service Pack 1
    15:01:45.231 Number of processors: 8 586 0x1E05
    15:01:45.232 ComputerName: DEANS-COMP UserName: DE
    15:01:46.945 Initialize success
    15:01:47.060 AVAST engine defs: 12083100
    15:02:42.893 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
    15:02:42.897 Disk 0 Vendor: MDT_MD5000AAKS-00A7B0 01.03B01 Size: 476940MB BusType: 3
    15:02:42.909 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-4
    15:02:42.914 Disk 1 Vendor: SAMSUNG_HD154UI 1AG01118 Size: 1430799MB BusType: 3
    15:02:42.926 Disk 0 MBR read successfully
    15:02:42.931 Disk 0 MBR scan
    15:02:42.937 Disk 0 Windows 7 default MBR code
    15:02:42.951 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    15:02:42.961 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
    15:02:42.985 Disk 0 scanning C:\Windows\system32\drivers
    15:02:57.383 Service scanning
    15:03:10.140 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
    15:03:16.293 Modules scanning
    15:03:16.645 Disk 0 trace - called modules:
    15:03:16.682 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80074762c0]<<spmw.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
    15:03:16.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007949060]
    15:03:16.690 3 CLASSPNP.SYS[fffff8800168b43f] -> nt!IofCallDriver -> [0xfffffa8007619580]
    15:03:16.694 5 ACPI.sys[fffff880011927a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80075ff680]
    15:03:16.697 \Driver\atapi[0xfffffa80075da920] -> IRP_MJ_CREATE -> 0xfffffa80074762c0
    15:03:19.484 AVAST engine scan C:\Windows
    15:04:23.263 AVAST engine scan C:\Windows\system32
    15:07:07.456 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    15:07:11.629 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
    15:09:12.805 AVAST engine scan C:\Windows\system32\drivers
    15:09:26.526 AVAST engine scan C:\Users\DE
    15:32:26.641 AVAST engine scan C:\ProgramData
    15:41:33.719 Scan finished successfully
    15:58:07.097 Disk 0 MBR has been saved successfully to "C:\Users\DE\Desktop\MBR.dat"
    15:58:07.097 The log file has been saved successfully to "C:\Users\DE\Desktop\aswMBR.txt"

    ============================================================
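    Editor's note on the two logs above, with an added triage example. The code below was written for this page; it is not from the thread, from aswMBR or from DDS. Three things in these logs are worth pulling out before anything else. First, the two **INFECTED** hits are the Desktop.ini files under C:\Windows\assembly\GAC_32 and GAC_64, which is the location Sirefef/ZeroAccess is known to use for its payload, so those detections are the real finding here. Second, the 7003 events report that BFE (Base Filtering Engine) and MpsSvc (Windows Firewall) are not installed, and removing those services is documented Sirefef behaviour; the list of such services in the code is an assumption taken from public write-ups, not something the logs state. Third, the caveat: the >>UNKNOWN<< hook in the disk stack sits right before spmw.sys while sptd.sys is **LOCKED**, and that is what SPTD, the driver behind DAEMON Tools (whose toolbar is in the installed-programs list), looks like in aswMBR, so that entry on its own is not evidence of the rootkit. The sample inputs are verbatim excerpts of the logs posted above.

```python
"""Triage of the aswMBR and DDS excerpts posted above.

Added example written for this page. It is not code from the thread, from
aswMBR or from DDS. It extracts the findings a helper would act on first:
  * files aswMBR marked **INFECTED**, with the detection name;
  * the >>UNKNOWN<< entry in the disk driver stack, and whether the same
    address is also the target of \\Driver\\atapi's IRP_MJ_CREATE dispatch;
  * SCM event 7003 entries whose missing dependency is a service that public
    Sirefef/ZeroAccess write-ups describe the malware deleting.
"""
import re

# Services public Sirefef/ZeroAccess analyses describe being deleted or
# disabled. Assumption taken from those write-ups, not from the posted logs.
SERVICES_SIREFEF_REMOVES = {"BFE", "MpsSvc", "WinDefend", "wscsvc", "iphlpsvc"}

INFECTED_RE = re.compile(r"File: (.+?) \*\*INFECTED\*\* (.+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<\s*(\S+)")
DISPATCH_RE = re.compile(
    r"\\Driver\\(\w+)\[(0x[0-9a-fA-F]+)\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")
LOCKED_RE = re.compile(r"Service (\S+) (\S+) \*\*LOCKED\*\*")
# Windows really logs "depends the following service" in event 7003 (the
# missing "on" is Microsoft's), so the pattern has to match it as written.
SCM7003_RE = re.compile(
    r"\[7003\] - The (.+?) service depends the following service: (\w+)\.")
# SPTD (the driver behind DAEMON Tools) loads a randomly named sp??.sys
# companion module; that naming rule is an assumption from experience with
# aswMBR logs, not something the log itself states.
SPTD_MODULE_RE = re.compile(r"sp[a-z]{2}\.sys", re.IGNORECASE)

# Verbatim excerpts of the logs posted above, used as sample input.
ASWMBR_EXCERPT = r"""
15:03:10.140 Service sptd C:\Windows\System32\Drivers\sptd.sys **LOCKED** 32
15:03:16.682 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80074762c0]<<spmw.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
15:03:16.697 \Driver\atapi[0xfffffa80075da920] -> IRP_MJ_CREATE -> 0xfffffa80074762c0
15:07:07.456 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
15:07:11.629 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
"""
DDS_EVENTS_EXCERPT = """
01/09/2012 12:09:56, Error: Service Control Manager [7003] - The McAfee Personal Firewall Service service depends the following service: MpsSvc. This service might not be installed.
01/09/2012 12:07:31, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
01/09/2012 12:07:30, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
"""


def parse_aswmbr(log):
    """Collect infections, unknown hooks, dispatch redirects and locked
    services from an aswMBR log, one tuple per matching line."""
    out = {"infected": [], "unknown_hooks": [], "hooked_dispatch": [], "locked": []}
    for line in log.splitlines():
        line = line.strip()
        if m := INFECTED_RE.search(line):
            out["infected"].append((m.group(1), m.group(2)))
        elif m := UNKNOWN_RE.search(line):
            out["unknown_hooks"].append((m.group(1), m.group(2)))
        elif m := DISPATCH_RE.search(line):
            out["hooked_dispatch"].append((m.group(1), m.group(3), m.group(4)))
        elif m := LOCKED_RE.search(line):
            out["locked"].append((m.group(1), m.group(2)))
    return out


def parse_scm_missing_deps(events):
    """(dependent service, missing dependency) for every 7003 event."""
    return [(m.group(1), m.group(2)) for m in SCM7003_RE.finditer(events)]


def triage(aswmbr_log, dds_events):
    """Cross-check the two logs and return the findings worth acting on."""
    asw = parse_aswmbr(aswmbr_log)
    missing = {dep for _, dep in parse_scm_missing_deps(dds_events)}
    dispatch_targets = {target for _, _, target in asw["hooked_dispatch"]}
    locked_names = {name for name, _ in asw["locked"]}
    return {
        "sirefef_files": [path for path, name in asw["infected"] if "Sirefef" in name],
        # Same address in the stack trace and as an IRP dispatch target:
        # something is inserted in the atapi I/O path.
        "hook_matches_dispatch": any(
            addr in dispatch_targets for addr, _ in asw["unknown_hooks"]),
        # If the module right after the hook is sp??.sys and sptd is the locked
        # service, SPTD is the simpler explanation for that entry than a rootkit.
        "hook_consistent_with_sptd": "sptd" in locked_names and any(
            SPTD_MODULE_RE.fullmatch(nxt) for _, nxt in asw["unknown_hooks"]),
        "security_services_missing": sorted(missing & SERVICES_SIREFEF_REMOVES),
    }


if __name__ == "__main__":
    for key, value in triage(ASWMBR_EXCERPT, DDS_EVENTS_EXCERPT).items():
        print(f"{key}: {value}")
```

    Run against these excerpts it reports both GAC Desktop.ini paths as Sirefef hits, BFE and MpsSvc as missing security services, and flags the disk-stack hook as both a real dispatch redirect and as consistent with SPTD, which is exactly the ambiguity a helper has to resolve before treating that hook as part of the infection. The regexes are deliberately narrow to the line shapes aswMBR and DDS actually emit; a full log contains many lines none of them match, and those are skipped.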
  4. BigWezz

    Oops, I haven't done the AdwCleaner scan, I'll do that now!
  5. BigWezz

    AdwCleaner scan log

    # AdwCleaner v2.000 - Logfile created 09/01/2012 at 12:22:40
    # Updated 30/08/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : DE - DEANS-COMP
    # Boot Mode : Normal
    # Running from : C:\Users\DE\Downloads\adwcleaner (1).exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
    File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\fcmdSrch.xml
    File Found : C:\Users\DE\AppData\Roaming\Mozilla\Firefox\Profiles\k5ta0gia.default\searchplugins\daemon-search.xml
    Folder Found : C:\Program Files (x86)\DAEMON Tools Toolbar
    Folder Found : C:\Program Files (x86)\facemoods.com
    Folder Found : C:\Program Files (x86)\Yontoo
    Folder Found : C:\ProgramData\BabylonUpdater
    Folder Found : C:\ProgramData\InstallMate
    Folder Found : C:\ProgramData\Premium
    Folder Found : C:\ProgramData\Tarma Installer
    Folder Found : C:\Users\DE\AppData\LocalLow\boost_interprocess
    Folder Found : C:\Users\DE\AppData\LocalLow\facemoods.com
    Folder Found : C:\Users\Irene\AppData\LocalLow\facemoods.com

    ***** [Registry] *****

    Key Found : HKCU\Software\Conduit
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{64182481-4F71-486B-A045-B233BD0DA8FC}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DB4E9724-F518-4DFD-9C7C-78B52103CAB9}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{64182481-4F71-486B-A045-B233BD0DA8FC}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB4E9724-F518-4DFD-9C7C-78B52103CAB9}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
    Key Found : HKCU\Software\Softonic
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}
    Key Found : HKLM\Software\Babylon
    Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{AD25754E-D76C-42B3-A335-2F81478B722F}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
    Key Found : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj
    Key Found : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj.1
    Key Found : HKLM\SOFTWARE\Classes\esrv.escrtSrvc
    Key Found : HKLM\SOFTWARE\Classes\esrv.escrtSrvc.1
    Key Found : HKLM\SOFTWARE\Classes\facemoods.dskBnd
    Key Found : HKLM\SOFTWARE\Classes\facemoods.dskBnd.1
    Key Found : HKLM\SOFTWARE\Classes\facemoods.facemoodsHlpr
    Key Found : HKLM\SOFTWARE\Classes\facemoods.facemoodsHlpr.1
    Key Found : HKLM\SOFTWARE\Classes\facemoods.xtrnl
    Key Found : HKLM\SOFTWARE\Classes\facemoods.xtrnl.1
    Key Found : HKLM\SOFTWARE\Classes\facemoodsApp.appCore
    Key Found : HKLM\SOFTWARE\Classes\facemoodsApp.appCore.1
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{12A5F606-B1EC-474C-83ED-95E99FD8058E}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}
    Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api
    Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
    Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Layers
    Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Layers.1
    Key Found : HKLM\Software\Conduit
    Key Found : HKLM\Software\facemoods.com
    Key Found : HKLM\Software\Iminent
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Found : HKLM\Software\SweetIm
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{64182481-4F71-486B-A045-B233BD0DA8FC}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{99066096-8989-4612-841F-621A01D54AD7}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AD20D01C-C939-4DD2-8C55-56935A48987E}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DB4E9724-F518-4DFD-9C7C-78B52103CAB9}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DDE2C74F-58CC-4D71-8CE1-09DEBB8CFB78}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ihflimipbcaljfnojhhknppphnnciiif
    Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
    Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FFDF9EF3-3C3A-4F05-9A6E-5D3B778EC567}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{64182481-4F71-486B-A045-B233BD0DA8FC}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\facemoods
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    Key Found : HKLM\SOFTWARE\Tarma Installer
    Key Found : HKU\S-1-5-21-3815836669-2017180766-4137048338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
    Key Found : HKU\S-1-5-21-3815836669-2017180766-4137048338-1000\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}
    Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]
    Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]
    Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{DB4E9724-F518-4DFD-9C7C-78B52103CAB9}]
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://start.facemoods.com/?a=ironto&s={searchTerms}&f=4

    -\\ Mozilla Firefox v14.0.1 (en-GB)

    Profile name : default
    File : C:\Users\DE\AppData\Roaming\Mozilla\Firefox\Profiles\k5ta0gia.default\prefs.js

    Found : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
    Found : user_pref("browser.search.defaultenginename", "Facemoods Search");
    Found : user_pref("browser.search.order.1", "Search the web (Babylon)");
    Found : user_pref("extensions.BabylonToolbar.bbDpng", 22);
    Found : user_pref("extensions.BabylonToolbar.firstRun", false);
    Found : user_pref("extensions.BabylonToolbar.lastActv", "22");
    Found : user_pref("extensions.BabylonToolbar.lastDP", 22);
    Found : user_pref("extensions.BabylonToolbar.lastVrsnTs", "1.4.31.223:50:42");
    Found : user_pref("extensions.facemoods.aflt", "_#ironto");
    Found : user_pref("extensions.facemoods.firstRun", false);
    Found : user_pref("extensions.facemoods.lastActv", "22");

    Profile name : default
    File : C:\Users\Irene\AppData\Roaming\Mozilla\Firefox\Profiles\oigotn3k.default\prefs.js

    [OK] File is clean.

    -\\ Google Chrome v21.0.1180.83

    File : C:\Users\DE\AppData\Local\Google\Chrome\User Data\DEfault\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [12802 octets] - [01/09/2012 12:22:40]

    ########## EOF - C:\AdwCleaner[R1].txt - [12863 octets] ##########
    Thanks!
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ComboFix

    Please download ComboFix by sUBs from BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console:
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and rename
    ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe and winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


    Remove the Adware.
    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
    Please post the log.
  7. BigWezz

    BigWezz Newcomer, in training Topic Starter Posts: 17

    Hey DragonMasterJay, I've done as asked. Logs below:

    ComboFix 12-08-31.08 - DE 01/09/2012 13:26:36.1.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.8187.6326 [GMT 1:00]
    Running from: c:\users\DE\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\facemoods.com
    c:\program files (x86)\facemoods.com\facemoods\1.4.17.6\bh\facemoods.dll
    c:\program files (x86)\facemoods.com\facemoods\1.4.17.6\facemoods.crx
    c:\program files (x86)\facemoods.com\facemoods\1.4.17.6\facemoods.png
    c:\program files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodsApp.dll
    c:\program files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodsEng.dll
    c:\program files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe
    c:\program files (x86)\facemoods.com\facemoods\1.4.17.6\faCEmoodstlbr.dll
    c:\program files (x86)\facemoods.com\facemoods\1.4.17.6\uninstall.exe
    c:\program files (x86)\facemoods.com\sqlite3.dll
    c:\users\DE\AppData\Local\Microsoft\Windows\Temporary Internet Files\{5F18DCFC-CDC8-4492-9B8C-536BD42E9327}.xps
    c:\users\DE\AppData\Local\Microsoft\Windows\Temporary Internet Files\{7E2A4EAC-2E7B-4972-B9AE-71B12BDB4245}.xps
    c:\users\DE\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A645BDB1-AD84-4649-A681-49CC00751474}.xps
    c:\users\DE\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DDD9316E-DE4D-4C2C-9323-B2326499E397}.xps
    c:\users\DE\AppData\Roaming\928d5be7.dat
    c:\users\DE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix
    c:\users\DE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\System Fix.lnk
    c:\users\DE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
    c:\windows\SysWow64\URTTemp
    c:\windows\SysWow64\URTTemp\regtlib.exe
    E:\install.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-01 to 2012-09-01 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-01 12:34 . 2012-09-01 12:34  --------  d-----w-  c:\users\UpdatusUser\AppData\Local\temp
    2012-09-01 12:34 . 2012-09-01 12:34  --------  d-----w-  c:\users\Default\AppData\Local\temp
    2012-08-31 21:14 . 2012-08-31 21:14  --------  d-----w-  c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-08-30 21:32 . 2012-08-30 21:32  --------  d-----w-  c:\users\DE\AppData\Roaming\RoboForm
    2012-08-30 21:30 . 2012-08-30 21:30  --------  d-----w-  c:\programdata\RoboForm
    2012-08-30 21:30 . 2012-08-30 21:30  --------  d-----w-  c:\program files (x86)\Siber Systems
    2012-08-30 21:30 . 2012-08-21 09:13  25232  ----a-w-  c:\windows\system32\drivers\aswFsBlk.sys
    2012-08-30 21:30 . 2012-08-21 09:13  359464  ----a-w-  c:\windows\system32\drivers\aswSP.sys
    2012-08-30 21:29 . 2012-08-21 09:13  54072  ----a-w-  c:\windows\system32\drivers\aswRdr2.sys
    2012-08-30 21:29 . 2012-08-21 09:13  59728  ----a-w-  c:\windows\system32\drivers\aswTdi.sys
    2012-08-30 21:29 . 2012-08-21 09:13  969200  ----a-w-  c:\windows\system32\drivers\aswSnx.sys
    2012-08-30 21:29 . 2012-08-21 09:13  71600  ----a-w-  c:\windows\system32\drivers\aswMonFlt.sys
    2012-08-30 21:29 . 2012-08-21 09:12  285328  ----a-w-  c:\windows\system32\aswBoot.exe
    2012-08-30 21:29 . 2012-08-21 09:12  41224  ----a-w-  c:\windows\avastSS.scr
    2012-08-30 21:29 . 2012-08-21 09:12  227648  ----a-w-  c:\windows\SysWow64\aswBoot.exe
    2012-08-30 21:29 . 2012-08-30 21:29  --------  d-----w-  c:\programdata\AVAST Software
    2012-08-30 21:29 . 2012-08-30 21:29  --------  d-----w-  c:\program files\AVAST Software
    2012-08-30 00:58 . 2012-08-30 00:58  --------  d-----w-  c:\users\DE\AppData\Roaming\SUPERAntiSpyware.com
    2012-08-30 00:58 . 2012-08-30 00:58  --------  d-----w-  c:\programdata\SUPERAntiSpyware.com
    2012-08-30 00:34 . 2012-08-30 00:47  16200  ----a-w-  c:\windows\stinger.sys
    2012-08-30 00:34 . 2012-08-30 01:38  --------  d-----w-  c:\program files (x86)\stinger
    2012-08-29 22:26 . 2012-04-20 15:40  196440  ----a-w-  c:\windows\system32\drivers\HipShieldK.sys
    2012-08-29 22:26 . 2012-06-22 06:37  10288  ----a-w-  c:\windows\system32\drivers\mfeclnk.sys
    2012-08-29 22:26 . 2012-08-29 22:26  --------  d-----w-  c:\program files (x86)\Common Files\McAfee
    2012-08-29 22:26 . 2012-06-22 06:40  69672  ----a-w-  c:\windows\system32\drivers\cfwids.sys
    2012-08-29 22:26 . 2012-06-22 06:36  106112  ----a-w-  c:\windows\system32\drivers\mferkdet.sys
    2012-08-29 22:26 . 2012-06-22 06:35  513456  ----a-w-  c:\windows\system32\drivers\mfefirek.sys
    2012-08-29 22:26 . 2012-06-22 06:34  300392  ----a-w-  c:\windows\system32\drivers\mfeavfk.sys
    2012-08-29 22:26 . 2012-08-29 22:26  --------  d-----w-  c:\program files\McAfee
    2012-08-29 22:15 . 2012-08-29 22:26  --------  d-----w-  c:\program files\Common Files\McAfee
    2012-08-29 22:15 . 2012-09-01 10:44  --------  d-----w-  c:\program files (x86)\McAfee
    2012-08-29 22:00 . 2012-06-22 06:38  177144  ----a-w-  c:\windows\system32\mfevtps.exe
    2012-08-29 22:00 . 2012-08-30 01:26  --------  d-----w-  c:\programdata\McAfee
    2012-08-29 21:35 . 2012-08-29 21:35  --------  d-----w-  c:\users\DE\AppData\Roaming\McAfee
    2012-08-25 13:14 . 2012-08-25 13:14  --------  d-----w-  c:\program files (x86)\Microsoft Games
    2012-08-21 21:51 . 2012-08-21 21:51  --------  d-----w-  c:\users\DE\AppData\Local\CrashRpt
    2012-08-17 21:24 . 2012-08-17 21:24  --------  d-----w-  c:\users\DE\AppData\Local\Macromedia
    2012-08-15 20:39 . 2012-05-05 08:36  503808  ----a-w-  c:\windows\system32\srcore.dll
    2012-08-15 20:39 . 2012-05-05 07:46  43008  ----a-w-  c:\windows\SysWow64\srclient.dll
    2012-08-15 20:39 . 2012-07-18 18:15  3148800  ----a-w-  c:\windows\system32\win32k.sys
    2012-08-15 20:39 . 2012-07-04 22:13  59392  ----a-w-  c:\windows\system32\browcli.dll
    2012-08-15 20:39 . 2012-07-04 22:13  136704  ----a-w-  c:\windows\system32\browser.dll
    2012-08-15 20:39 . 2012-07-04 22:16  73216  ----a-w-  c:\windows\system32\netapi32.dll
    2012-08-15 20:39 . 2012-07-04 21:14  41984  ----a-w-  c:\windows\SysWow64\browcli.dll
    2012-08-15 20:39 . 2012-02-11 06:43  751104  ----a-w-  c:\windows\system32\win32spl.dll
    2012-08-15 20:39 . 2012-02-11 06:36  559104  ----a-w-  c:\windows\system32\spoolsv.exe
    2012-08-15 20:39 . 2012-02-11 06:36  67072  ----a-w-  c:\windows\splwow64.exe
    2012-08-15 20:39 . 2012-02-11 05:43  492032  ----a-w-  c:\windows\SysWow64\win32spl.dll
    2012-08-15 20:39 . 2012-05-14 05:26  956928  ----a-w-  c:\windows\system32\localspl.dll
    2012-08-04 17:39 . 2012-08-29 22:09  --------  d-----w-  c:\programdata\Spybot - Search & Destroy
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-31 20:19 . 2011-09-24 14:35  280856  ----a-w-  c:\windows\SysWow64\PnkBstrB.xtr
    2012-08-31 20:19 . 2011-02-05 22:53  280856  ----a-w-  c:\windows\SysWow64\PnkBstrB.exe
    2012-08-31 15:18 . 2011-02-05 22:53  280792  ----a-w-  c:\windows\SysWow64\PnkBstrB.ex0
    2012-08-23 08:26 . 2012-08-28 17:46  9310152  ----a-w-  c:\programdata\Microsoft\Windows Defender\Definition Updates\{A8C074BD-4440-4832-A19C-438A80B60A8D}\mpengine.dll
    2012-08-19 13:17 . 2012-04-15 10:13  426184  ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-19 13:17 . 2011-05-23 09:29  70344  ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-08-16 00:27 . 2010-11-24 14:42  62134624  ----a-w-  c:\windows\system32\MRT.exe
    2012-07-03 12:46 . 2011-12-10 13:47  24904  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-06-22 06:38 . 2012-06-22 06:38  335784  ----a-w-  c:\windows\system32\drivers\mfewfpk.sys
    2012-06-22 06:36 . 2012-06-22 06:36  752672  ----a-w-  c:\windows\system32\drivers\mfehidk.sys
    2012-06-22 06:34 . 2012-06-22 06:34  169320  ----a-w-  c:\windows\system32\drivers\mfeapfk.sys
    2012-06-09 05:43 . 2012-07-11 23:35  14172672  ----a-w-  c:\windows\system32\shell32.dll
    2012-06-06 06:06 . 2012-07-11 23:35  2004480  ----a-w-  c:\windows\system32\msxml6.dll
    2012-06-06 06:06 . 2012-07-11 23:35  1881600  ----a-w-  c:\windows\system32\msxml3.dll
    2012-06-06 06:02 . 2012-07-11 23:35  1133568  ----a-w-  c:\windows\system32\cdosys.dll
    2012-06-06 05:05 . 2012-07-11 23:35  1390080  ----a-w-  c:\windows\SysWow64\msxml6.dll
    2012-06-06 05:05 . 2012-07-11 23:35  1236992  ----a-w-  c:\windows\SysWow64\msxml3.dll
    2012-06-06 05:03 . 2012-07-11 23:35  805376  ----a-w-  c:\windows\SysWow64\cdosys.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="e:\program files (x86)\SUPERAntiSpyware.exe" [2012-07-09 5661056]
    "RoboForm"="c:\program files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2012-08-30 96056]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
    "Lycosa"="c:\program files (x86)\Razer\Lycosa\razerhid.exe" [2010-04-13 238592]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-06-21 1527896]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages  REG_MULTI_SZ  kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-19 250056]
    R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.364.0\SeaPort.exe [2012-02-20 240408]
    R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 196440]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-06-22 106112]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;e:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-04 113120]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 pbfilter;pbfilter;e:\program files\PeerBlock\pbfilter.sys [2010-11-06 24176]
    R3 Razerlow;Razer Pro|Solutions;c:\windows\system32\drivers\DB3G.sys [2005-11-07 21120]
    R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 usbet;USB 2.0 PC CAMERA;c:\windows\system32\DRIVERS\ETdrv.sys [2009-12-10 181248]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-24 1255736]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 306416]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-06-22 335784]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-04 834544]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 SASDIFSV;SASDIFSV;e:\program files (x86)\SASDIFSV64.SYS [2011-07-22 14928]
    S1 SASKUTIL;SASKUTIL;e:\program files (x86)\SASKUTIL64.SYS [2011-07-12 12368]
    S2 !SASCORE;SAS Core Service;e:\program files (x86)\SASCORE64.EXE [2011-08-11 140672]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
    S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.364.0\BBSvc.exe [2012-02-20 193816]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~2\mcafee\SITEAD~1\mcsacore.exe [2012-06-15 103472]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-05-11 200728]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-05-11 200728]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-06-22 218320]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-06-22 177144]
    S2 pcapsvc;ProxyCap Service;e:\program files\Proxy Labs\ProxyCap\pcapsvc.exe [2011-10-09 1850368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-06-22 69672]
    S3 Lycosa;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2009-09-30 20352]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-06-22 513456]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-01 187392]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-01 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 13:17]
    .
    2012-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3815836669-2017180766-4137048338-1000Core.job
    - c:\users\DE\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-30 20:22]
    .
    2012-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3815836669-2017180766-4137048338-1000UA.job
    - c:\users\DE\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-30 20:22]
    .
    2012-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3815836669-2017180766-4137048338-1006Core.job
    - c:\users\Irene\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-12 18:54]
    .
    2012-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3815836669-2017180766-4137048338-1006UA.job
    - c:\users\Irene\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-12 18:54]
    .
    2012-08-31 c:\windows\Tasks\Norton Security Scan for DE.job
    - c:\progra~2\NORTON~2\Engine\361~1.11\Nss.exe [2012-01-02 01:45]
    .
    2012-09-01 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 26cbab1b-6213-468a-9c75-db1b663b4e73.job
    - e:\program files (x86)\SASTask.exe [2011-05-04 17:52]
    .
    2012-09-01 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 836c1c79-854f-4430-bb4e-36d8de7ef8f9.job
    - e:\program files (x86)\SASTask.exe [2011-05-04 17:52]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-08-21 09:11  133400  ----a-w-  c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
    IE: Customize Menu - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - e:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: Free YouTube Download - c:\users\DE\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
    IE: Free YouTube to MP3 Converter - c:\users\DE\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    IE: Save Forms - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: Se&nd to OneNote - e:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: Show avast! EasyPass Toolbar - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    LSP: pcapwsp.dll
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\DE\AppData\Roaming\Mozilla\Firefox\Profiles\k5ta0gia.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
    FF - user.js: extentions.y2layers.installId - 04264f49-2fcd-425d-912c-2dea6dd45e54
    FF - user.js: extentions.y2layers.defaultEnableAppsList - DropDownDeals,ezLooker,pagerage,buzzdock,toprelatedtopics,twittube
    FF - user.js: extensions.autoDisableScopes - 14
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKLM-Run-DRPU PC Data Manager(Basic) - e:\program files (x86)\DRPU PC Data Manager(Basic)\pcdm.exe
    AddRemove-Battlelog Web Plugins - c:\program files (x86)\Battlelog Web Plugins\uninstall.exe
    AddRemove-DelinvFile_is1 - e:\purgeie\unins000.exe
    AddRemove-facemoods - c:\program files (x86)\facemoods.com\facemoods\1.4.17.6\uninstall.exe
    AddRemove-McAfee Virtual Technician - c:\program files (x86)\McAfee\Supportability\MVT\MVTInstaller.exe
    AddRemove-{44F2B651-A86A-4B6C-8563-07B66F00F8F8}_is1 - e:\program files (x86)\BRC\unins000.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3815836669-2017180766-4137048338-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:88,4e,21,7b,80,b1,72,d1,49,58,38,59,64,d6,4d,db,9e,02,12,56,89,65,d3,
    ba,ce,46,11,96,64,a0,8a,a7,fe,e3,68,1d,d3,a2,ff,97,71,a9,5d,67,3f,ea,11,87,\
    "??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
    .
    [HKEY_USERS\S-1-5-21-3815836669-2017180766-4137048338-1000\Software\SecuROM\License information*]
    "datasecu"=hex:ec,fd,cc,1f,ac,cc,0c,2a,24,d4,d9,74,c7,8e,0f,7c,fe,1e,97,fa,bd,
    bb,c8,73,c6,1f,9b,9c,67,1a,e8,86,dc,94,d6,1d,ca,81,c1,b4,1a,69,97,42,1a,2c,\
    "rkeysecu"=hex:bb,a2,48,fa,e7,47,1f,62,27,5b,a1,df,eb,a4,4d,7f
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Windows Live\Family Safety\fsssvc.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    c:\windows\SysWOW64\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-01 13:42:35 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-01 12:42
    .
    Pre-Run: 151,668,912,128 bytes free
    Post-Run: 153,610,903,552 bytes free
    .
    - - End Of File - - 5CF46D7D0A88B854487FA6131755CA37

    ========================================================================================

    # AdwCleaner v2.000 - Logfile created 09/01/2012 at 13:48:40
    # Updated 30/08/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : DE - DEANS-COMP
    # Boot Mode : Normal
    # Running from : C:\Users\DE\Downloads\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
    File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\fcmdSrch.xml
    File Deleted : C:\Users\DE\AppData\Roaming\Mozilla\Firefox\Profiles\k5ta0gia.default\searchplugins\daemon-search.xml
    Folder Deleted : C:\Program Files (x86)\DAEMON Tools Toolbar
    Folder Deleted : C:\Program Files (x86)\Yontoo
    Folder Deleted : C:\ProgramData\BabylonUpdater
    Folder Deleted : C:\ProgramData\InstallMate
    Folder Deleted : C:\ProgramData\Premium
    Folder Deleted : C:\ProgramData\Tarma Installer
    Folder Deleted : C:\Users\DE\AppData\LocalLow\boost_interprocess
    Folder Deleted : C:\Users\DE\AppData\LocalLow\facemoods.com
    Folder Deleted : C:\Users\Irene\AppData\LocalLow\facemoods.com

    ***** [Registry] *****

    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Deleted : HKCU\Software\Softonic
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}
    Key Deleted : HKLM\Software\Babylon
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{AD25754E-D76C-42B3-A335-2F81478B722F}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj
    Key Deleted : HKLM\SOFTWARE\Classes\DTToolbar.ToolBandObj.1
    Key Deleted : HKLM\SOFTWARE\Classes\esrv.escrtSrvc
    Key Deleted : HKLM\SOFTWARE\Classes\esrv.escrtSrvc.1
    Key Deleted : HKLM\SOFTWARE\Classes\facemoods.xtrnl
    Key Deleted : HKLM\SOFTWARE\Classes\facemoods.xtrnl.1
    Key Deleted : HKLM\SOFTWARE\Classes\facemoodsApp.appCore
    Key Deleted : HKLM\SOFTWARE\Classes\facemoodsApp.appCore.1
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{12A5F606-B1EC-474C-83ED-95E99FD8058E}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
    Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
    Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\Software\facemoods.com
    Key Deleted : HKLM\Software\Iminent
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Deleted : HKLM\Software\SweetIm
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{99066096-8989-4612-841F-621A01D54AD7}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A5B99E41-E157-4209-8AAC-DB003A816079}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AD20D01C-C939-4DD2-8C55-56935A48987E}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DDE2C74F-58CC-4D71-8CE1-09DEBB8CFB78}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E95EAD3F-18C6-4304-9DC6-BD6FD8E11D37}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ihflimipbcaljfnojhhknppphnnciiif
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FFDF9EF3-3C3A-4F05-9A6E-5D3B778EC567}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\facemoods
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{542FA950-C57A-4E17-B3E1-D935DFE15DEE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5B035F86-41B5-40F1-AAAD-3D219F30244E}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6365AC7B-9920-4D8B-AF5D-3BDFEAC340A8}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6A934270-717F-4BC3-BA59-BC9BED47A8D2}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{74C012C4-00FB-4F04-9AFB-4AD5449D2018}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79B13431-CCAC-4097-8889-D0289E5E924F}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8C8D5C57-3CAD-4CF9-BCAD-F873678DA883}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{981334CB-7B8B-431F-B86D-67B7426B125B}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C1C2FC43-F042-4F17-AEDB-C5ABF3B42E4B}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F7EC6286-297C-4981-9DCC-FD7F57BC24C9}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{32099AAC-C132-4136-9E9A-4E364A424E17}]
    Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{32099AAC-C132-4136-9E9A-4E364A424E17}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

    -\\ Mozilla Firefox v14.0.1 (en-GB)

    Profile name : default
    File : C:\Users\DE\AppData\Roaming\Mozilla\Firefox\Profiles\k5ta0gia.default\prefs.js

    C:\Users\DE\AppData\Roaming\Mozilla\Firefox\Profiles\k5ta0gia.default\user.js ... Deleted !

    Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
    Deleted : user_pref("browser.search.defaultenginename", "Facemoods Search");
    Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
    Deleted : user_pref("extensions.BabylonToolbar.bbDpng", 22);
    Deleted : user_pref("extensions.BabylonToolbar.firstRun", false);
    Deleted : user_pref("extensions.BabylonToolbar.lastActv", "22");
    Deleted : user_pref("extensions.BabylonToolbar.lastDP", 22);
    Deleted : user_pref("extensions.BabylonToolbar.lastVrsnTs", "1.4.31.223:50:42");
    Deleted : user_pref("extensions.facemoods.aflt", "_#ironto");
    Deleted : user_pref("extensions.facemoods.firstRun", false);
    Deleted : user_pref("extensions.facemoods.lastActv", "22");

    Profile name : default
    File : C:\Users\Irene\AppData\Roaming\Mozilla\Firefox\Profiles\oigotn3k.default\prefs.js

    [OK] File is clean.

    -\\ Google Chrome v21.0.1180.83

    File : C:\Users\DE\AppData\Local\Google\Chrome\User Data\DEfault\Preferences

    [OK] File is clean.

    *************************

    AdwCleaner[R1].txt - [12885 octets] - [01/09/2012 12:22:40]
    AdwCleaner[S1].txt - [11266 octets] - [01/09/2012 13:48:40]

    ########## EOF - C:\AdwCleaner[S1].txt - [11327 octets] ##########
  8. BigWezz

    BigWezz Newcomer, in training Topic Starter Posts: 17

    Oh yeah, I forgot to say: when I ran ComboFix it said that McAfee was still running, but I had shut it off and killed it in the Processes tab of Task Manager. If you need me to run ComboFix again, I can uninstall McAfee if needed.

    Thanks
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good job, and no problem there for McAfee. Please do the following:

    1. ComboFix re-run
    • Close any open browsers.
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Open notepad and copy/paste the text in the box below into it:
    • Save this as CFScript.txt, in the same location as ComboFix.exe

      [IMG]
    • Referring to the picture above, drag CFScript into ComboFix.exe
    • When finished, it shall produce a log for you at C:\ComboFix.txt
    • Please post the contents of the log in your next reply.
    2. Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
    Make sure to post these logs for my review:
    • ComboFix log
    • ESET Scan log
    Also, let me know how your computer is running.

    Thanks! :)
  10. BigWezz

    BigWezz Newcomer, in training Topic Starter Posts: 17

    Wow, that was one long scan! Here are the logs as per request.

    ComboFix 12-08-31.08 - DE 01/09/2012 19:37:04.2.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.8187.6783 [GMT 1:00]
    Running from: c:\users\DE\Desktop\ComboFix.exe
    Command switches used :: c:\users\DE\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {ADA629C7-7F48-5689-624A-3B76997E0892}
    FW: McAfee Firewall *Enabled* {959DA8E2-3527-57D1-4915-924367AD4FE9}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {16C7C823-5972-5907-58FA-0004E2F9422F}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\DE\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
    c:\windows\assembly\GAC_32\Desktop.ini
    c:\windows\assembly\GAC_64\Desktop.ini
    .
    Infected copy of c:\windows\SysWow64\userinit.exe was found and disinfected
    Restored copy from - c:\windows\erdnt\cache86\userinit.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-01 to 2012-09-01 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-01 18:48 . 2012-09-01 18:48 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
    2012-09-01 18:48 . 2012-09-01 18:48 -------- d-----w- c:\users\Irene\AppData\Local\temp
    2012-09-01 18:48 . 2012-09-01 18:48 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-08-31 21:14 . 2012-08-31 21:14 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-08-30 21:32 . 2012-08-30 21:32 -------- d-----w- c:\users\DE\AppData\Roaming\RoboForm
    2012-08-30 21:30 . 2012-08-30 21:30 -------- d-----w- c:\programdata\RoboForm
    2012-08-30 21:30 . 2012-08-30 21:30 -------- d-----w- c:\program files (x86)\Siber Systems
    2012-08-30 21:30 . 2012-08-21 09:13 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-08-30 21:30 . 2012-08-21 09:13 359464 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-08-30 21:29 . 2012-08-21 09:13 54072 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2012-08-30 21:29 . 2012-08-21 09:13 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-08-30 21:29 . 2012-08-21 09:13 969200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-08-30 21:29 . 2012-08-21 09:13 71600 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-08-30 21:29 . 2012-08-21 09:12 285328 ----a-w- c:\windows\system32\aswBoot.exe
    2012-08-30 21:29 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
    2012-08-30 21:29 . 2012-08-21 09:12 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-08-30 21:29 . 2012-08-30 21:29 -------- d-----w- c:\programdata\AVAST Software
    2012-08-30 21:29 . 2012-08-30 21:29 -------- d-----w- c:\program files\AVAST Software
    2012-08-30 00:58 . 2012-08-30 00:58 -------- d-----w- c:\users\DE\AppData\Roaming\SUPERAntiSpyware.com
    2012-08-30 00:58 . 2012-08-30 00:58 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2012-08-30 00:34 . 2012-08-30 00:47 16200 ----a-w- c:\windows\stinger.sys
    2012-08-30 00:34 . 2012-08-30 01:38 -------- d-----w- c:\program files (x86)\stinger
    2012-08-29 22:26 . 2012-04-20 15:40 196440 ----a-w- c:\windows\system32\drivers\HipShieldK.sys
    2012-08-29 22:26 . 2012-06-22 06:37 10288 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2012-08-29 22:26 . 2012-08-29 22:26 -------- d-----w- c:\program files (x86)\Common Files\McAfee
    2012-08-29 22:26 . 2012-06-22 06:40 69672 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2012-08-29 22:26 . 2012-06-22 06:36 106112 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2012-08-29 22:26 . 2012-06-22 06:35 513456 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2012-08-29 22:26 . 2012-06-22 06:34 300392 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2012-08-29 22:26 . 2012-08-29 22:26 -------- d-----w- c:\program files\McAfee
    2012-08-29 22:15 . 2012-08-29 22:26 -------- d-----w- c:\program files\Common Files\McAfee
    2012-08-29 22:15 . 2012-09-01 10:44 -------- d-----w- c:\program files (x86)\McAfee
    2012-08-29 22:00 . 2012-06-22 06:38 177144 ----a-w- c:\windows\system32\mfevtps.exe
    2012-08-29 22:00 . 2012-08-30 01:26 -------- d-----w- c:\programdata\McAfee
    2012-08-29 21:35 . 2012-08-29 21:35 -------- d-----w- c:\users\DE\AppData\Roaming\McAfee
    2012-08-25 13:14 . 2012-08-25 13:14 -------- d-----w- c:\program files (x86)\Microsoft Games
    2012-08-21 21:51 . 2012-08-21 21:51 -------- d-----w- c:\users\DE\AppData\Local\CrashRpt
    2012-08-17 21:24 . 2012-08-17 21:24 -------- d-----w- c:\users\DE\AppData\Local\Macromedia
    2012-08-15 20:39 . 2012-05-05 08:36 503808 ----a-w- c:\windows\system32\srcore.dll
    2012-08-15 20:39 . 2012-05-05 07:46 43008 ----a-w- c:\windows\SysWow64\srclient.dll
    2012-08-15 20:39 . 2012-07-18 18:15 3148800 ----a-w- c:\windows\system32\win32k.sys
    2012-08-15 20:39 . 2012-07-04 22:13 59392 ----a-w- c:\windows\system32\browcli.dll
    2012-08-15 20:39 . 2012-07-04 22:13 136704 ----a-w- c:\windows\system32\browser.dll
    2012-08-15 20:39 . 2012-07-04 22:16 73216 ----a-w- c:\windows\system32\netapi32.dll
    2012-08-15 20:39 . 2012-07-04 21:14 41984 ----a-w- c:\windows\SysWow64\browcli.dll
    2012-08-15 20:39 . 2012-02-11 06:43 751104 ----a-w- c:\windows\system32\win32spl.dll
    2012-08-15 20:39 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
    2012-08-15 20:39 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
    2012-08-15 20:39 . 2012-02-11 05:43 492032 ----a-w- c:\windows\SysWow64\win32spl.dll
    2012-08-15 20:39 . 2012-05-14 05:26 956928 ----a-w- c:\windows\system32\localspl.dll
    2012-08-04 17:39 . 2012-08-29 22:09 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-09-01 16:42 . 2011-09-24 14:35 280792 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2012-09-01 16:42 . 2011-02-05 22:53 280792 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2012-09-01 16:39 . 2011-02-05 22:53 280856 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
    2012-08-23 08:26 . 2012-08-28 17:46 9310152 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A8C074BD-4440-4832-A19C-438A80B60A8D}\mpengine.dll
    2012-08-19 13:17 . 2012-04-15 10:13 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-19 13:17 . 2011-05-23 09:29 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-08-16 00:27 . 2010-11-24 14:42 62134624 ----a-w- c:\windows\system32\MRT.exe
    2012-07-03 12:46 . 2011-12-10 13:47 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-22 06:38 . 2012-06-22 06:38 335784 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2012-06-22 06:36 . 2012-06-22 06:36 752672 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2012-06-22 06:34 . 2012-06-22 06:34 169320 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2012-06-09 05:43 . 2012-07-11 23:35 14172672 ----a-w- c:\windows\system32\shell32.dll
    2012-06-06 06:06 . 2012-07-11 23:35 2004480 ----a-w- c:\windows\system32\msxml6.dll
    2012-06-06 06:06 . 2012-07-11 23:35 1881600 ----a-w- c:\windows\system32\msxml3.dll
    2012-06-06 06:02 . 2012-07-11 23:35 1133568 ----a-w- c:\windows\system32\cdosys.dll
    2012-06-06 05:05 . 2012-07-11 23:35 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
    2012-06-06 05:05 . 2012-07-11 23:35 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
    2012-06-06 05:03 . 2012-07-11 23:35 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-09-01_12.37.02 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-07-14 04:54 . 2012-09-01 12:38 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-09-01 18:52 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-11-24 14:35 . 2012-09-01 16:35 56452 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2012-09-01 18:51 33458 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2010-11-24 13:43 . 2012-09-01 18:51 23460 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3815836669-2017180766-4137048338-1000_UserData.bin
    + 2010-11-24 12:49 . 2012-09-01 18:50 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-11-24 12:49 . 2012-09-01 12:36 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-11-24 12:49 . 2012-09-01 12:36 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-11-24 12:49 . 2012-09-01 18:50 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2012-09-01 12:36 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-09-01 18:50 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2012-09-01 18:49 . 2012-09-01 18:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2012-09-01 12:36 . 2012-09-01 12:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-09-01 18:49 . 2012-09-01 18:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-09-01 12:36 . 2012-09-01 12:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-07-14 04:54 . 2012-09-01 12:38 655360 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-09-01 18:52 655360 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-09-01 18:52 163840 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2012-09-01 12:38 163840 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-11-28 02:01 . 2012-09-01 18:23 467924 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
    - 2009-07-14 05:01 . 2012-09-01 12:35 470340 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2012-09-01 18:48 470340 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2010-11-26 17:23 . 2012-09-01 18:49 29968228 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3815836669-2017180766-4137048338-1000-8192.dat
    - 2010-11-26 17:23 . 2012-09-01 12:35 29968228 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3815836669-2017180766-4137048338-1000-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="e:\program files (x86)\SUPERAntiSpyware.exe" [2012-07-09 5661056]
    "RoboForm"="c:\program files (x86)\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2012-08-30 96056]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-22 402432]
    "Lycosa"="c:\program files (x86)\Razer\Lycosa\razerhid.exe" [2010-04-13 238592]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-06-21 1527896]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    McAfee Security Scan Plus.lnk - c:\program files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-17 272528]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-05-15 1262400]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-19 250056]
    R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.364.0\SeaPort.exe [2012-02-20 240408]
    R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys [2012-04-20 196440]
    R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe [2011-06-17 237008]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-06-22 106112]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;e:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-08-04 113120]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 pbfilter;pbfilter;e:\program files\PeerBlock\pbfilter.sys [2010-11-06 24176]
    R3 Razerlow;Razer Pro|Solutions;c:\windows\system32\drivers\DB3G.sys [2005-11-07 21120]
    R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 usbet;USB 2.0 PC CAMERA;c:\windows\system32\DRIVERS\ETdrv.sys [2009-12-10 181248]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-24 1255736]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 306416]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-06-22 335784]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-12-04 834544]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 SASDIFSV;SASDIFSV;e:\program files (x86)\SASDIFSV64.SYS [2011-07-22 14928]
    S1 SASKUTIL;SASKUTIL;e:\program files (x86)\SASKUTIL64.SYS [2011-07-12 12368]
    S2 !SASCORE;SAS Core Service;e:\program files (x86)\SASCORE64.EXE [2011-08-11 140672]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-08-21 71600]
    S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.364.0\BBSvc.exe [2012-02-20 193816]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~2\mcafee\SITEAD~1\mcsacore.exe [2012-06-15 103472]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-05-11 200728]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2012-05-11 200728]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-06-22 218320]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-06-22 177144]
    S2 pcapsvc;ProxyCap Service;e:\program files\Proxy Labs\ProxyCap\pcapsvc.exe [2011-10-09 1850368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-05-15 382272]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-06-22 69672]
    S3 Lycosa;Lycosa Keyboard;c:\windows\system32\drivers\Lycosa.sys [2009-09-30 20352]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-06-22 513456]
    S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2012-04-18 188736]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-03-01 187392]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-01 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-15 13:17]
    .
    2012-08-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3815836669-2017180766-4137048338-1000Core.job
    - c:\users\DE\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-30 20:22]
    .
    2012-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3815836669-2017180766-4137048338-1000UA.job
    - c:\users\DE\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-30 20:22]
    .
    2012-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3815836669-2017180766-4137048338-1006Core.job
    - c:\users\Irene\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-12 18:54]
    .
    2012-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3815836669-2017180766-4137048338-1006UA.job
    - c:\users\Irene\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-12 18:54]
    .
    2012-08-31 c:\windows\Tasks\Norton Security Scan for DE.job
    - c:\progra~2\NORTON~2\Engine\361~1.11\Nss.exe [2012-01-02 01:45]
    .
    2012-09-01 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 26cbab1b-6213-468a-9c75-db1b663b4e73.job
    - e:\program files (x86)\SASTask.exe [2011-05-04 17:52]
    .
    2012-09-01 c:\windows\Tasks\SUPERAntiSpyware Scheduled Task 836c1c79-854f-4430-bb4e-36d8de7ef8f9.job
    - e:\program files (x86)\SASTask.exe [2011-05-04 17:52]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-08-21 09:11	133400	----a-w-	c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
    IE: Customize Menu - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - e:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: Free YouTube Download - c:\users\DE\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubedownload.htm
    IE: Free YouTube to MP3 Converter - c:\users\DE\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
    IE: Save Forms - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: Se&nd to OneNote - e:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    IE: Show avast! EasyPass Toolbar - file://c:\program files (x86)\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    LSP: pcapwsp.dll
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\DE\AppData\Roaming\Mozilla\Firefox\Profiles\k5ta0gia.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-DAEMON Tools Toolbar - c:\program files (x86)\DAEMON Tools Toolbar\uninst.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3815836669-2017180766-4137048338-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:88,4e,21,7b,80,b1,72,d1,49,58,38,59,64,d6,4d,db,9e,02,12,56,89,65,d3,
    ba,ce,46,11,96,64,a0,8a,a7,fe,e3,68,1d,d3,a2,ff,97,71,a9,5d,67,3f,ea,11,87,\
    "??"=hex:69,6f,5c,46,6a,89,f9,ee,2d,48,e0,10,87,42,1e,12
    .
    [HKEY_USERS\S-1-5-21-3815836669-2017180766-4137048338-1000\Software\SecuROM\License information*]
    "datasecu"=hex:ec,fd,cc,1f,ac,cc,0c,2a,24,d4,d9,74,c7,8e,0f,7c,fe,1e,97,fa,bd,
    bb,c8,73,c6,1f,9b,9c,67,1a,e8,86,dc,94,d6,1d,ca,81,c1,b4,1a,69,97,42,1a,2c,\
    "rkeysecu"=hex:bb,a2,48,fa,e7,47,1f,62,27,5b,a1,df,eb,a4,4d,7f
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Windows Live\Family Safety\fsssvc.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    c:\windows\SysWOW64\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2012-09-01 19:56:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-01 18:56
    ComboFix2.txt 2012-09-01 12:42
    .
    Pre-Run: 153,029,861,376 bytes free
    Post-Run: 152,717,008,896 bytes free
    .
    - - End Of File - - D673EF9AF605E4E2F5D2C5B00CFAB57D

    =================================================================================================

    ESET-Scan-Log

    C:\ProgramData\Spybot - Search & Destroy\Recovery\ToolbarFacemood77.zip	Win32/Bagle.gen.zip worm	cleaned by deleting - quarantined
    C:\Users\DE\Downloads\Unlocker1.9.1-x64.exe	a variant of Win32/Toolbar.Babylon application	cleaned by deleting - quarantined
    Thanks!!
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  12. BigWezz

    BigWezz Newcomer, in training Topic Starter Posts: 17

    Hey bud!

    The computer seems fairly stable at the moment bar one thing, McAfee can't start. I get this error message;

    "The application was unable to start correctly (0xc000009a). Click OK to close the application"

    I haven't googled the error code as of yet as I wanted you to give me the nod to do so or tell me if it's still maybe infected.

    To be fair the long and short of all of this started with McAfee's firewall not switching on. On the main menu screen it said it was on but when I went to the firewall settings it said it was off and it wouldn't turn on. I did some hunting on the internet and asking my friends and one suggested it might be a rootkit messing around with it. I did a scan with Avast! (as advised by friends) and it found a rootkit called ZeroAccess. So I did a boot scan and it didn't mention anything about ZeroAccess but did find win32:sirefef-PL and a trojan (I think it said it was a trojan) called Win32:Agent-XIE. I haven't done any other scans bar the ones you've asked me to do, I haven't really read the logs as I have no clue what I'm looking for so I don't know if ZeroAccess and that Win32:Agent-XIE are still lurking around in the depths of the computer.

    But other than having a load of scan logs and other things on the desktop all seems like normal. Though that said even with those things that came up in the scan I didn't notice any real change when they were infecting the pc, is that normal?

    And to answer your other bullet points, the pc is at its normal speed, no error messages bar the one above, no fake error messages from Avast! I believe, svchost.exe isn't in the process list :S and no crashes or blue screens fortunately.

    Thank you as always!

    p.s. sorry for the novel there^ :p
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    ZeroAccess problems disable firewalls and Windows Updates, and other things it shouldn't mess with.

    Do you have both Avast and McAfee programs installed?

    For the McAfee error(s), it is best just to fully remove McAfee program and reinstall it. Just make sure to have the license key written down first. :)

    Let me know about the antivirus situation, of which ones you have installed, before we continue here...
     
  14. BigWezz

    BigWezz Newcomer, in training Topic Starter Posts: 17

    Hey again,

    I do have Avast! and McAfee installed but only got Avast! on recommendation from a friend saying my comp might have had a rootkit on it and that Avast! could find it with the boot scan.

    So do you want me to remove/re-install McAfee then we can continue or did you just need to know what I had installed at the moment?

    Obediently awaiting instructions :)
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    We'll continue disinfection. If you paid for McAfee, I'd rather see you keep it over Avast.

    Uninstalling AVAST software as described here:
    • Download aswClear.exe on your desktop
    • Start Windows in Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    • Open (execute) the uninstall utility
    • If you installed avast! in a different folder than the default, browse for it. (Note: Be careful! The content of any folder you choose will be deleted!)
    • Click REMOVE
    • Restart your computer
    Let me know how it went, and let me know if McAfee's firewall function is working...
  16. BigWezz

    BigWezz Newcomer, in training Topic Starter Posts: 17

    Hi again bud!

    Just to keep you updated I haven't done the aswClear yet as I have been mad busy at work this week but I will start it on Saturday morning as tomorrow is another busy work day. But super thanks for your continued support. We'll smash this damn rootkit!

    Thanks!
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    You're welcome. Look forward to your return.
  18. BigWezz

    BigWezz Newcomer, in training Topic Starter Posts: 17

    Hey DragonMasterJay!

    I removed McAfee and reinstalled it but it kicked up 4 error messages when installing and won't even run, although McAfee Security Scan Plus works ok (separate application). The error messages were all the same but for different .exe files;

    mcagent.exe
    The application was unable to start correctly (0xc000009a). Click OK to close the application
    mcods.exe
    The application was unable to start correctly (0xc000009a). Click OK to close the application
    McInsUpd.exe (this one popped up twice)
    The application was unable to start correctly (0xc000009a). Click OK to close the application

    I tried to reinstall McAfee before I removed Avast! so that my comp wasn't left with no protection, but if you meant for me to remove Avast first then reinstall McAfee I'll get right on it. Sorry if I've done it the wrong way around here :S

    Thanks as always!!
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    McAfee's program needs to be completely removed just like aswClear would do for Avast...

    Please download and run MCPR.exe
    1. Download the removal tool from: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
    2. Click Save and save the file to a folder on your computer.
    3. Navigate to the folder where the file was saved.
    4. Make sure all McAfee windows are closed.
    5. Double-click MCPR.exe to run the removal tool.

      NOTE: Windows Vista and 7 users must right-click MCPR.exe and select Run as Administrator.
    6. Restart your computer after receiving the message CleanUp Successful.
      Your McAfee product will not be fully removed until the system is restarted.
  20. BigWezz

    BigWezz Newcomer, in training Topic Starter Posts: 17

    Hi again

    I did remove McAfee how you told me to with the MCPR.exe and restarted and all, re-installed but got the same error messages as my last post, and McAfee can't start, it throws up;

    mcagent.exe
    The application was unable to start correctly (0xc000009a). Click OK to close the application

    Could Avast be interfering with the installation or a virus or the same rootkit? I haven't removed Avast yet as like I said I didn't really want to go with no protection or should I just remove Avast, then remove McAfee again and try to re-install it again?

    Thanks!
  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    If Avast wasn't disabled (should've made this clear earlier), then it may have interfered with driver removal of McAfee's software.

    Please disable Avast and try the tool one more time.

    (Right-click on Avast icon and mouseover avast! shields control, and hit Disable until computer is restarted)
  22. BigWezz

    BigWezz Newcomer, in training Topic Starter Posts: 17

    Hey again

    Ok, really strange now, McAfee seemed to repair itself and is working fine with the firewall up and no warning popping up or anything. So that's good I believe?

    Avast is now gone with the remover you told me to download and all seems fine so far.

    Thanks
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hi! If there are no more issues, then we shall finish up!

    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name I.e. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop down box select your main drive I.e. C
    • For a few moments the system will make some calculations:
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
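    The two restore-point steps in the post above (create a fresh "Clean" point, then purge every older one, which is what Disk Cleanup's "Clean up" button does) as an added PowerShell example; this is not part of Jay's instructions or any tool he names. It assumes an elevated prompt on Windows 7 and that C: is the system drive.

    ```powershell
    # Added example, not from the thread: restore-point cleanup from an elevated
    # PowerShell prompt instead of the Control Panel dialogs.
    # Assumptions: Windows 7 (PowerShell 2.0 or later), C: is the system drive.

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as Administrator) PowerShell window.'
    }

    $drive = 'C:\'   # assumption: the drive Disk Cleanup was pointed at in the post

    # Step 1: make sure System Protection is on for the drive, then create the
    # new point named "Clean", as the post does through System Protection > Create.
    Enable-ComputerRestore -Drive $drive
    Checkpoint-Computer -Description 'Clean' -RestorePointType 'MODIFY_SETTINGS'

    # Show what exists now; the highest sequence number should be the "Clean" point.
    Get-ComputerRestorePoint |
        Sort-Object SequenceNumber |
        Format-Table SequenceNumber, CreationTime, Description -AutoSize

    # Step 2: Disk Cleanup's "Clean up" under System Restore and Shadow Copies keeps
    # only the most recent restore point. Each restore point lives in a VSS shadow
    # copy, so delete the oldest shadow copy until a single point remains.
    # The counter guards against looping forever if a deletion silently fails.
    $volume   = $drive.TrimEnd('\')       # vssadmin expects C: not C:\
    $attempts = 0
    while (((Get-ComputerRestorePoint | Measure-Object).Count -gt 1) -and ($attempts -lt 50)) {
        vssadmin delete shadows /for=$volume /oldest /quiet | Out-Null
        $attempts++
    }

    # Final state: one restore point, the "Clean" one created above.
    Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
    ```

    If the loop stops with more than one point left, check the vssadmin output without /quiet; a shadow copy in use by another process cannot be deleted until it is released.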
  24. BigWezz

    BigWezz Newcomer, in training Topic Starter Posts: 17

    Hey bud!

    Sorry been working all week and this Sat, I'll be following your instructions above tomorrow (Sun)

    Thanks as normal!
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Okay, see you later.