Windows has encountered a critical error and will shutdown in one minute

Solved
By Daniel Riley
Aug 7, 2012
  1. Daniel Riley

    Daniel Riley Newcomer, in training Topic Starter Posts: 25

    Scrap that, I tried it again and it worked.
  2. Daniel Riley

    Daniel Riley Newcomer, in training Topic Starter Posts: 25

    Get the error: frst64 is not recognized as an internal or external command, operable program or batch file.
  3. Daniel Riley

    Daniel Riley Newcomer, in training Topic Starter Posts: 25

    Sorry, it's me being an ***** again.
  4. Daniel Riley

    Daniel Riley Newcomer, in training Topic Starter Posts: 25

    Scan result of Farbar Recovery Scan Tool Version: 02-09-2012 03
    Ran by SYSTEM at 03-09-2012 17:53:12
    Running from F:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001
    ==================== Registry (Whitelisted) ===================
    HKLM\...\Run: [AtherosBtStack] "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe" [613536 2010-10-27] (Atheros Commnucations)
    HKLM\...\Run: [AthBtTray] "C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe" [379040 2010-10-27] (Atheros Commnucations)
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11545192 2010-11-02] (Realtek Semiconductor)
    HKLM\...\Run: [Cmaudio8788] C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\cmicnfgp.dll,CMICtrlWnd [8151040 2009-12-08] (C-Media Corporation)
    HKLM\...\Run: [Cmaudio8788GX] C:\Windows\syswow64\HsMgr.exe Envoke [200704 2008-07-10] ()
    HKLM\...\Run: [Cmaudio8788GX64] C:\Windows\system\HsMgr64.exe Envoke [282112 2008-07-10] ()
    HKLM\...\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming [1744152 2011-10-07] (Logitech, Inc.)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
    HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-04-26] (Renesas Electronics Corporation)
    HKLM-x32\...\Run: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [375000 2009-10-26] (DeviceVM, Inc.)
    HKLM-x32\...\Run: [SSDMonitor] C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe [112600 2011-05-17] (PC Tools)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe [479232 2005-07-15] (Google Inc.)
    HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
    HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
    HKLM-x32\...\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [641664 2012-04-05] (Advanced Micro Devices, Inc.)
    HKLM-x32\...\Run: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml [10752 2012-02-20] ()
    HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462920 2012-07-03] (Malwarebytes Corporation)
    HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
    HKU\dandadandan\...\Run: [Google Update] "C:\Users\dandadandan\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2005-01-01] (Google Inc.)
    HKU\dandadandan\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
    HKU\dandadandan\...\Run: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [393216 2010-11-17] (AMD)
    Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 192.168.1.254
    Startup: C:\Users\dandadandan\Start Menu\Programs\Startup\Dropbox.lnk
    ShortcutTarget: Dropbox.lnk -> (No File)
    ==================== Services (Whitelisted) ======
    2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [655944 2012-07-03] (Malwarebytes Corporation)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
    2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [80896 2010-09-16] ()
    2 PCToolsSSDMonitorSvc; C:\Program Files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [632792 2011-05-17] (PC Tools)
    2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
    ==================== Drivers (Whitelisted) ===================
    2 atksgt; C:\Windows\System32\Drivers\atksgt.sys [314016 2011-05-24] ()
    3 cmudaxp; C:\Windows\System32\Drivers\cmudaxp.sys [1261056 2010-07-23] (C-Media Inc)
    2 lirsgt; C:\Windows\System32\Drivers\lirsgt.sys [43680 2011-05-24] ()
    3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-07-03] (Malwarebytes Corporation)
    3 MRV6X64U; C:\Windows\System32\DRIVERS\WN111x.sys [340480 2007-10-28] (Marvell Semiconductor, Inc)
    3 RTL8187B; C:\Windows\System32\Drivers\RTL8187B.sys [450048 2010-03-30] (Realtek Semiconductor Corporation )
    3 Mrvleap; C:\Windows\System32\DRIVERS\mrv64drv.sys [x]
    ==================== NetSvcs (Whitelisted) =================
    ==================== One Month Created Files and Folders ======================
    2012-09-02 13:17 - 2012-09-02 13:25 - 00000000 ____D C:\Users\dandadandan\Desktop\New folder (2)
    2012-09-02 12:54 - 2012-09-02 12:55 - 17813784 ____A (Dropbox, Inc.) C:\Users\dandadandan\Downloads\Dropbox 1.4.17.exe
    2012-09-02 09:35 - 2012-09-02 13:30 - 217370711 ____A C:\Users\dandadandan\Downloads\American Pie 1+2+3 soundtrack.rar
    2012-09-02 09:33 - 2012-09-03 17:53 - 00000000 ____D C:\FRST
    2012-09-01 08:00 - 2012-09-03 08:37 - 00000392 ____A C:\Windows\setupact.log
    2012-09-01 08:00 - 2012-09-01 08:00 - 00000000 ____A C:\Windows\setuperr.log
    2012-09-01 07:59 - 2012-09-01 07:59 - 00176940 ____A C:\Users\dandadandan\Downloads\BFE.reg
    2012-09-01 07:58 - 2012-09-01 07:58 - 00006396 ____A C:\Users\dandadandan\Downloads\MpsSvc.reg
    2012-09-01 07:46 - 2012-09-03 06:39 - 00010602 ____A C:\Windows\WindowsUpdate.log
    2012-09-01 07:43 - 2012-09-01 07:43 - 00109932 ____A C:\Users\dandadandan\Documents\cc_20120901_164317.reg
    2012-09-01 07:43 - 2012-09-01 07:43 - 00001314 ____A C:\Users\dandadandan\Documents\cc_20120901_164330.reg
    2012-09-01 07:41 - 2012-09-01 07:41 - 03927560 ____A (Piriform Ltd) C:\Users\dandadandan\Downloads\ccsetup322 (3).exe
    2012-09-01 07:41 - 2012-09-01 07:41 - 03927560 ____A (Piriform Ltd) C:\Users\dandadandan\Downloads\ccsetup322 (2).exe
    2012-09-01 07:41 - 2012-09-01 07:41 - 03927560 ____A (Piriform Ltd) C:\Users\dandadandan\Downloads\ccsetup322 (1).exe
    2012-09-01 07:41 - 2012-09-01 07:41 - 00000000 ____D C:\Program Files\CCleaner
    2012-09-01 07:40 - 2012-09-01 07:57 - 00000000 ____D C:\Users\All Users\Spybot - Search & Destroy
    2012-09-01 07:40 - 2012-09-01 07:45 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy
    2012-09-01 07:40 - 2012-09-01 07:41 - 03927560 ____A (Piriform Ltd) C:\Users\dandadandan\Downloads\ccsetup322.exe
    2012-09-01 07:39 - 2012-09-01 07:39 - 16409960 ____A (Safer Networking Limited ) C:\Users\dandadandan\Downloads\spybotsd162.exe
    2012-08-31 21:22 - 2012-08-31 21:22 - 00000000 ____D C:\Users\dandadandan\AppData\Roaming\Malwarebytes
    2012-08-31 21:22 - 2012-08-31 21:22 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-08-31 21:22 - 2012-08-31 21:22 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-08-31 21:22 - 2012-07-03 04:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-08-31 21:21 - 2012-08-31 21:21 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\dandadandan\Downloads\mbam-setup-1.62.0.1300.exe
    2012-08-19 20:33 - 2012-08-19 20:33 - 04024320 ____A C:\Program Files (x86)\GUTF6CD.tmp
    2012-08-19 20:33 - 2012-08-19 20:33 - 00000000 ____D C:\Program Files (x86)\GUMF6AD.tmp
    ==================== 3 Months Modified Files ================================
    2012-09-03 08:37 - 2012-09-01 08:00 - 00000392 ____A C:\Windows\setupact.log
    2012-09-03 08:37 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-09-03 08:04 - 2012-06-10 15:18 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-09-03 07:38 - 2005-01-01 16:25 - 00000932 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2694974181-1940623718-3779438024-1000UA.job
    2012-09-03 06:39 - 2012-09-01 07:46 - 00010602 ____A C:\Windows\WindowsUpdate.log
    2012-09-03 06:36 - 2009-07-13 20:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-09-03 06:36 - 2009-07-13 20:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-09-03 06:29 - 2011-04-05 02:40 - 00000035 ____A C:\Users\Public\Documents\AtherosServiceConfig.ini
    2012-09-02 13:30 - 2012-09-02 09:35 - 217370711 ____A C:\Users\dandadandan\Downloads\American Pie 1+2+3 soundtrack.rar
    2012-09-02 12:55 - 2012-09-02 12:54 - 17813784 ____A (Dropbox, Inc.) C:\Users\dandadandan\Downloads\Dropbox 1.4.17.exe
    2012-09-02 12:40 - 2011-05-17 19:31 - 00000278 ____A C:\Windows\Tasks\RMSchedule.job
    2012-09-02 09:48 - 2009-07-13 21:13 - 00005382 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-09-01 08:00 - 2012-09-01 08:00 - 00000000 ____A C:\Windows\setuperr.log
    2012-09-01 07:59 - 2012-09-01 07:59 - 00176940 ____A C:\Users\dandadandan\Downloads\BFE.reg
    2012-09-01 07:58 - 2012-09-01 07:58 - 00006396 ____A C:\Users\dandadandan\Downloads\MpsSvc.reg
    2012-09-01 07:43 - 2012-09-01 07:43 - 00109932 ____A C:\Users\dandadandan\Documents\cc_20120901_164317.reg
    2012-09-01 07:43 - 2012-09-01 07:43 - 00001314 ____A C:\Users\dandadandan\Documents\cc_20120901_164330.reg
    2012-09-01 07:41 - 2012-09-01 07:41 - 03927560 ____A (Piriform Ltd) C:\Users\dandadandan\Downloads\ccsetup322 (3).exe
    2012-09-01 07:41 - 2012-09-01 07:41 - 03927560 ____A (Piriform Ltd) C:\Users\dandadandan\Downloads\ccsetup322 (2).exe
    2012-09-01 07:41 - 2012-09-01 07:41 - 03927560 ____A (Piriform Ltd) C:\Users\dandadandan\Downloads\ccsetup322 (1).exe
    2012-09-01 07:41 - 2012-09-01 07:40 - 03927560 ____A (Piriform Ltd) C:\Users\dandadandan\Downloads\ccsetup322.exe
    2012-09-01 07:39 - 2012-09-01 07:39 - 16409960 ____A (Safer Networking Limited ) C:\Users\dandadandan\Downloads\spybotsd162.exe
    2012-08-31 21:21 - 2012-08-31 21:21 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\dandadandan\Downloads\mbam-setup-1.62.0.1300.exe
    2012-08-31 20:38 - 2005-01-01 16:25 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2694974181-1940623718-3779438024-1000Core.job
    2012-08-31 11:04 - 2012-06-10 15:18 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2012-08-31 11:04 - 2011-07-12 13:47 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2012-08-19 20:33 - 2012-08-19 20:33 - 04024320 ____A C:\Program Files (x86)\GUTF6CD.tmp
    2012-07-19 15:54 - 2012-07-19 15:54 - 00384844 ____A C:\Users\dandadandan\AppData\Local\funmoods-speeddial.crx
    2012-07-19 15:54 - 2012-07-19 15:54 - 00031465 ____A C:\Users\dandadandan\AppData\Local\funmoods.crx
    2012-07-19 15:54 - 2012-07-12 14:46 - 00385784 ____A (Proland Software) C:\Users\dandadandan\Downloads\cleanshutdowner.exe
    2012-07-19 13:47 - 2012-07-19 13:47 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.680C4F959CB4C10B
    2012-07-12 14:46 - 2012-07-12 14:46 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.29B93C8DF1B05AD5
    2012-07-12 14:46 - 2012-07-12 14:46 - 00000237 ____A C:\user.js
    2012-07-12 14:32 - 2012-07-12 14:32 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.CDC3BD3B51028232
    2012-07-12 14:23 - 2012-07-12 14:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DBBB9B918D6D7D6C
    2012-07-12 14:23 - 2012-07-12 14:23 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\vujioxqw.sys
    2012-07-12 14:13 - 2012-07-12 14:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.EF4DB39E3493D087
    2012-07-12 14:11 - 2012-07-12 14:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.5BB6BD836AEAA0CD
    2012-07-12 14:08 - 2012-07-12 14:08 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.F8D168A513F5846F
    2012-07-12 14:03 - 2012-07-12 14:03 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AE5BF11DBD2FB70F
    2012-07-12 14:00 - 2012-07-12 14:00 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.21EF982B30E56EED
    2012-07-12 13:55 - 2012-07-12 13:55 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D4EC0ACD8F8D58D0
    2012-07-12 13:55 - 2012-07-12 13:52 - 72334880 ____A (Microsoft Corporation) C:\Users\dandadandan\Downloads\msert.exe
    2012-07-12 13:48 - 2011-08-09 18:30 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-07-12 13:48 - 2011-04-07 12:17 - 00005348 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
    2012-07-12 13:47 - 2012-07-12 13:46 - 12621696 ____A (Microsoft Corporation) C:\Users\dandadandan\Downloads\mseinstall.exe
    2012-07-11 15:52 - 2009-07-13 20:45 - 00416088 ____A C:\Windows\System32\FNTCACHE.DAT
    2012-07-10 18:10 - 2012-07-08 06:05 - 533378739 ____A C:\Users\dandadandan\Downloads\True.Blood.S05E04.HDTV.x264-ASAP.mp4
    2012-07-10 17:37 - 2012-07-10 16:31 - 442039719 ____A C:\Users\dandadandan\Downloads\True.Blood.S05E05.HDTV.x264-ASAP.mp4
    2012-07-10 14:26 - 2011-04-05 16:18 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
    2012-07-04 10:14 - 2012-07-04 10:14 - 13764096 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticaldd.dll
    2012-07-04 10:14 - 2012-07-04 10:14 - 00514560 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atiadlxx.dll
    2012-07-04 10:14 - 2012-07-04 10:14 - 00343040 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmpag.sys
    2012-07-04 10:14 - 2012-07-04 10:14 - 00245896 ____A C:\Windows\SysWOW64\atiapfxx.blb
    2012-07-04 10:14 - 2012-07-04 10:14 - 00245896 ____A C:\Windows\System32\atiapfxx.blb
    2012-07-04 10:14 - 2012-07-04 10:14 - 00236544 ____A (AMD) C:\Windows\System32\atiesrxx.exe
    2012-07-04 10:14 - 2012-07-04 10:14 - 00204952 ____A C:\Windows\SysWOW64\ativvsvl.dat
    2012-07-04 10:14 - 2012-07-04 10:14 - 00204952 ____A C:\Windows\System32\ativvsvl.dat
    2012-07-04 10:14 - 2012-07-04 10:14 - 00120320 ____A (AMD) C:\Windows\System32\atitmm64.dll
    2012-07-04 10:14 - 2012-07-04 10:14 - 00059392 ____A (ATI Technologies, Inc.) C:\Windows\System32\atiedu64.dll
    2012-07-04 10:14 - 2012-07-04 10:14 - 00054784 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atimpc64.dll
    2012-07-04 10:14 - 2012-07-04 10:14 - 00054784 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\amdpcom64.dll
    2012-07-04 10:14 - 2012-07-04 10:14 - 00053760 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atimpc32.dll
    2012-07-04 10:14 - 2012-07-04 10:14 - 00053760 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\amdpcom32.dll
    2012-07-04 10:14 - 2012-07-04 10:14 - 00053248 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\ati2erec.dll
    2012-07-04 10:14 - 2012-07-04 10:14 - 00051200 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticalrt64.dll
    2012-07-04 10:14 - 2012-07-04 10:14 - 00021504 ____A (AMD) C:\Windows\System32\atimuixx.dll
    2012-07-04 10:14 - 2011-03-08 20:56 - 00909312 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\aticfx32.dll
    2012-07-04 10:14 - 2011-03-08 20:30 - 06203392 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdag.dll
    2012-07-04 10:14 - 2011-03-08 20:17 - 00054784 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiuxp64.dll
    2012-07-04 10:13 - 2012-07-04 10:13 - 01120768 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd6v.dll
    2012-07-04 10:13 - 2012-07-04 10:13 - 00360448 ____A (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atiadlxy.dll
    2012-07-04 10:13 - 2012-07-04 10:13 - 00159744 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atiapfxx.exe
    2012-07-04 10:13 - 2012-07-04 10:13 - 00157144 ____A C:\Windows\SysWOW64\ativvsva.dat
    2012-07-04 10:13 - 2012-07-04 10:13 - 00157144 ____A C:\Windows\System32\ativvsva.dat
    2012-07-04 10:13 - 2012-07-04 10:13 - 00095760 ____A (Advanced Micro Devices) C:\Windows\System32\Drivers\AtihdW76.sys
    2012-07-04 10:13 - 2012-07-04 10:13 - 00043520 ____A (ATI Technologies, Inc.) C:\Windows\SysWOW64\ati2edxx.dll
    2012-07-04 10:13 - 2012-07-04 10:13 - 00017408 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atig6pxx.dll
    2012-07-04 10:13 - 2011-03-08 20:48 - 06800896 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atidxx32.dll
    2012-07-04 10:13 - 2011-03-08 20:40 - 07479296 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atidxx64.dll
    2012-07-04 10:13 - 2011-03-08 20:16 - 00044544 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiu9p64.dll
    2012-07-04 10:12 - 2012-07-04 10:12 - 07431680 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd64.dll
    2012-07-04 10:12 - 2012-07-04 10:12 - 02631008 ____A C:\Windows\System32\atiumd6a.cap
    2012-07-04 10:12 - 2012-07-04 10:12 - 00442368 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\ATIDEMGX.dll
    2012-07-04 10:12 - 2012-07-04 10:12 - 00041984 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atig6txx.dll
    2012-07-04 10:12 - 2012-07-04 10:12 - 00038159 ____A C:\Windows\atiogl.xml
    2012-07-04 10:12 - 2012-07-04 10:12 - 00014848 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiglpxx.dll
    2012-07-04 10:12 - 2012-07-04 10:12 - 00014848 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiglpxx.dll
    2012-07-04 10:12 - 2012-07-04 10:12 - 00003917 ____A C:\Windows\SysWOW64\atipblag.dat
    2012-07-04 10:12 - 2012-07-04 10:12 - 00003917 ____A C:\Windows\System32\atipblag.dat
    2012-07-04 10:12 - 2012-07-04 10:11 - 04731904 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\atiumd6a.dll
    2012-07-04 10:12 - 2011-04-05 02:56 - 00064000 ____A (AMD) C:\Windows\System32\coinst.dll
    2012-07-04 10:12 - 2011-03-08 20:55 - 01067520 ____A (Advanced Micro Devices, Inc. ) C:\Windows\System32\aticfx64.dll
    2012-07-04 10:12 - 2011-03-08 20:17 - 00041984 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiuxpag.dll
    2012-07-04 10:12 - 2011-03-08 20:16 - 00032256 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiu9pag.dll
    2012-07-04 10:11 - 2012-07-04 10:11 - 01831424 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdmv.dll
    2012-07-04 10:11 - 2012-07-04 10:11 - 00503808 ____A (AMD) C:\Windows\System32\atieclxx.exe
    2012-07-04 10:11 - 2012-07-04 10:11 - 00044544 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticalcl64.dll
    2012-07-04 10:11 - 2012-07-04 10:10 - 26181632 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\atio6axx.dll
    2012-07-04 10:11 - 2012-07-04 10:10 - 16090624 ____A (Advanced Micro Devices Inc.) C:\Windows\System32\aticaldd64.dll
    2012-07-04 10:11 - 2012-07-04 10:10 - 00033280 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atigktxx.dll
    2012-07-04 10:11 - 2012-07-04 10:09 - 19753984 ____A (Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\atioglxx.dll
    2012-07-04 10:11 - 2011-03-08 19:34 - 04795904 ____A (Advanced Micro Devices, Inc. ) C:\Windows\SysWOW64\atiumdva.dll
    2012-07-04 10:10 - 2012-07-04 10:10 - 11174400 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmdag.sys
    2012-07-04 10:10 - 2012-07-04 10:10 - 00601728 ____A C:\Windows\System32\atiicdxx.dat
    2012-07-04 10:10 - 2012-07-04 10:09 - 02664704 ____A C:\Windows\SysWOW64\atiumdva.cap
    2012-07-04 10:09 - 2012-07-04 10:09 - 00046080 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalrt.dll
    2012-07-04 10:09 - 2012-07-04 10:09 - 00044032 ____A (Advanced Micro Devices Inc.) C:\Windows\SysWOW64\aticalcl.dll
    2012-07-04 09:49 - 2009-07-13 21:08 - 00032620 ____A C:\Windows\Tasks\SCHEDLGU.TXT
    2012-07-03 04:46 - 2012-08-31 21:22 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-06-26 16:31 - 2012-06-26 15:33 - 494399192 ____A C:\Users\dandadandan\Downloads\True.Blood.S05E03.HDTV.x264-ASAP.mp4
    2012-06-25 07:04 - 2012-06-25 07:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll
    2012-06-11 19:08 - 2012-07-10 14:28 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
    2012-06-08 21:43 - 2012-07-10 13:03 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
    2012-06-08 20:41 - 2012-07-10 13:03 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
    ZeroAccess:
    C:\Windows\Installer\{d62fee95-4285-3685-1e08-bb7744f9fbac}
    C:\Windows\Installer\{d62fee95-4285-3685-1e08-bb7744f9fbac}\@
    C:\Windows\Installer\{d62fee95-4285-3685-1e08-bb7744f9fbac}\L
    C:\Windows\Installer\{d62fee95-4285-3685-1e08-bb7744f9fbac}\U
    C:\Windows\Installer\{d62fee95-4285-3685-1e08-bb7744f9fbac}\U\00000001.@
    ZeroAccess:
    C:\Users\dandadandan\AppData\Local\{d62fee95-4285-3685-1e08-bb7744f9fbac}
    C:\Users\dandadandan\AppData\Local\{d62fee95-4285-3685-1e08-bb7744f9fbac}\@
    C:\Users\dandadandan\AppData\Local\{d62fee95-4285-3685-1e08-bb7744f9fbac}\L
    C:\Users\dandadandan\AppData\Local\{d62fee95-4285-3685-1e08-bb7744f9fbac}\U
    ==================== Known DLLs (Whitelisted) =================
    ==================== Bamital & volsnap Check =================
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points =========================
    Restore point made on: 2012-07-05 15:02:12
    Restore point made on: 2012-07-08 14:40:22
    Restore point made on: 2012-07-08 14:42:33
    Restore point made on: 2012-07-08 14:46:01
    Restore point made on: 2012-07-10 13:05:05
    Restore point made on: 2012-07-10 14:24:07
    Restore point made on: 2012-07-12 13:45:27
    Restore point made on: 2012-08-31 11:51:21
    Restore point made on: 2012-08-31 21:23:24
    Restore point made on: 2012-09-01 17:57:37
    Restore point made on: 2012-09-02 12:40:33
    ==================== Memory info ===========================
    Percentage of memory in use: 10%
    Total physical RAM: 8172.16 MB
    Available physical RAM: 7331.04 MB
    Total Pagefile: 8170.31 MB
    Available Pagefile: 7333.91 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.91 MB
    ==================== Partitions ============================
    1 Drive c: () (Fixed) (Total:931.41 GB) (Free:595.98 GB) NTFS
    2 Drive e: (GRMCHPXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
    3 Drive f: (Lexlar) (Removable) (Total:0.94 GB) (Free:0.9 GB) NTFS
    4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
    5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 931 GB 0 B
    Disk 1 Online 960 MB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 100 MB 1024 KB
    Partition 2 Primary 931 GB 101 MB
    ==================================================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 Y System Rese NTFS Partition 100 MB Healthy
    ==================================================================================
    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 931 GB Healthy
    ==================================================================================
    Partitions of Disk 1:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 959 MB 31 KB
    ==================================================================================
    Disk: 1
    Partition 1
    Type : 07
    Hidden: No
    Active: No
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 3 F Lexlar NTFS Removable 959 MB Healthy
    ==================================================================================
    Last Boot: 2012-08-31 11:44
    ==================== End Of Log =============================
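Added example, not from the thread and not FRST's own code: a short Python triage script that reads lines in the format FRST printed above and flags the indicators a malware helper looks for in a log like this one. It checks for a {GUID} folder under Windows\Installer or a user's AppData\Local that carries the @, L and U entries; for services.exe.<16 hex> copies piling up in System32 (what a cleaner leaves behind each time it repairs a patched services.exe); and for a driver claiming to be Microsoft's that was created in the same minute as one of those repairs. The sample log lines are constructed to mirror a handful of the entries in the post, and the three rules (and the names triage, parse_file_lines, SAMPLE_LOG) are my own heuristics, not FRST's whitelist logic.

```python
import re
from collections import defaultdict

# Constructed sample in the format FRST prints: a few entries modelled on the scan above.
SAMPLE_LOG = r"""
2012-07-19 13:47 - 2012-07-19 13:47 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.680C4F959CB4C10B
2012-07-12 14:23 - 2012-07-12 14:23 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.DBBB9B918D6D7D6C
2012-07-12 14:23 - 2012-07-12 14:23 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\vujioxqw.sys
2012-07-04 10:14 - 2012-07-04 10:14 - 00343040 ____A (Advanced Micro Devices, Inc.) C:\Windows\System32\Drivers\atikmpag.sys
2012-07-12 14:46 - 2012-07-12 14:46 - 00000237 ____A C:\user.js
ZeroAccess:
C:\Windows\Installer\{d62fee95-4285-3685-1e08-bb7744f9fbac}
C:\Windows\Installer\{d62fee95-4285-3685-1e08-bb7744f9fbac}\@
C:\Windows\Installer\{d62fee95-4285-3685-1e08-bb7744f9fbac}\L
C:\Windows\Installer\{d62fee95-4285-3685-1e08-bb7744f9fbac}\U
C:\Windows\Installer\{d62fee95-4285-3685-1e08-bb7744f9fbac}\U\00000001.@
ZeroAccess:
C:\Users\dandadandan\AppData\Local\{d62fee95-4285-3685-1e08-bb7744f9fbac}
C:\Users\dandadandan\AppData\Local\{d62fee95-4285-3685-1e08-bb7744f9fbac}\@
C:\Users\dandadandan\AppData\Local\{d62fee95-4285-3685-1e08-bb7744f9fbac}\L
C:\Users\dandadandan\AppData\Local\{d62fee95-4285-3685-1e08-bb7744f9fbac}\U
"""

# One FRST file line: "created - modified - size attrs (Company) path"; the company is optional.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+?)\s*$"
)
# services.exe followed by a 16-hex-digit suffix, as left behind by repeated repairs.
SERVICES_BACKUP = re.compile(r"\\System32\\services\.exe\.[0-9A-F]{16}$", re.I)
# A bare path whose last directory is a {GUID}, optionally with a child entry below it.
GUID_DIR = re.compile(r"^(?P<parent>[A-Za-z]:\\.+?)\\(?P<guid>\{[0-9a-f-]{36}\})(?:\\(?P<child>.+))?$", re.I)
# Parents where the @/L/U triad is the tell (MSI legitimately keeps {GUID} folders under Installer).
ZA_PARENTS = (r"\Windows\Installer", r"\AppData\Local")


def parse_file_lines(log_text):
    """Return a dict per created/modified-file line in the log."""
    return [m.groupdict() for m in (FILE_LINE.match(l.strip()) for l in log_text.splitlines()) if m]


def triage(log_text):
    """Return (path, reason) findings in the order the three rules fire."""
    findings = []
    entries = parse_file_lines(log_text)

    # Rule 1: services.exe.<16 hex> copies in System32; remember when each repair happened.
    repair_minutes = set()
    for e in entries:
        if SERVICES_BACKUP.search(e["path"]):
            repair_minutes.add(e["created"])
            findings.append((e["path"], "services.exe backup copy: a patched services.exe was repaired"))

    # Rule 2 (heuristic): a driver claiming Microsoft, created in the same minute as a repair.
    for e in entries:
        p = e["path"]
        if (p.lower().endswith(".sys") and "\\drivers\\" in p.lower()
                and (e["company"] or "").startswith("Microsoft") and e["created"] in repair_minutes):
            findings.append((p, "driver created in the same minute as a services.exe repair"))

    # Rule 3: a {GUID} folder under a ZeroAccess-style parent with @, L and U entries.
    bare = [l.strip() for l in log_text.splitlines() if re.match(r"^[A-Za-z]:\\", l.strip())]
    children = defaultdict(set)
    for path in [e["path"] for e in entries] + bare:
        m = GUID_DIR.match(path)
        if not m or not any(m.group("parent").lower().endswith(z.lower()) for z in ZA_PARENTS):
            continue
        base = m.group("parent") + "\\" + m.group("guid")
        children.setdefault(base, set())
        if m.group("child"):
            children[base].add(m.group("child").split("\\")[0])
    for base, names in children.items():
        if {"@", "L", "U"} <= names:
            findings.append((base, "ZeroAccess-style {GUID} folder with @, L and U entries"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

To run it against a real scan, pass the saved FRST.txt contents to triage() instead of SAMPLE_LOG. The third rule is the one that matters for this thread: Windows Installer keeps plenty of harmless {GUID} folders, so the script only reports a folder once the @, L and U entries are all present, which is exactly what FRST itself flagged in the log above.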
  5. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    This should fix the reboot problem:

    FRST64 Fixlist

    Please run the following:

    Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

    Now, please enter System Recovery Options then select Command Prompt.

    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Now restart, let it boot normally and tell me how it went. Let me know if you can stay in Windows without the reboot message appearing.
  6. Daniel Riley

    Daniel Riley Newcomer, in training Topic Starter Posts: 25

    OK, it restarted successfully and does not reboot. Thanks. What's next?

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 02-09-2012 03
    Ran by SYSTEM at 2012-09-05 16:31:21 Run:1
    Running from F:\

    ==============================================

    C:\Windows\Installer\{d62fee95-4285-3685-1e08-bb7744f9fbac} moved successfully.
    C:\Users\dandadandan\AppData\Local\{d62fee95-4285-3685-1e08-bb7744f9fbac} moved successfully.

    ==== End of Fixlog ====
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Great. Now, in Normal Mode, do the following:

    ComboFix

    Please download ComboFix by sUBs
    From BleepingComputer.com

    Please save the file to your Desktop, but rename it first to svchost.exe

    Important information about ComboFix

    Before the download:
    • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
    • It is important to rename ComboFix before the download.
    • Please do not rename ComboFix to other names, but only the one indicated.
    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on svchost.exe & follow the prompts.
    • It will attempt to install the Recovery Console.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
  8. Daniel Riley

    Daniel Riley Newcomer, in training Topic Starter Posts: 25

    ComboFix 12-09-06.02 - dandadandan 06/09/2012 21:32:41.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.8172.6577 [GMT 1:00]
    Running from: c:\users\dandadandan\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\chrome.manifest
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\funmoods.css
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\funmoods.xul
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\images\pref.jpg
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\arwDwn.gif
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\ae.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\bg.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\ch.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\cn.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\cz.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\de.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\eg.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\en.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\es.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\fr.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\gr.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\he.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\il.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\it.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\ja.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\jp.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\nl.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\no.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\pl.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\pt.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\ro.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\ru.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\sa.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\se.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\sv.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\tr.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\ua.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\flgs\us.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\help_16.gif
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\home.gif
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\logo.png
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\privecy_16_hot.gif
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\imgs\tellafriend.gif
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\loader.xul
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\mtstart.js
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\preferences.xul
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\content\tmplt.js
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\install.rdf
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\META-INF\le_c6a58f26_4d2d_4341_b387_c4f2289b6170.rsa
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\META-INF\le_c6a58f26_4d2d_4341_b387_c4f2289b6170.sf
    c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\extensions\ffxtlbr@funmoods.com\META-INF\manifest.mf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-08-06 to 2012-09-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-09-02 17:33 . 2012-09-04 01:53  --------  d-----w-  C:\FRST
    2012-09-01 15:41 . 2012-09-01 15:41  --------  d-----w-  c:\program files\CCleaner
    2012-09-01 15:40 . 2012-09-01 15:57  --------  d-----w-  c:\programdata\Spybot - Search & Destroy
    2012-09-01 15:40 . 2012-09-01 15:45  --------  d-----w-  c:\program files (x86)\Spybot - Search & Destroy
    2012-09-01 05:22 . 2012-09-01 05:22  --------  d-----w-  c:\users\dandadandan\AppData\Roaming\Malwarebytes
    2012-09-01 05:22 . 2012-09-01 05:22  --------  d-----w-  c:\programdata\Malwarebytes
    2012-09-01 05:22 . 2012-09-01 05:22  --------  d-----w-  c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-09-01 05:22 . 2012-07-03 12:46  24904  ----a-w-  c:\windows\system32\drivers\mbam.sys
    2012-09-01 05:22 . 2012-08-28 00:49  9310152  ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-08-20 04:33 . 2012-08-20 04:33  --------  d-----w-  c:\program files (x86)\GUMF6AD.tmp
    2012-08-20 04:33 . 2012-08-20 04:33  4024320  ----a-w-  c:\program files (x86)\GUTF6CD.tmp
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-08-31 19:04 . 2012-06-10 23:18  426184  ----a-w-  c:\windows\SysWow64\FlashPlayerApp.exe
    2012-08-31 19:04 . 2011-07-12 21:47  70344  ----a-w-  c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-19 21:47 . 2012-07-19 21:47  328704  ----a-w-  c:\windows\system32\services.exe.680C4F959CB4C10B
    2012-07-12 22:46 . 2012-07-12 22:46  328704  ----a-w-  c:\windows\system32\services.exe.29B93C8DF1B05AD5
    2012-07-12 22:32 . 2012-07-12 22:32  328704  ----a-w-  c:\windows\system32\services.exe.CDC3BD3B51028232
    2012-07-12 22:23 . 2012-07-12 22:23  50392  ----a-w-  c:\windows\system32\drivers\vujioxqw.sys
    2012-07-12 22:23 . 2012-07-12 22:23  328704  ----a-w-  c:\windows\system32\services.exe.DBBB9B918D6D7D6C
    2012-07-12 22:13 . 2012-07-12 22:13  328704  ----a-w-  c:\windows\system32\services.exe.EF4DB39E3493D087
    2012-07-12 22:11 . 2012-07-12 22:11  328704  ----a-w-  c:\windows\system32\services.exe.5BB6BD836AEAA0CD
    2012-07-12 22:08 . 2012-07-12 22:08  328704  ----a-w-  c:\windows\system32\services.exe.F8D168A513F5846F
    2012-07-12 22:03 . 2012-07-12 22:03  328704  ----a-w-  c:\windows\system32\services.exe.AE5BF11DBD2FB70F
    2012-07-12 22:00 . 2012-07-12 22:00  328704  ----a-w-  c:\windows\system32\services.exe.21EF982B30E56EED
    2012-07-12 21:55 . 2012-07-12 21:55  328704  ----a-w-  c:\windows\system32\services.exe.D4EC0ACD8F8D58D0
    2012-07-10 22:26 . 2011-04-06 00:18  59701280  ----a-w-  c:\windows\system32\MRT.exe
    2012-07-04 18:14 . 2012-07-04 18:14  13764096  ----a-w-  c:\windows\SysWow64\aticaldd.dll
    2012-07-04 18:14 . 2011-03-09 04:30  6203392  ----a-w-  c:\windows\SysWow64\atiumdag.dll
    2012-07-04 18:14 . 2012-07-04 18:14  54784  ----a-w-  c:\windows\system32\atimpc64.dll
    2012-07-04 18:14 . 2012-07-04 18:14  54784  ----a-w-  c:\windows\system32\amdpcom64.dll
    2012-07-04 18:14 . 2012-07-04 18:14  120320  ----a-w-  c:\windows\system32\atitmm64.dll
    2012-07-04 18:14 . 2012-07-04 18:14  51200  ----a-w-  c:\windows\system32\aticalrt64.dll
    2012-07-04 18:14 . 2012-07-04 18:14  236544  ----a-w-  c:\windows\system32\atiesrxx.exe
    2012-07-04 18:14 . 2012-07-04 18:14  59392  ----a-w-  c:\windows\system32\atiedu64.dll
    2012-07-04 18:14 . 2012-07-04 18:14  53248  ----a-w-  c:\windows\system32\drivers\ati2erec.dll
    2012-07-04 18:14 . 2012-07-04 18:14  343040  ----a-w-  c:\windows\system32\drivers\atikmpag.sys
    2012-07-04 18:14 . 2011-03-09 04:56  909312  ----a-w-  c:\windows\SysWow64\aticfx32.dll
    2012-07-04 18:14 . 2012-07-04 18:14  21504  ----a-w-  c:\windows\system32\atimuixx.dll
    2012-07-04 18:14 . 2012-07-04 18:14  53760  ----a-w-  c:\windows\SysWow64\atimpc32.dll
    2012-07-04 18:14 . 2012-07-04 18:14  53760  ----a-w-  c:\windows\SysWow64\amdpcom32.dll
    2012-07-04 18:14 . 2012-07-04 18:14  514560  ----a-w-  c:\windows\system32\atiadlxx.dll
    2012-07-04 18:14 . 2011-03-09 04:17  54784  ----a-w-  c:\windows\system32\atiuxp64.dll
    2012-07-04 18:13 . 2012-07-04 18:13  360448  ----a-w-  c:\windows\SysWow64\atiadlxy.dll
    2012-07-04 18:13 . 2012-07-04 18:13  95760  ----a-w-  c:\windows\system32\drivers\AtihdW76.sys
    2012-07-04 18:13 . 2012-07-04 18:13  43520  ----a-w-  c:\windows\SysWow64\ati2edxx.dll
    2012-07-04 18:13 . 2011-03-09 04:40  7479296  ----a-w-  c:\windows\system32\atidxx64.dll
    2012-07-04 18:13 . 2011-03-09 04:16  44544  ----a-w-  c:\windows\system32\atiu9p64.dll
    2012-07-04 18:13 . 2012-07-04 18:13  17408  ----a-w-  c:\windows\system32\atig6pxx.dll
    2012-07-04 18:13 . 2012-07-04 18:13  1120768  ----a-w-  c:\windows\system32\atiumd6v.dll
    2012-07-04 18:13 . 2012-07-04 18:13  159744  ----a-w-  c:\windows\system32\atiapfxx.exe
    2012-07-04 18:13 . 2011-03-09 04:48  6800896  ----a-w-  c:\windows\SysWow64\atidxx32.dll
    2012-07-04 18:12 . 2011-04-05 10:56  64000  ----a-w-  c:\windows\system32\coinst.dll
    2012-07-04 18:12 . 2012-07-04 18:12  7431680  ----a-w-  c:\windows\system32\atiumd64.dll
    2012-07-04 18:12 . 2011-03-09 04:16  32256  ----a-w-  c:\windows\SysWow64\atiu9pag.dll
    2012-07-04 18:12 . 2012-07-04 18:12  14848  ----a-w-  c:\windows\SysWow64\atiglpxx.dll
    2012-07-04 18:12 . 2012-07-04 18:12  14848  ----a-w-  c:\windows\system32\atiglpxx.dll
    2012-07-04 18:12 . 2012-07-04 18:12  41984  ----a-w-  c:\windows\system32\atig6txx.dll
    2012-07-04 18:12 . 2011-03-09 04:17  41984  ----a-w-  c:\windows\SysWow64\atiuxpag.dll
    2012-07-04 18:12 . 2012-07-04 18:12  442368  ----a-w-  c:\windows\system32\ATIDEMGX.dll
    2012-07-04 18:12 . 2012-07-04 18:11  4731904  ----a-w-  c:\windows\system32\atiumd6a.dll
    2012-07-04 18:12 . 2011-03-09 04:55  1067520  ----a-w-  c:\windows\system32\aticfx64.dll
    2012-07-04 18:11 . 2012-07-04 18:10  26181632  ----a-w-  c:\windows\system32\atio6axx.dll
    2012-07-04 18:11 . 2012-07-04 18:11  503808  ----a-w-  c:\windows\system32\atieclxx.exe
    2012-07-04 18:11 . 2012-07-04 18:10  16090624  ----a-w-  c:\windows\system32\aticaldd64.dll
    2012-07-04 18:11 . 2012-07-04 18:11  44544  ----a-w-  c:\windows\system32\aticalcl64.dll
    2012-07-04 18:11 . 2012-07-04 18:11  1831424  ----a-w-  c:\windows\SysWow64\atiumdmv.dll
    2012-07-04 18:11 . 2011-03-09 03:34  4795904  ----a-w-  c:\windows\SysWow64\atiumdva.dll
    2012-07-04 18:11 . 2012-07-04 18:09  19753984  ----a-w-  c:\windows\SysWow64\atioglxx.dll
    2012-07-04 18:11 . 2012-07-04 18:10  33280  ----a-w-  c:\windows\SysWow64\atigktxx.dll
    2012-07-04 18:10 . 2012-07-04 18:10  11174400  ----a-w-  c:\windows\system32\drivers\atikmdag.sys
    2012-07-04 18:09 . 2012-07-04 18:09  46080  ----a-w-  c:\windows\SysWow64\aticalrt.dll
    2012-07-04 18:09 . 2012-07-04 18:09  44032  ----a-w-  c:\windows\SysWow64\aticalcl.dll
    2012-06-25 15:04 . 2012-06-25 15:04  1394248  ----a-w-  c:\windows\SysWow64\msxml4.dll
    2012-06-12 03:08 . 2012-07-10 22:28  3148800  ----a-w-  c:\windows\system32\win32k.sys
    2012-06-09 05:43 . 2012-07-10 21:03  14172672  ----a-w-  c:\windows\system32\shell32.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files (x86)\IncrediMail_MediaBar_2\prxtbIncr.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    2011-05-09 09:49  176936  ----a-w-  c:\program files (x86)\IncrediMail_MediaBar_2\prxtbIncr.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}"= "c:\program files (x86)\IncrediMail_MediaBar_2\prxtbIncr.dll" [2011-05-09 176936]
    .
    [HKEY_CLASSES_ROOT\clsid\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}]
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19  94208  ----a-w-  c:\users\dandadandan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19  94208  ----a-w-  c:\users\dandadandan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19  94208  ----a-w-  c:\users\dandadandan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19  94208  ----a-w-  c:\users\dandadandan\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "HydraVisionDesktopManager"="c:\program files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [2010-11-18 393216]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
    "NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
    "BCU"="c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe" [2009-10-26 375000]
    "SSDMonitor"="c:\program files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe" [2011-05-18 112600]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files (x86)\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-07 421776]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
    "Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
    .
    c:\users\dandadandan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\dandadandan\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-8-27 26924984]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages  REG_MULTI_SZ  kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-31 250056]
    R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys [2010-10-27 279152]
    R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-01 33736]
    R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]
    R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
    R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-28 113120]
    R3 Mrvleap;MARVELL EAP Driver;c:\windows\system32\DRIVERS\mrv64drv.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 98688]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4925184]
    R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\rtl8187B.sys [2010-03-31 450048]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2012-02-15 52736]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-07 1255736]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
    S0 mv91xx;mv91xx;c:\windows\system32\DRIVERS\mv91xx.sys [2010-08-27 297000]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-07-27 63960]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-07-04 236544]
    S2 BCUService;Browser Configuration Utility Service;c:\program files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe [2009-10-26 223464]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
    S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2010-09-16 80896]
    S2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files (x86)\Common Files\PC Tools\sMonitor\StartManSvc.exe [2011-05-18 632792]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2012-07-04 11174400]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2012-07-04 343040]
    S3 ATHDFU;Atheros Valkyrie USB BootROM;c:\windows\system32\Drivers\AthDfu.sys [2010-10-27 55336]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2012-07-04 95760]
    S3 BTATH_BUS;Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys [2010-10-27 31080]
    S3 cmudaxp;ASUS Xonar DG Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [2010-07-23 1261056]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
    S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2010-10-19 56344]
    S3 MRV6X64U;Marvell TOPDOG 802.11n WLAN Driver for Vista x64 (USB8x);c:\windows\system32\DRIVERS\WN111x.sys [2007-10-28 340480]
    S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2010-09-30 80384]
    S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2010-09-30 180736]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-10-26 406632]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-09-06 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-10 19:04]
    .
    2012-09-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2694974181-1940623718-3779438024-1000Core.job
    - c:\users\dandadandan\AppData\Local\Google\Update\GoogleUpdate.exe [2005-01-02 00:25]
    .
    2012-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2694974181-1940623718-3779438024-1000UA.job
    - c:\users\dandadandan\AppData\Local\Google\Update\GoogleUpdate.exe [2005-01-02 00:25]
    .
    2012-09-05 c:\windows\Tasks\RMSchedule.job
    - c:\program files (x86)\Registry Mechanic\RegMech.exe [2011-05-18 03:28]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19  97792  ----a-w-  c:\users\dandadandan\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19  97792  ----a-w-  c:\users\dandadandan\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19  97792  ----a-w-  c:\users\dandadandan\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
    @="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
    2012-06-30 04:19  97792  ----a-w-  c:\users\dandadandan\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AtherosBtStack"="c:\program files (x86)\Bluetooth Suite\BtvStack.exe" [2010-10-27 613536]
    "AthBtTray"="c:\program files (x86)\Bluetooth Suite\AthBtTray.exe" [2010-10-27 379040]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-11-02 11545192]
    "Cmaudio8788"="c:\windows\Syswow64\cmicnfgp.dll" [2009-12-08 8151040]
    "Cmaudio8788GX"="c:\windows\syswow64\HsMgr.exe" [2008-07-11 200704]
    "Cmaudio8788GX64"="c:\windows\system\HsMgr64.exe" [2008-07-11 282112]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEzz0F0B0AtAyE0Czz0EyBtN0D0Tzu0StBtDtDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=516689117
    mStart Page = hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEzz0F0B0AtAyE0Czz0EyBtN0D0Tzu0StBtDtDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=516689117
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: Add to Evernote 4.0 - c:\program files (x86)\Evernote\Evernote\EvernoteIE.dll/204
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
    FF - ProfilePath - c:\users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
    FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=113480&babsrc=KW_ss&mntrId=aac8c8e700000000000000184d77e7c9&q=
    FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=113480
    FF - user.js: extensions.BabylonToolbar_i.babExt -
    FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
    FF - user.js: extensions.BabylonToolbar_i.id - aac8c8e700000000000000184d77e7c9
    FF - user.js: extensions.BabylonToolbar_i.hardId - aac8c8e700000000000000184d77e7c9
    FF - user.js: extensions.BabylonToolbar_i.instlDay - 15533
    FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
    FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1723:46
    FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
    FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
    FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
    FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
    FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
    FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
    FF - user.js: extensions.funmoods.hmpg - true
    FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEzz0F0B0AtAyE0Czz0EyBtN0D0Tzu0StBtDtDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=516689117
    FF - user.js: extensions.funmoods.dfltSrch - true
    FF - user.js: extensions.funmoods.srchPrvdr - Search
    FF - user.js: extensions.funmoods.dnsErr - true
    FF - user.js: extensions.funmoods_i.newTab - true
    FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEzz0F0B0AtAyE0Czz0EyBtN0D0Tzu0StBtDtDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=516689117
    FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEzz0F0B0AtAyE0Czz0EyBtN0D0Tzu0StBtDtDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=516689117&q=
    FF - user.js: extensions.funmoods.id - F46D048FBA34C8E7
    FF - user.js: extensions.funmoods.instlDay - 15541
    FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
    FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
    FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.220:54
    FF - user.js: extensions.funmoods.prtnrId - funmoods
    FF - user.js: extensions.funmoods.prdct - funmoods
    FF - user.js: extensions.funmoods.aflt - iron2
    FF - user.js: extensions.funmoods_i.smplGrp - none
    FF - user.js: extensions.funmoods.tlbrId - base
    FF - user.js: extensions.funmoods.instlRef - iron2
    FF - user.js: extensions.funmoods.dfltLng -
    FF - user.js: extensions.funmoods.excTlbr - false
    FF - user.js: extensions.funmoods.autoRvrt - false
    FF - user.js: extensions.funmoods.envrmnt - production
    FF - user.js: extensions.funmoods.isdcmntcmplt - true
    FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2694974181-1940623718-3779438024-1000\Software\SecuROM\License information*]
    "datasecu"=hex:0d,99,33,3c,90,88,4b,ab,2a,cf,d4,fe,05,54,c7,f3,07,c2,2f,ac,c4,
    e0,fb,96,bf,bd,5f,e3,41,66,35,8e,89,03,f2,93,a5,b0,0f,6b,f0,58,85,28,ea,c6,\
    "rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.11"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\ASUS Xonar DG Audio\Customapp\ASUSAUDIOCENTER.EXE
    .
    **************************************************************************
    .
    Completion time: 2012-09-06 22:52:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-09-06 21:52
    .
    Pre-Run: 653,690,925,056 bytes free
    Post-Run: 653,295,955,968 bytes free
    .
    - - End Of File - - 01A1636574416529CB4142634F903CD5
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let's get rid of the adware and underlying infection.

    This will check for adware first...

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

    Now, check for rootkits...

    Please download TDSSKiller to your desktop and run it as outlined below:

    Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    For Windows XP, double-click to start.
    For Vista or Windows 7, right-click on the program, select Run as Administrator to start, and when prompted, click Allow to run.



    -------------------------

    Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.


    ------------------------

    Click the Start Scan button.


    -----------------------

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose
    Skip and click on Continue.



    ----------------------

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.




    --------------------

    A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.
    Sometimes these logs can be very large; in that case, please attach it, or zip it up and attach it.

    -------------------

    Here's a summary of what to do if you would like to print it out:

    If a suspicious object is detected, the default action will be Skip; click on Continue.
    If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose
    Skip and click on Continue.

    If malicious objects are found, they will show in the Scan results and offer three (3) options.

    Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  10. Daniel Riley

    Daniel Riley Newcomer, in training Topic Starter Posts: 25

    Here ya go sir

    Attached Files:

  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Excellent work so far!

    AdwCleaner Scan
    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Search.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    2. If threats WERE detected, click on List of Threats Found, Export to Text File... and save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.
  12. Daniel Riley

    Daniel Riley Newcomer, in training Topic Starter Posts: 25

    Doing the online scan now

    # AdwCleaner v2.001 - Logfile created 09/11/2012 at 22:31:42
    # Updated 09/09/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : dandadandan - PHOENIX
    # Boot Mode : Normal
    # Running from : E:\adwcleaner.exe
    # Option [Search]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
    File Found : C:\user.js
    File Found : C:\Users\dandadandan\AppData\Local\funmoods.crx
    File Found : C:\Users\dandadandan\AppData\Local\funmoods-speeddial.crx
    File Found : C:\Users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\searchplugins\search.xml
    Folder Found : C:\Program Files (x86)\Conduit
    Folder Found : C:\Program Files (x86)\IncrediMail_MediaBar_2
    Folder Found : C:\Program Files (x86)\IncrediMail_MediaBar_2
    Folder Found : C:\Program Files (x86)\Wajam
    Folder Found : C:\Users\dandadandan\AppData\Local\Conduit
    Folder Found : C:\Users\dandadandan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
    Folder Found : C:\Users\dandadandan\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Folder Found : C:\Users\dandadandan\AppData\Local\Wajam
    Folder Found : C:\Users\dandadandan\AppData\LocalLow\boost_interprocess
    Folder Found : C:\Users\dandadandan\AppData\LocalLow\Conduit
    Folder Found : C:\Users\dandadandan\AppData\LocalLow\IncrediMail_MediaBar_2
    Folder Found : C:\Users\dandadandan\AppData\LocalLow\IncrediMail_MediaBar_2
    Folder Found : C:\Users\dandadandan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wajam

    ***** [Registry] *****

    Key Found : HKCU\Software\AppDataLow\Software\Conduit
    Key Found : HKCU\Software\AppDataLow\Software\IncrediMail_MediaBar_2
    Key Found : HKCU\Software\AppDataLow\Software\IncrediMail_MediaBar_2
    Key Found : HKCU\Software\AppDataLow\Toolbar
    Key Found : HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
    Key Found : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Found : HKCU\Software\IM
    Key Found : HKCU\Software\ImInstaller
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}
    Key Found : HKCU\Software\Wajam
    Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
    Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
    Key Found : HKLM\SOFTWARE\Classes\b
    Key Found : HKLM\SOFTWARE\Classes\f
    Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore
    Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore.1
    Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2724386
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}
    Key Found : HKLM\SOFTWARE\Classes\wajam.WajamBHO
    Key Found : HKLM\SOFTWARE\Classes\wajam.WajamBHO.1
    Key Found : HKLM\SOFTWARE\Classes\wajam.WajamDownloader
    Key Found : HKLM\SOFTWARE\Classes\wajam.WajamDownloader.1
    Key Found : HKLM\Software\Conduit
    Key Found : HKLM\Software\ImInstaller
    Key Found : HKLM\Software\IncrediMail_MediaBar_2
    Key Found : HKLM\Software\IncrediMail_MediaBar_2
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1083ECD8-9E5B-4D2E-B47A-3D87076C1ABB}
    Key Found : HKLM\Software\Wajam
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{1083ECD8-9E5B-4D2E-B47A-3D87076C1ABB}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
    Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0E52A6FC-7904-4A15-B7FE-75F63FDCD1BC}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8788C046-A791-4146-8AE3-D650A1264F9B}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}
    Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IncrediMail_MediaBar_2 Toolbar
    Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wajam
    Key Found : HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Found : HKU\S-1-5-21-2694974181-1940623718-3779438024-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
    Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}]
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}]
    Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEzz0F0B0AtAyE0Czz0EyBtN0D0Tzu0StBtDtDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=516689117
    [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEzz0F0B0AtAyE0Czz0EyBtN0D0Tzu0StBtDtDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=516689117
    [HKCU\Software\Microsoft\Internet Explorer\Main - Backup.Old.Start Page] = hxxp://search.babylon.com/?affID=113480&babsrc=HP_ss&mntrId=aac8c8e700000000000000184d77e7c9

    -\\ Mozilla Firefox v13.0.1 (en-US)

    Profile name : default
    File : C:\Users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\prefs.js

    Found : user_pref("backup.old.browser.search.defaultenginename", "Search the web (Babylon)");
    Found : user_pref("backup.old.browser.search.selectedEngine", "Search the web (Babylon)");
    Found : user_pref("backup.old.browser.startup.homepage", "hxxp://search.babylon.com/?affID=113480&babsrc=HP_[...]
    Found : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
    Found : user_pref("browser.newtab.url", "hxxp://search.babylon.com/?affID=113480&babsrc=NT_ss&mntrId=aac8c8e[...]
    Found : user_pref("browser.search.order.1", "Search the web (Babylon)");
    Found : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
    Found : user_pref("extensions.BabylonToolbar_i.babExt", "");
    Found : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=113480");
    Found : user_pref("extensions.BabylonToolbar_i.hardId", "aac8c8e700000000000000184d77e7c9");
    Found : user_pref("extensions.BabylonToolbar_i.id", "aac8c8e700000000000000184d77e7c9");
    Found : user_pref("extensions.BabylonToolbar_i.instlDay", "15533");
    Found : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
    Found : user_pref("extensions.BabylonToolbar_i.newTab", true);
    Found : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=113480&babsrc=N[...]
    Found : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
    Found : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
    Found : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
    Found : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
    Found : user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");
    Found : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
    Found : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1723:46:20");
    Found : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
    Found : user_pref("extensions.enabledAddons", "ffxtlbr@funmoods.com:1.5.1,{AB883856-CAE1-11E1-8270-B8AC6F996[...]
    Found : user_pref("extensions.funmoods.aflt", "iron2");
    Found : user_pref("extensions.funmoods.autoRvrt", false);
    Found : user_pref("extensions.funmoods.cntry", "GB");
    Found : user_pref("extensions.funmoods.cv", "cv5");
    Found : user_pref("extensions.funmoods.dfltLng", "");
    Found : user_pref("extensions.funmoods.dfltSrch", true);
    Found : user_pref("extensions.funmoods.dnsErr", true);
    Found : user_pref("extensions.funmoods.envrmnt", "production");
    Found : user_pref("extensions.funmoods.excTlbr", false);
    Found : user_pref("extensions.funmoods.hdrMd5", "431A02F2376E80805EA64A66726940AA");
    Found : user_pref("extensions.funmoods.hmpg", true);
    Found : user_pref("extensions.funmoods.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2Xzuy[...]
    Found : user_pref("extensions.funmoods.id", "F46D048FBA34C8E7");
    Found : user_pref("extensions.funmoods.instlDay", "15541");
    Found : user_pref("extensions.funmoods.instlRef", "iron2");
    Found : user_pref("extensions.funmoods.isdcmntcmplt", true);
    Found : user_pref("extensions.funmoods.lastVrsnTs", "1.5.23.220:54:47");
    Found : user_pref("extensions.funmoods.mntrvrsn", "1.3.0");
    Found : user_pref("extensions.funmoods.newTab", true);
    Found : user_pref("extensions.funmoods.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=iron2&chnl=iron2&cd=2Xz[...]
    Found : user_pref("extensions.funmoods.prdct", "funmoods");
    Found : user_pref("extensions.funmoods.prtnrId", "funmoods");
    Found : user_pref("extensions.funmoods.sg", "none");
    Found : user_pref("extensions.funmoods.smplGrp", "none");
    Found : user_pref("extensions.funmoods.srchPrvdr", "Search");
    Found : user_pref("extensions.funmoods.tlbrId", "base");
    Found : user_pref("extensions.funmoods.tlbrSrchUrl", "hxxp://start.funmoods.com/?f=3&a=iron2&chnl=iron2&cd=2[...]
    Found : user_pref("extensions.funmoods.vrsn", "1.5.23.22");
    Found : user_pref("extensions.funmoods.vrsnTs", "1.5.23.220:54:47");
    Found : user_pref("extensions.funmoods.vrsni", "1.5.23.22");
    Found : user_pref("extensions.funmoods_i.newTab", true);
    Found : user_pref("extensions.funmoods_i.smplGrp", "none");
    Found : user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.220:54:47");
    Found : user_pref("keyword.URL", "hxxp://search.babylon.com/?affID=113480&babsrc=KW_ss&mntrId=aac8c8e7000000[...]

    -\\ Google Chrome v21.0.1180.89

    File : C:\Users\dandadandan\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Found [l.13] : urls_to_restore_on_startup = [ "hxxp://www.google.com", "hxxp://search.babylon.com/?affID=113480&babsrc=HP_ss&mntrId=aac8c8e700000000000000184d77e7c9" ]
    Found [l.65] : icon_url = "hxxp://start.funmoods.com/favicon.ico",
    Found [l.68] : keyword = "funmoods.com",
    Found [l.71] : search_url = "hxxp://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEzz0F0B0AtAyE0Czz0EyBtN0D0Tzu0StBtDtDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=516689117",
    Found [l.1908] : urls_to_restore_on_startup = [ "hxxp://www.google.com", "hxxp://search.babylon.com/?affID=113480&babsrc=HP_ss&mntrId=aac8c8e700000000000000184d77e7c9" ]

    *************************

    AdwCleaner[R1].txt - [15188 octets] - [10/09/2012 21:39:14]
    AdwCleaner[R2].txt - [15126 octets] - [11/09/2012 22:31:42]

    ########## EOF - C:\AdwCleaner[R2].txt - [15187 octets] ##########
  13. Daniel Riley

    Daniel Riley Newcomer, in training Topic Starter Posts: 25

    C:\FRST\Quarantine\{d62fee95-4285-3685-1e08-bb7744f9fbac}\U\00000001.@    Win64/Conedex.D trojan    cleaned by deleting - quarantined
     
  14. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    AdwCleaner Fix
    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with OK.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
    Please post the log.

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death
  15. Daniel Riley

    Daniel Riley Newcomer, in training Topic Starter Posts: 25

    # AdwCleaner v2.001 - Logfile created 09/12/2012 at 18:20:56
    # Updated 09/09/2012 by Xplode
    # Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
    # User : dandadandan - PHOENIX
    # Boot Mode : Normal
    # Running from : C:\Users\dandadandan\Desktop\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
    File Deleted : C:\user.js
    File Deleted : C:\Users\dandadandan\AppData\Local\funmoods.crx
    File Deleted : C:\Users\dandadandan\AppData\Local\funmoods-speeddial.crx
    File Deleted : C:\Users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\searchplugins\search.xml
    Folder Deleted : C:\Program Files (x86)\Conduit
    Folder Deleted : C:\Program Files (x86)\IncrediMail_MediaBar_2
    Folder Deleted : C:\Program Files (x86)\Wajam
    Folder Deleted : C:\Users\dandadandan\AppData\Local\Conduit
    Folder Deleted : C:\Users\dandadandan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
    Folder Deleted : C:\Users\dandadandan\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Folder Deleted : C:\Users\dandadandan\AppData\Local\Wajam
    Folder Deleted : C:\Users\dandadandan\AppData\LocalLow\boost_interprocess
    Folder Deleted : C:\Users\dandadandan\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\dandadandan\AppData\LocalLow\IncrediMail_MediaBar_2
    Folder Deleted : C:\Users\dandadandan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wajam

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
    Key Deleted : HKCU\Software\AppDataLow\Software\IncrediMail_MediaBar_2
    Key Deleted : HKCU\Software\AppDataLow\Toolbar
    Key Deleted : HKCU\Software\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
    Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Deleted : HKCU\Software\IM
    Key Deleted : HKCU\Software\ImInstaller
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}
    Key Deleted : HKCU\Software\Wajam
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{35C1605E-438B-4D64-AAB1-8885F097A9B1}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\b
    Key Deleted : HKLM\SOFTWARE\Classes\f
    Key Deleted : HKLM\SOFTWARE\Classes\funmoodsApp.appCore
    Key Deleted : HKLM\SOFTWARE\Classes\funmoodsApp.appCore.1
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2724386
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}
    Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO
    Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamBHO.1
    Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader
    Key Deleted : HKLM\SOFTWARE\Classes\wajam.WajamDownloader.1
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\Software\ImInstaller
    Key Deleted : HKLM\Software\IncrediMail_MediaBar_2
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1083ECD8-9E5B-4D2E-B47A-3D87076C1ABB}
    Key Deleted : HKLM\Software\Wajam
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{1083ECD8-9E5B-4D2E-B47A-3D87076C1ABB}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0E52A6FC-7904-4A15-B7FE-75F63FDCD1BC}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8788C046-A791-4146-8AE3-D650A1264F9B}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IncrediMail_MediaBar_2 Toolbar
    Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Wajam
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}]
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}]
    Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D40B90B4-D3B1-4D6B-A5D7-DC041C1B76C0}]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Restored : [HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
    Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEzz0F0B0AtAyE0Czz0EyBtN0D0Tzu0StBtDtDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=516689117 --> hxxp://www.google.com
    Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEzz0F0B0AtAyE0Czz0EyBtN0D0Tzu0StBtDtDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=516689117 --> hxxp://www.google.com
    Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Backup.Old.Start Page] = hxxp://search.babylon.com/?affID=113480&babsrc=HP_ss&mntrId=aac8c8e700000000000000184d77e7c9 --> hxxp://www.google.com

    -\\ Mozilla Firefox v13.0.1 (en-US)

    Profile name : default
    File : C:\Users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\prefs.js

    C:\Users\dandadandan\AppData\Roaming\Mozilla\Firefox\Profiles\swkj9kyu.default\user.js ... Deleted !

    Deleted : user_pref("backup.old.browser.search.defaultenginename", "Search the web (Babylon)");
    Deleted : user_pref("backup.old.browser.search.selectedEngine", "Search the web (Babylon)");
    Deleted : user_pref("backup.old.browser.startup.homepage", "hxxp://search.babylon.com/?affID=113480&babsrc=HP_[...]
    Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
    Deleted : user_pref("browser.newtab.url", "hxxp://search.babylon.com/?affID=113480&babsrc=NT_ss&mntrId=aac8c8e[...]
    Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
    Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
    Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
    Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=113480");
    Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "aac8c8e700000000000000184d77e7c9");
    Deleted : user_pref("extensions.BabylonToolbar_i.id", "aac8c8e700000000000000184d77e7c9");
    Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15533");
    Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
    Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
    Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=113480&babsrc=N[...]
    Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
    Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
    Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
    Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
    Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");
    Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
    Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1723:46:20");
    Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
    Deleted : user_pref("extensions.enabledAddons", "ffxtlbr@funmoods.com:1.5.1,{AB883856-CAE1-11E1-8270-B8AC6F996[...]
    Deleted : user_pref("extensions.funmoods.aflt", "iron2");
    Deleted : user_pref("extensions.funmoods.autoRvrt", false);
    Deleted : user_pref("extensions.funmoods.cntry", "GB");
    Deleted : user_pref("extensions.funmoods.cv", "cv5");
    Deleted : user_pref("extensions.funmoods.dfltLng", "");
    Deleted : user_pref("extensions.funmoods.dfltSrch", true);
    Deleted : user_pref("extensions.funmoods.dnsErr", true);
    Deleted : user_pref("extensions.funmoods.envrmnt", "production");
    Deleted : user_pref("extensions.funmoods.excTlbr", false);
    Deleted : user_pref("extensions.funmoods.hdrMd5", "431A02F2376E80805EA64A66726940AA");
    Deleted : user_pref("extensions.funmoods.hmpg", true);
    Deleted : user_pref("extensions.funmoods.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=iron2&chnl=iron2&cd=2Xzuy[...]
    Deleted : user_pref("extensions.funmoods.id", "F46D048FBA34C8E7");
    Deleted : user_pref("extensions.funmoods.instlDay", "15541");
    Deleted : user_pref("extensions.funmoods.instlRef", "iron2");
    Deleted : user_pref("extensions.funmoods.isdcmntcmplt", true);
    Deleted : user_pref("extensions.funmoods.lastVrsnTs", "1.5.23.220:54:47");
    Deleted : user_pref("extensions.funmoods.mntrvrsn", "1.3.0");
    Deleted : user_pref("extensions.funmoods.newTab", true);
    Deleted : user_pref("extensions.funmoods.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=iron2&chnl=iron2&cd=2Xz[...]
    Deleted : user_pref("extensions.funmoods.prdct", "funmoods");
    Deleted : user_pref("extensions.funmoods.prtnrId", "funmoods");
    Deleted : user_pref("extensions.funmoods.sg", "none");
    Deleted : user_pref("extensions.funmoods.smplGrp", "none");
    Deleted : user_pref("extensions.funmoods.srchPrvdr", "Search");
    Deleted : user_pref("extensions.funmoods.tlbrId", "base");
    Deleted : user_pref("extensions.funmoods.tlbrSrchUrl", "hxxp://start.funmoods.com/?f=3&a=iron2&chnl=iron2&cd=2[...]
    Deleted : user_pref("extensions.funmoods.vrsn", "1.5.23.22");
    Deleted : user_pref("extensions.funmoods.vrsnTs", "1.5.23.220:54:47");
    Deleted : user_pref("extensions.funmoods.vrsni", "1.5.23.22");
    Deleted : user_pref("extensions.funmoods_i.newTab", true);
    Deleted : user_pref("extensions.funmoods_i.smplGrp", "none");
    Deleted : user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.220:54:47");
    Deleted : user_pref("keyword.URL", "hxxp://search.babylon.com/?affID=113480&babsrc=KW_ss&mntrId=aac8c8e7000000[...]

    -\\ Google Chrome v21.0.1180.89

    File : C:\Users\dandadandan\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Deleted [l.13] : urls_to_restore_on_startup = [ "hxxp://www.google.com", "hxxp://search.babylon.com/?affID=113480&babsrc=HP_ss&mntrId=aac8c8e700000000000000184d77e7c9" ]
    Deleted [l.65] : icon_url = "hxxp://start.funmoods.com/favicon.ico",
    Deleted [l.68] : keyword = "funmoods.com",
    Deleted [l.71] : search_url = "hxxp://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzuyEtN2Y1L1Qzu0FyEyC0DtDyEzz0F0B0AtAyE0Czz0EyBtN0D0Tzu0StBtDtDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=516689117",
    Deleted [l.1937] : urls_to_restore_on_startup = [ "hxxp://www.google.com", "hxxp://search.babylon.com/?affID=113480&babsrc=HP_ss&mntrId=aac8c8e700000000000000184d77e7c9" ]

    *************************

    AdwCleaner[R1].txt - [15188 octets] - [10/09/2012 21:39:14]
    AdwCleaner[R2].txt - [15223 octets] - [11/09/2012 22:31:42]
    AdwCleaner[S1].txt - [15720 octets] - [12/09/2012 18:20:56]

    ########## EOF - C:\AdwCleaner[S1].txt - [15781 octets] ##########
  16. Daniel Riley

    Daniel Riley Newcomer, in training Topic Starter Posts: 25

    As far as I can see there are no more problems. Is there anything else I should check?
  17. Daniel Riley

    Daniel Riley Newcomer, in training Topic Starter Posts: 25

    I can't perform a Windows update. It gives error 80246008.
  18. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Fix Windows Update & Background Intelligent Transfer Services

    Go to Start > type in CMD and right-click on Command Prompt in the results pane and hit Run as administrator...

    Type the following commands in Command Prompt and hit enter after each line:

    sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto
    sc config wuauserv binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto

    Once done, tell me how it's working.


    Clean up System Restore

    Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

    To manually create a new Restore Point
    • Go to Control Panel and select System and Maintenance
    • Select System
    • On the left select Advanced System Settings and accept the warning if you get one
    • Select System Protection Tab
    • Select Create at the bottom
    • Type in a name, e.g. Clean
    • Select Create
    Now we can purge the infected ones
    • Go back to the System and Maintenance page
    • Select Performance Information and Tools
    • On the left select Open Disk Cleanup
    • Select Files from all users and accept the warning if you get one
    • In the drop-down box select your main drive, e.g. C
    • For a few moments the system will make some calculations
    • Select the More Options tab
    • In the System Restore and Shadow Backups select Clean up
    • Select Delete on the pop up
    • Select OK
    • Select Delete

    Run OTC to remove our tools

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC.exe by OldTimer:
    • Save it to your Desktop.
    • Double click OTC.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

    Purge old temporary files

    Download CCleaner Slim and save it to your Desktop - Alternate download link

    When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
    Follow the prompts to install the program.

    * Double-click the CCleaner shortcut on the desktop to start the program.
    * Click on the Options block on the left, then choose Cookies.
    * Under Cookies to Delete, highlight any cookies you would like to retain permanently
    * Click the right arrow > to move them to the Cookies to Keep window.
    * Go into Options > Advanced & uncheck Only delete files in Windows Temp folders older than 48 hours
    * Click Cleaner on the left then Run Cleaner on the right to run the program.
    * Important: Make sure that ALL browser windows are closed before selecting Run Cleaner

    Caution: Only use the Registry feature if you are very familiar with the registry.
    Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

    Security Check

    Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
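    A way to confirm that the two sc commands above actually took effect (or to spot the broken BITS/wuauserv configuration before repairing it), as an added PowerShell example that is not part of this thread. It assumes the Windows 7 svchost path the commands set and reads the same registry values sc.exe writes; run it from an elevated PowerShell prompt.

    ```powershell
    # Added example, not from the thread: check that the BITS and Windows Update
    # (wuauserv) service definitions match what `sc ... start= delayed-auto` sets.
    # Values are read from the service keys that sc.exe writes.
    $Expected = @{
        ImagePath        = 'c:\windows\system32\svchost.exe -k netsvcs'  # as in the thread's commands
        Start            = 2   # SERVICE_AUTO_START
        DelayedAutostart = 1   # what sc.exe writes for "delayed-auto"
    }

    function Test-UpdateServiceConfig {
        param([string[]]$Services = @('BITS', 'wuauserv'))

        foreach ($name in $Services) {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            if (-not (Test-Path $key)) {
                # No key at all: this is the state `sc create BITS` repairs.
                [pscustomobject]@{ Service = $name; Status = 'MISSING'; Detail = 'service key not found' }
                continue
            }
            $cfg = Get-ItemProperty -Path $key
            $problems = @()

            # ImagePath is REG_EXPAND_SZ; the provider expands %SystemRoot% for us.
            # Compare case-insensitively (-ne is case-insensitive in PowerShell) and ignore quotes.
            $img = ([string]$cfg.ImagePath).Trim('"')
            if (-not $img -or $img -ne $Expected.ImagePath) {
                $problems += "ImagePath is '$img'"
            }
            if ($cfg.Start -ne $Expected.Start) {
                $problems += "Start is $($cfg.Start) (expected $($Expected.Start))"
            }
            # DelayedAutostart is absent when the service was never set to delayed-auto.
            $delayed = if ($null -ne $cfg.DelayedAutostart) { $cfg.DelayedAutostart } else { 0 }
            if ($delayed -ne $Expected.DelayedAutostart) {
                $problems += "DelayedAutostart is $delayed (expected $($Expected.DelayedAutostart))"
            }

            [pscustomobject]@{
                Service = $name
                Status  = if ($problems.Count -eq 0) { 'OK' } else { 'MISMATCH' }
                Detail  = ($problems -join '; ')
            }
        }
    }

    Test-UpdateServiceConfig | Format-Table -AutoSize
    ```

    Newer Windows versions append extra switches to the svchost command line, so an ImagePath mismatch there is expected and the check should be adjusted to the path that system's sc commands use.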
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Marked as solved.