Another victim: Vista 64-bit sirefef restart after 1 minute

Grampz719

I followed the instructions from another victim [paddy12345, thread date Jun 10, 2012] of the sirefef infection and generated FRST.txt. While looking at the log I deduced that there is a problem with "services.exe", due to the giant arrow in the margin saying "ZeroAccess <======= ATTENTION!". So I also did the FRST64 search for "services.exe" and have included that log too.
I read Julio Franco's thread for the 5-step program, but my system is so tied up that I can hardly do anything, in normal or safe mode boots.
The system had a browser redirect virus; then, when I tried to install Microsoft Security Essentials, the "You are about to be logged off" pop-ups started. I was able to see an MSE log that specifically had "sirefef" listed.
 
Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 16-08-2012 13:14:06
Running from E:\VI_TOOLS
Windows Vista (TM) Ultimate Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SoundMAX] "C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe" /tray [3858432 2008-09-11] (Analog Devices, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [TurboV] "C:\Program Files\ASUS\TurboV\TurboV.exe" [5391872 2009-05-25] ()
HKLM-x32\...\Run: [PlexUtilities] "C:\Program Files (x86)\Plextor\PlexUTILITIES\PlexRadar.exe" [1746944 2009-05-15] ()
HKLM-x32\...\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1310720 2008-04-15] (Analog Devices, Inc.)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [311296 2010-03-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [79192 2011-02-18] (Research In Motion Limited)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [296096 2012-07-21] (RealNetworks, Inc.)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Main\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-11-20] (Hewlett-Packard Company)
HKU\Main\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Main\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Main\...\Run: [HydraVisionMDEngine] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe" [569344 2010-08-03] (AMD)
HKU\Main\...\Run: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [393216 2010-08-03] (AMD)
HKU\Main\...\Run: [Grid] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraGrd.exe" [401408 2010-08-03] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\570\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25
Startup: C:\Users\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files (x86)\WinZip\WZQKPICK32.EXE (WinZip Computing, S.L.)
Startup: C:\Users\Main\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Main\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ======

2 AEADIFilters; C:\Windows\System32\AEADISRV.EXE [111616 2008-07-14] (Andrea Electronics Corporation)
2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [90112 2009-04-01] ()
2 MDES; C:\ASUS.SYS\CONFIG\DVMExportService.exe [315392 2009-02-18] (DeviceVM)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 Net Driver HPZ12; C:\Windows\System32\svchost.exe -k HPZ12 [27648 2008-01-20] (Microsoft Corporation)
2 Net Driver HPZ12; C:\Windows\SysWow64\svchost.exe -k HPZ12 [21504 2008-01-20] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
3 NtmsSvc; C:\Windows\System32\ntmssvc.dll [521216 2008-01-20] (Microsoft Corporation)
2 Pml Driver HPZ12; C:\Windows\System32\svchost.exe -k HPZ12 [27648 2008-01-20] (Microsoft Corporation)
2 Pml Driver HPZ12; C:\Windows\SysWow64\svchost.exe -k HPZ12 [21504 2008-01-20] (Microsoft Corporation)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
3 MozillaMaintenance; C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [x]

========================== Drivers (Whitelisted) =============

3 ADIHdAudAddService; C:\Windows\System32\drivers\ADIHdAud.sys [472576 2008-08-20] (Analog Devices, Inc.)
1 Amfilter; C:\Windows\System32\DRIVERS\Amfltx64.sys [12288 2007-10-15] ((Standard mouse types))
3 Amusbprt; C:\Windows\System32\DRIVERS\Amusbx64.sys [17920 2008-02-13] (A4Tech Co.,Ltd.)
1 AsIO; C:\Windows\SysWow64\Drivers\AsIO.sys [13368 2009-04-05] ()
0 mrdd; C:\Windows\System32\Drivers\mrdd.sys [22568 2008-11-11] (Marvell Semiconductor, Inc.)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15680 2006-10-31] ()
0 mv61xx; C:\Windows\System32\Drivers\mv61xx.sys [176680 2009-02-08] (Marvell Semiconductor, Inc.)
2 cpuz132; [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
1 isjarjoc; \??\C:\Windows\system32\drivers\isjarjoc.sys [x]
3 NAVENG; [x]
3 NAVEX15; [x]
2 Norton Internet Security; [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
1 SRTSP; [x]
1 SRTSPX; [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-16 09:45 - 2012-08-16 09:45 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\hsbbdjqn.sys
2012-08-16 09:34 - 2012-08-16 09:34 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\eumxhleh.sys
2012-08-16 09:29 - 2012-08-16 09:29 - 00000000 ____D C:\$WINDOWS.~BT
2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagwrn.xml
2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagerr.xml
2012-08-16 09:24 - 2012-08-16 09:24 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gugoewef.sys
2012-08-16 09:19 - 2012-08-16 09:19 - 00001099 ____A C:\Users\Main\Desktop\Revo Uninstaller.lnk
2012-08-16 09:19 - 2012-08-16 09:19 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
2012-08-16 09:13 - 2012-08-16 09:13 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\earqytlr.sys
2012-08-16 09:08 - 2012-08-16 09:44 - 00000000 ____D C:\FRST
2012-08-16 08:55 - 2012-08-16 08:55 - 00001912 ____A C:\Users\Main\Desktop\JDownloader.lnk
2012-08-16 08:54 - 2012-08-16 08:58 - 00000000 ____D C:\Program Files (x86)\DownloadManager
2012-08-16 08:54 - 2012-08-16 08:54 - 00000304 ____A C:\user.js
2012-08-16 08:54 - 2012-08-16 08:54 - 00000000 ____D C:\Program Files (x86)\BabylonToolbar
2012-08-16 08:41 - 2012-08-16 08:41 - 00000000 ____D C:\Users\Main\AppData\Roaming\Babylon
2012-08-16 08:41 - 2012-08-16 08:41 - 00000000 ____D C:\Users\All Users\Babylon
2012-08-15 07:16 - 2012-08-15 07:16 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-15 07:14 - 2012-08-15 07:15 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-08-15 07:14 - 2012-08-15 07:14 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-08-15 07:12 - 2012-08-15 07:13 - 12621696 ____A (Microsoft Corporation) C:\Users\Main\Desktop\mseinstall.exe
2012-08-09 13:50 - 2012-08-12 06:48 - 00000000 ____D C:\Users\Main\Documents\My Digital Editions
2012-08-09 13:50 - 2012-08-09 13:50 - 00002013 ____A C:\Users\Public\Desktop\Adobe Digital Editions.lnk
2012-08-09 13:48 - 2012-08-09 13:48 - 00001784 ____A C:\Users\Main\Desktop\RawFoodQuickandEasyOver100HealthyReci9781578263479.acsm
2012-08-06 15:03 - 2012-08-06 15:09 - 00000000 ____D C:\Users\All Users\SpeedyPC Software
2012-08-06 15:03 - 2012-08-06 15:03 - 00000000 ____D C:\Users\Main\AppData\Roaming\SpeedyPC Software
2012-08-06 15:03 - 2012-08-06 15:03 - 00000000 ____D C:\Users\Main\AppData\Roaming\DriverCure
2012-08-06 07:06 - 2012-08-06 07:16 - 00000000 ____D C:\Users\Main\Desktop\PHONE PHOTO PHLUSH
2012-08-05 16:29 - 2012-08-12 12:07 - 00000000 ___SD C:\32788R22FWJFW
2012-08-05 16:29 - 2012-08-05 16:35 - 00000000 ____D C:\Windows\erdnt
2012-08-05 16:29 - 2012-08-05 16:35 - 00000000 ____D C:\Qoobox
2012-08-05 16:13 - 2012-08-05 16:14 - 00000000 ____D C:\Users\Public\Desktop\CC Support
2012-08-05 14:12 - 2012-08-05 14:12 - 00000000 ____D C:\Windows\pss
2012-08-01 09:41 - 2012-08-01 09:41 - 00000043 ____A C:\Windows\DAOCONV.T2C
2012-08-01 09:29 - 2012-08-01 09:41 - 00000000 ____D C:\Program Files (x86)\HT Audio
2012-08-01 09:29 - 2012-08-01 09:29 - 00000043 ____A C:\Windows\DAOCONV.T1C
2012-08-01 09:29 - 1998-08-26 13:26 - 01045776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msjet35.dll
2012-08-01 09:29 - 1998-08-11 15:28 - 00407312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrepl35.dll
2012-08-01 09:29 - 1997-08-29 12:14 - 00270344 ____A () C:\Windows\SysWOW64\Btn32x10.ocx
2012-08-01 09:29 - 1997-07-19 14:55 - 01347344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSVBVM50.DLL
2012-08-01 09:29 - 1997-07-19 14:01 - 00196880 ____N (Microsoft Corporation) C:\Windows\SysWOW64\RICHTX32.OCX
2012-08-01 09:29 - 1997-07-19 14:01 - 00192784 ____N (Microsoft Corporation) C:\Windows\SysWOW64\TABCTL32.OCX
2012-08-01 09:29 - 1997-01-23 22:00 - 00078608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\VB5DB.DLL
2012-08-01 09:29 - 1997-01-13 15:18 - 00037136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSJINT35.DLL
2012-08-01 09:29 - 1996-12-04 22:00 - 00077824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ODBCTL32.DLL
2012-08-01 09:29 - 1996-12-02 16:44 - 00251664 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSRD2X35.DLL
2012-08-01 09:29 - 1996-12-02 16:44 - 00024336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSJTER35.DLL
2012-08-01 09:29 - 1996-01-11 22:00 - 00200704 ____R (Sheridan Software Systems, Inc.) C:\Windows\SysWOW64\THREED32.OCX
2012-08-01 08:15 - 2012-08-01 08:15 - 00000000 ____D C:\Users\Main\AppData\Roaming\YourFileDownloader
2012-07-30 09:42 - 2012-08-16 09:28 - 00001155 ____A C:\Windows\setupact.log
2012-07-30 09:42 - 2012-08-16 09:28 - 00000000 ____A C:\Windows\setuperr.log
2012-07-30 09:03 - 2012-07-30 09:03 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-30 08:43 - 2012-07-30 08:43 - 00000000 ____D C:\Users\Main\AppData\Roaming\WinZip
2012-07-30 08:38 - 2012-07-30 08:39 - 00000000 ____D C:\Users\Main\AppData\Local\WinZip
2012-07-30 08:12 - 2012-07-30 08:12 - 00384844 ____A C:\Users\Main\AppData\Local\funmoods-speeddial.crx
2012-07-30 08:12 - 2012-07-30 08:12 - 00031465 ____A C:\Users\Main\AppData\Local\funmoods.crx
2012-07-30 08:12 - 2012-07-30 08:12 - 00000000 ____D C:\Program Files (x86)\Funmoods
2012-07-27 17:38 - 2012-07-31 12:57 - 00000000 ____D C:\Woodworking
2012-07-26 08:12 - 2012-07-26 08:12 - 04064688 ____A C:\Users\Main\Desktop\Beginning_Game_Level_Design.rar
2012-07-24 10:58 - 2012-08-15 16:42 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-21 14:23 - 2012-07-21 14:23 - 00000000 ____D C:\Users\Main\AppData\Local\MPlayer
2012-07-21 14:22 - 2012-07-21 14:24 - 00000000 ____D C:\Users\Main\.umplayer
2012-07-21 14:22 - 2012-07-21 14:22 - 00000000 ____D C:\Program Files (x86)\UMPlayer
2012-07-21 12:27 - 2012-07-21 12:28 - 00000000 ____D C:\Users\Main\AppData\Roaming\Real
2012-07-21 12:27 - 2012-07-21 12:28 - 00000000 ____D C:\Program Files (x86)\Real
2012-07-21 12:27 - 2012-07-21 12:27 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2012-07-21 12:27 - 2012-07-21 12:27 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2012-07-21 12:27 - 2012-07-21 12:27 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2012-07-21 12:27 - 2012-07-21 12:27 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2012-07-21 12:25 - 2012-07-21 12:28 - 00000000 ____D C:\Users\All Users\Real

============ 3 Months Modified Files ========================

2012-08-16 09:45 - 2012-08-16 09:45 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\hsbbdjqn.sys
2012-08-16 09:45 - 2010-02-11 14:04 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-16 09:44 - 2006-11-02 07:21 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-16 09:44 - 2006-11-02 07:21 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-16 09:43 - 2006-11-02 07:40 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-16 09:34 - 2012-08-16 09:34 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\eumxhleh.sys
2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagwrn.xml
2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagerr.xml
2012-08-16 09:28 - 2012-07-30 09:42 - 00001155 ____A C:\Windows\setupact.log
2012-08-16 09:28 - 2012-07-30 09:42 - 00000000 ____A C:\Windows\setuperr.log
2012-08-16 09:24 - 2012-08-16 09:24 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gugoewef.sys
2012-08-16 09:23 - 2010-02-11 14:04 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-16 09:19 - 2012-08-16 09:19 - 00001099 ____A C:\Users\Main\Desktop\Revo Uninstaller.lnk
2012-08-16 09:13 - 2012-08-16 09:13 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\earqytlr.sys
2012-08-16 08:55 - 2012-08-16 08:55 - 00001912 ____A C:\Users\Main\Desktop\JDownloader.lnk
2012-08-16 08:54 - 2012-08-16 08:54 - 00000304 ____A C:\user.js
2012-08-15 16:42 - 2012-07-24 10:58 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-15 16:25 - 2006-11-02 07:39 - 00184450 ____A C:\Windows\PFRO.log
2012-08-15 08:25 - 2008-01-20 17:53 - 01951679 ____A C:\Windows\WindowsUpdate.log
2012-08-15 07:16 - 2012-08-15 07:16 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-15 07:14 - 2012-02-16 20:15 - 00725714 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-15 07:13 - 2012-08-15 07:12 - 12621696 ____A (Microsoft Corporation) C:\Users\Main\Desktop\mseinstall.exe
2012-08-15 07:03 - 2006-11-02 04:46 - 00707430 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-14 22:38 - 2012-04-01 16:15 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-14 22:38 - 2011-05-24 10:50 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-14 10:06 - 2009-05-13 08:53 - 00001194 ____A C:\Windows\WINSET32.INI
2012-08-12 12:48 - 2010-03-30 03:24 - 00000426 _RASH C:\Users\Main\ntuser.pol
2012-08-11 07:46 - 2009-12-05 18:54 - 00000177 ____H C:\dvmexp.idx
2012-08-09 13:50 - 2012-08-09 13:50 - 00002013 ____A C:\Users\Public\Desktop\Adobe Digital Editions.lnk
2012-08-09 13:48 - 2012-08-09 13:48 - 00001784 ____A C:\Users\Main\Desktop\RawFoodQuickandEasyOver100HealthyReci9781578263479.acsm
2012-08-06 15:04 - 2010-12-02 08:19 - 00000539 ____A C:\Users\Main\AppData\Roaming\Rim.Desktop.Exception.log
2012-08-06 07:07 - 2012-03-30 07:53 - 00000069 ____A C:\Windows\NeroDigital.ini
2012-08-06 07:07 - 2011-11-02 03:48 - 00000145 ____A C:\Users\Main\AppData\Roaming\default.rss
2012-08-05 16:53 - 2006-11-02 07:40 - 00032600 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-01 14:42 - 2009-12-05 18:11 - 00099904 ____A C:\Users\Main\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-01 14:42 - 2006-11-02 07:21 - 00379200 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-01 09:41 - 2012-08-01 09:41 - 00000043 ____A C:\Windows\DAOCONV.T2C
2012-08-01 09:29 - 2012-08-01 09:29 - 00000043 ____A C:\Windows\DAOCONV.T1C
2012-08-01 08:01 - 2010-01-24 06:00 - 00000680 ____A C:\Users\Main\AppData\Local\d3d9caps.dat
2012-07-30 09:42 - 2009-12-05 18:11 - 00001460 ____A C:\Users\Main\AppData\Local\d3d9caps64.dat
2012-07-30 09:11 - 2010-01-10 11:52 - 00028160 ____A C:\Users\Main\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-07-30 08:12 - 2012-07-30 08:12 - 00384844 ____A C:\Users\Main\AppData\Local\funmoods-speeddial.crx
2012-07-30 08:12 - 2012-07-30 08:12 - 00031465 ____A C:\Users\Main\AppData\Local\funmoods.crx
2012-07-26 08:12 - 2012-07-26 08:12 - 04064688 ____A C:\Users\Main\Desktop\Beginning_Game_Level_Design.rar
2012-07-21 12:27 - 2012-07-21 12:27 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2012-07-21 12:27 - 2012-07-21 12:27 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2012-07-21 12:27 - 2012-07-21 12:27 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2012-07-21 12:27 - 2012-07-21 12:27 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2012-07-21 12:27 - 2010-04-29 01:47 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2012-07-21 12:27 - 2010-04-29 01:47 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2012-07-11 01:06 - 2006-11-02 04:34 - 00002983 ____A C:\Windows\win.ini
2012-07-11 01:03 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-28 13:13 - 2009-12-21 11:51 - 00375794 ____A C:\Users\Main\AppData\Local\dd_depcheck_NETFX_EXP_35.txt
2012-06-28 13:13 - 2009-12-21 11:51 - 00323086 ____A C:\Users\Main\AppData\Local\dd_dotnetfx35install.txt
2012-06-13 05:58 - 2012-07-11 01:01 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-12 05:57 - 2012-06-12 05:57 - 14771880 ____A C:\Users\Main\Documents\cam.zip
2012-06-08 09:59 - 2012-07-10 20:29 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 09:47 - 2012-07-10 20:29 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 08:47 - 2012-07-10 20:29 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 08:47 - 2012-07-10 20:29 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 08:22 - 2012-07-10 20:29 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 08:22 - 2012-07-10 20:29 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-04 07:29 - 2012-07-10 20:29 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-21 14:51 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 14:51 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 14:51 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-21 14:51 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 14:51 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 14:51 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-21 14:51 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-21 14:51 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 14:51 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-21 14:51 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 13:19 - 2012-06-21 14:51 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 13:19 - 2012-06-21 14:51 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 13:15 - 2012-06-21 14:51 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 13:12 - 2012-06-21 14:51 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-06-02 04:49 - 2012-07-11 01:01 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 01:01 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 01:01 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 01:01 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 01:01 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 01:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 01:01 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 01:01 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 01:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 01:01 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 01:01 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 01:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 01:01 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 01:01 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 01:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 01:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 01:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 01:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 01:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 01:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 01:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 01:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 01:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 01:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 01:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 01:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 01:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 01:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 16:22 - 2012-07-10 20:29 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:22 - 2012-07-10 20:29 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 16:05 - 2012-07-10 20:29 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 16:04 - 2012-07-10 20:29 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 16:03 - 2012-07-10 20:29 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-05-31 10:25 - 2009-12-21 11:54 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-05-23 14:42 - 2012-05-23 14:42 - 00417088 ____A C:\Users\Main\AppData\Local\dd_vcredistMSI1849.txt
2012-05-23 14:42 - 2012-05-23 14:42 - 00011184 ____A C:\Users\Main\AppData\Local\dd_vcredistUI1849.txt


ZeroAccess:
C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}
C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\@
C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\L
C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\U
C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\L\00000004.@
C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\L\201d3dde
C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\U\00000008.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe B8844F93D2C5F1DCDB179AAA9AF134B7 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 11%
Total physical RAM: 6134.18 MB
Available physical RAM: 5420.26 MB
Total Pagefile: 5800.35 MB
Available Pagefile: 5384.31 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:1397.26 GB) (Free:969.42 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (FRMCXFRE_EN_DVD) (CDROM) (Total:3.66 GB) (Free:0 GB) UDF
3 Drive e: (SWISSMEMORY) (Removable) (Total:0.49 GB) (Free:0.1 GB) FAT
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 1397 GB 0 B
Disk 1 Online 499 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1397 GB 1024 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 1397 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 498 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E SWISSMEMORY FAT Removable 498 MB Healthy

==================================================================================

Last Boot: 2012-08-15 08:56

======================= End Of Log ==========================
 
Now for "search.txt" for a search on "services.exe".

Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 2012-08-16 13:59:20
Running from E:\VI_TOOLS

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-12-23 11:57] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-12-23 11:57] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-12-23 11:57] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-12-23 11:57] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

====== End Of Search ======

Thank you in advance for helping me and for the work you do on this site!
Grampz719
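The conclusion drawn from the two logs above rests on one comparison: the MD5 of the live C:\Windows\System32\services.exe matches none of the copies of the same architecture held in the WinSxS component store, while the SysWOW64 copy matches its x86 store copy exactly. The script below is an added example (not part of this thread and not FRST's own code) that performs that comparison mechanically over the "services.exe" search output quoted above, embedded here as a constructed excerpt. It parses each path/attribute pair, classifies the architecture from the WinSxS directory prefix (or from System32 vs SysWOW64 for the live copies), flags any live file whose hash is absent from the store copies for its architecture, and lists the store copies a helper could choose a replacement from. Function names are the example's own.

```python
import re

# Constructed excerpt of the FRST "Search: services.exe" output quoted in the post above.
SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-12-23 11:57] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-12-23 11:57] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-12-23 11:57] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-12-23 11:57] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

====== End Of Search ======
"""

# A result line in FRST search output: "[created] - [modified] - size attrs (company) MD5"
ATTR_RE = re.compile(
    r'^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) '
    r'(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$'
)
PATH_RE = re.compile(r'^[A-Za-z]:\\')


def arch_of(path):
    """Classify a file's architecture from where it lives on an x64 Windows install."""
    p = path.lower()
    m = re.search(r'\\winsxs\\(x86|amd64)_', p)   # component store dirs carry the arch prefix
    if m:
        return m.group(1)
    if '\\syswow64\\' in p:                        # 32-bit binaries on a 64-bit OS
        return 'x86'
    if '\\system32\\' in p:                        # native 64-bit binaries
        return 'amd64'
    return 'unknown'


def parse_search(text):
    """Turn path/attribute line pairs into dicts; lines that fit neither shape are ignored."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = ATTR_RE.match(line)
        if m and pending:
            entries.append({
                'path': pending,
                'arch': arch_of(pending),
                'size': int(m.group('size')),
                'md5': m.group('md5').upper(),
                'company': m.group('company'),
                'in_store': '\\winsxs\\' in pending.lower(),
            })
            pending = None
    return entries


def find_suspects(entries):
    """Flag live copies whose MD5 matches no WinSxS copy of the same architecture."""
    store = {}  # arch -> {md5 -> [store paths]}
    for e in entries:
        if e['in_store']:
            store.setdefault(e['arch'], {}).setdefault(e['md5'], []).append(e['path'])
    suspects = []
    for e in entries:
        if e['in_store']:
            continue
        known = store.get(e['arch'], {})
        if e['md5'] not in known:
            suspects.append({
                'path': e['path'], 'md5': e['md5'], 'size': e['size'], 'arch': e['arch'],
                # same-architecture store copies a helper could restore from
                'candidates': sorted(p for paths in known.values() for p in paths),
            })
    return suspects


if __name__ == '__main__':
    for s in find_suspects(parse_search(SEARCH_LOG)):
        print(f"SUSPECT {s['path']} ({s['arch']}, {s['size']} bytes, MD5 {s['md5']})")
        for c in s['candidates']:
            print(f"  store copy: {c}")
```

Run against the excerpt, the script reports only the System32 copy (381952 bytes, hash B8844F...) and lists both amd64 store copies; the 6.0.6001.18000 copy sorts first, which is the one the helper's fixlist restores. The check is only as trustworthy as the store: it assumes the WinSxS copies themselves are intact, which is why FRST's own whitelist verdicts ("MD5 is legit") for the other system binaries matter alongside it.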
 
Hello, and welcome to TechSpot.


Please see here for the board rules and other FAQ.

Please feel free to introduce yourself, after you follow the steps below to get started.

Information
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, please reply to this topic with the word BUMP!
  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

FRST64 Fixlist

Please run the following:

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Now restart, let it boot normally and tell me how it went.
 
Wow! It seems to have worked. In fact, I am now using the computer in question and not my OOOOld Prescott (400Mhz Pentium) from 10 years ago. Thank you very much!

So here is Fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
Ran by SYSTEM at 2012-08-17 10:05:32 Run:1
Running from I:\VI_TOOLS

==============================================

C:\Windows\Installer\{58a01c4c-15bb-1eb6-0152-4ea8722ef895} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====
 
Okay. Well, we had better continue disinfection...

ComboFix

Please download ComboFix
by sUBs
From BleepingComputer.com

Please save the file to your Desktop, but rename it first to svchost.exe

Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.
After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again, this time renaming ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of important system processes such as iexplore.exe, explorer.exe, and winlogon.exe.
 
Here is the ComboFix log file:
ComboFix 12-08-17.03 - Main 08/17/2012 11:23:16.1.8 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.6134.3990 [GMT -6:00]
Running from: c:\users\Main\Desktop\svchost.exe.exe
AV: COMODO Antivirus *Disabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\searchplugins\bing-zugo.xml
c:\users\Main\g2mdlhlpx.exe
c:\users\Main\GoToAssistDownloadHelper.exe
c:\windows\XSxS
.
c:\windows\SysWow64\userinit.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-07-17 to 2012-08-17 )))))))))))))))))))))))))))))))
.
.
2012-08-17 16:43 . 2012-08-17 18:27 -------- d-----w- c:\programdata\CPA_VA
2012-08-17 16:20 . 2012-08-17 16:42 -------- d-----w- c:\programdata\Comodo
2012-08-17 15:43 . 2012-08-17 15:43 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-17 15:36 . 2012-08-17 16:20 -------- d-----w- c:\program files\COMODO
2012-08-17 15:36 . 2012-08-17 15:36 1700352 ----a-w- c:\windows\SysWow64\gdiplus.dll
2012-08-17 15:36 . 2012-08-17 15:36 1060864 ----a-w- c:\windows\SysWow64\mfc71.dll
2012-08-16 17:34 . 2012-08-16 17:34 50392 ----a-w- c:\windows\system32\drivers\eumxhleh.sys
2012-08-16 17:29 . 2012-08-16 17:29 -------- d-----w- C:\$WINDOWS.~BT
2012-08-16 17:24 . 2012-08-16 17:24 50392 ----a-w- c:\windows\system32\drivers\gugoewef.sys
2012-08-16 17:19 . 2012-08-16 17:19 -------- d-----w- c:\program files (x86)\VS Revo Group
2012-08-16 17:13 . 2012-08-16 17:13 50392 ----a-w- c:\windows\system32\drivers\earqytlr.sys
2012-08-16 17:08 . 2012-08-16 17:44 -------- d-----w- C:\FRST
2012-08-16 16:54 . 2012-08-16 16:54 304 ----a-w- C:\user.js
2012-08-16 16:41 . 2012-08-16 16:41 -------- d-----w- c:\users\Main\AppData\Roaming\Babylon
2012-08-16 16:41 . 2012-08-16 16:41 -------- d-----w- c:\programdata\Babylon
2012-08-06 23:03 . 2012-08-06 23:03 -------- d-----w- c:\users\Main\AppData\Roaming\SpeedyPC Software
2012-08-06 23:03 . 2012-08-06 23:03 -------- d-----w- c:\users\Main\AppData\Roaming\DriverCure
2012-08-06 23:03 . 2012-08-06 23:09 -------- d-----w- c:\programdata\SpeedyPC Software
2012-08-01 16:15 . 2012-08-01 16:15 -------- d-----w- c:\users\Main\AppData\Roaming\YourFileDownloader
2012-07-30 17:03 . 2012-07-30 17:03 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-30 16:43 . 2012-07-30 16:43 -------- d-----w- c:\users\Main\AppData\Roaming\WinZip
2012-07-30 16:38 . 2012-07-30 16:39 -------- d-----w- c:\users\Main\AppData\Local\WinZip
2012-07-30 16:15 . 2012-08-01 16:22 -------- d-----w- c:\programdata\Tarma Installer
2012-07-28 01:38 . 2012-07-31 20:57 -------- d-----w- C:\Woodworking
2012-07-27 06:36 . 2012-06-29 10:04 9133488 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{819AF1F3-EA56-47B4-8B00-3684B863E99E}\mpengine.dll
2012-07-21 22:23 . 2012-07-21 22:23 -------- d-----w- c:\users\Main\AppData\Local\MPlayer
2012-07-21 22:22 . 2012-07-21 22:24 -------- d-----w- c:\users\Main\.umplayer
2012-07-21 22:22 . 2012-07-21 22:22 -------- d-----w- c:\program files (x86)\UMPlayer
2012-07-21 20:28 . 2012-07-21 20:28 11776 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nprjplug.dll
2012-07-21 20:27 . 2012-07-21 20:27 -------- d-----w- c:\program files (x86)\Common Files\xing shared
2012-07-21 20:27 . 2012-07-21 20:27 150736 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppl3260.dll
2012-07-21 20:27 . 2012-07-21 20:27 129176 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nprpplugin.dll
2012-07-21 20:27 . 2012-07-21 20:28 -------- d-----w- c:\program files (x86)\Real
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 06:38 . 2012-04-02 00:15 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-15 06:38 . 2011-05-24 18:50 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-21 20:27 . 2010-04-29 09:47 499712 ----a-w- c:\windows\SysWow64\msvcp71.dll
2012-07-21 20:27 . 2010-04-29 09:47 348160 ----a-w- c:\windows\SysWow64\msvcr71.dll
2012-07-11 09:03 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
2012-07-03 19:46 . 2011-09-03 11:51 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:58 . 2012-07-11 09:01 2769408 ----a-w- c:\windows\system32\win32k.sys
2012-06-08 17:59 . 2012-07-11 04:29 12899840 ----a-w- c:\windows\system32\shell32.dll
2012-06-05 16:47 . 2012-07-11 04:29 1401856 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-05 16:47 . 2012-07-11 04:29 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-05 16:22 . 2012-07-11 04:29 1797120 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:22 . 2012-07-11 04:29 1869824 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:29 . 2012-07-11 04:29 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19 . 2012-06-21 22:51 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 22:51 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 22:51 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 22:51 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 22:51 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-21 22:51 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-21 22:51 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-21 22:51 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 22:51 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-21 22:51 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-02 21:19 . 2012-06-21 22:51 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 21:19 . 2012-06-21 22:51 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-02 21:15 . 2012-06-21 22:51 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 21:12 . 2012-06-21 22:51 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-06-02 12:49 . 2012-07-11 09:01 17807360 ----a-w- c:\windows\system32\mshtml.dll
2012-06-02 12:17 . 2012-07-11 09:01 10924032 ----a-w- c:\windows\system32\ieframe.dll
2012-06-02 12:12 . 2012-07-11 09:01 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 12:05 . 2012-07-11 09:01 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-02 12:05 . 2012-07-11 09:01 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 12:04 . 2012-07-11 09:01 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 12:04 . 2012-07-11 09:01 237056 ----a-w- c:\windows\system32\url.dll
2012-06-02 12:03 . 2012-07-11 09:01 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-02 12:01 . 2012-07-11 09:01 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 12:00 . 2012-07-11 09:01 818688 ----a-w- c:\windows\system32\jscript.dll
2012-06-02 11:59 . 2012-07-11 09:01 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-02 11:57 . 2012-07-11 09:01 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-02 11:57 . 2012-07-11 09:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 11:54 . 2012-07-11 09:01 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-02 08:33 . 2012-07-11 09:01 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-02 08:25 . 2012-07-11 09:01 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-02 08:25 . 2012-07-11 09:01 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-02 08:20 . 2012-07-11 09:01 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-02 08:16 . 2012-07-11 09:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-06-02 00:22 . 2012-07-11 04:29 347136 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:22 . 2012-07-11 04:29 254464 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 00:05 . 2012-07-11 04:29 77312 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 00:04 . 2012-07-11 04:29 278528 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 00:03 . 2012-07-11 04:29 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-05-31 18:25 . 2009-12-21 19:54 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-11-20 2363392]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"HydraVisionMDEngine"="c:\program files (x86)\ATI Technologies\HydraVision\HydraMD.exe" [2010-08-04 569344]
"HydraVisionDesktopManager"="c:\program files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [2010-08-04 393216]
"Grid"="c:\program files (x86)\ATI Technologies\HydraVision\HydraGrd.exe" [2010-08-04 401408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"TurboV"="c:\program files\ASUS\TurboV\TurboV.exe" [2009-05-25 5391872]
"PlexUtilities"="c:\program files (x86)\Plextor\PlexUTILITIES\PlexRadar.exe" [2009-05-15 1746944]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2008-04-15 1310720]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-06-08 421776]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2012-07-21 296096]
"COMODO"="c:\program files\COMODO\COMODO GeekBuddy\CLPSLA.exe" [2011-11-23 213304]
"CPA"="c:\program files\COMODO\COMODO GeekBuddy\VALA.exe" [2011-11-23 184120]
.
c:\users\Main\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Main\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files (x86)\WinZip\WZQKPICK32.EXE [2012-4-4 603536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 250056]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-11-20 21:28 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 06:38]
.
2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-11 22:04]
.
2012-08-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-11 22:04]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Main\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="c:\program files (x86)\Analog Devices\SoundMAX\SoundMAX.exe" [2008-09-11 3858432]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-12 9569096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\guard64.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_ss&mntrId=9e7f146600000000000090e6ba1f8bf8
mStart Page = hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1QzuzytD0EyC0B0AtC0Fzz0B0FzytCyEyCyCtN0D0Tzu0CtBtCtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=604335370
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open Client to monitor &1 - c:\windows\web\AOpenClient.htm
IE: Open Client to monitor &2 - c:\windows\web\AOpenClient.htm
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=KW_ss&mntrId=9e7f146600000000000090e6ba1f8bf8&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
FF - user.js: extensions.funmoods.hmpg - true
FF - user.js: extensions.funmoods.hmpgUrl - hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1QzuzytD0EyC0B0AtC0Fzz0B0FzytCyEyCyCtN0D0Tzu0CtBtCtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=604335370
FF - user.js: extensions.funmoods.dfltSrch - true
FF - user.js: extensions.funmoods.srchPrvdr - Search
FF - user.js: extensions.funmoods.dnsErr - true
FF - user.js: extensions.funmoods_i.newTab - true
FF - user.js: extensions.funmoods.newTabUrl - hxxp://start.funmoods.com/?f=2&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1QzuzytD0EyC0B0AtC0Fzz0B0FzytCyEyCyCtN0D0Tzu0CtBtCtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=604335370
FF - user.js: extensions.funmoods.tlbrSrchUrl - hxxp://start.funmoods.com/?f=3&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1QzuzytD0EyC0B0AtC0Fzz0B0FzytCyEyCyCtN0D0Tzu0CtBtCtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=604335370&q=
FF - user.js: extensions.funmoods.id - 90E6BA1F8BF91466
FF - user.js: extensions.funmoods.instlDay - 15551
FF - user.js: extensions.funmoods.vrsn - 1.5.23.22
FF - user.js: extensions.funmoods.vrsni - 1.5.23.22
FF - user.js: extensions.funmoods_i.vrsnTs - 1.5.23.2210:12
FF - user.js: extensions.funmoods.prtnrId - funmoods
FF - user.js: extensions.funmoods.prdct - funmoods
FF - user.js: extensions.funmoods.aflt - nv1
FF - user.js: extensions.funmoods_i.smplGrp - none
FF - user.js: extensions.funmoods.tlbrId - base
FF - user.js: extensions.funmoods.instlRef - nv1
FF - user.js: extensions.funmoods.dfltLng -
FF - user.js: extensions.funmoods.excTlbr - false
FF - user.js: extensions.funmoods.autoRvrt - false
FF - user.js: extensions.funmoods.envrmnt - production
FF - user.js: extensions.funmoods.isdcmntcmplt - true
FF - user.js: extensions.funmoods.mntrvrsn - 1.3.0
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=110796&tt=3312_2
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://www.google.com/search?babsrc=TB_ggl&q=
FF - user.js: extensions.BabylonToolbar.id - 9e7f146600000000000090e6ba1f8bf8
FF - user.js: extensions.BabylonToolbar.instlDay - 15568
FF - user.js: extensions.BabylonToolbar.vrsn - 1.6.4.6
FF - user.js: extensions.BabylonToolbar.vrsni - 1.6.4.6
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.6.4.610:54
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.admin - false
.
- - - - ORPHANS REMOVED - - - -
.
Notify-GoToAssist - (no file)
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-MozillaMaintenanceService - c:\program files (x86)\Mozilla Maintenance Service\uninstall.exe
AddRemove-Prism - c:\program files (x86)\NCH Software\Prism\uninst.exe
AddRemove-Switch - c:\program files (x86)\NCH Swift Sound\Switch\uninst.exe
AddRemove-WavePad - c:\program files (x86)\NCH Swift Sound\WavePad\uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\asus.sys\CONFIG\DVMExportService.exe
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe
.
**************************************************************************
.
Completion time: 2012-08-17 12:33:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-17 18:33
.
Pre-Run: 1,037,579,714,560 bytes free
Post-Run: 1,038,735,683,584 bytes free
.
- - End Of File - - 74EA7DF2FDD206297564EA061E5D51B2
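Three entries in the Reg Loading Points section of the log above deserve more than a glance: `Userinit` pointing at explorer.exe instead of userinit.exe (consistent with the `userinit.exe . . . is infected!!` line), `EnableLUA` set to 0 (UAC off), and `AppInit_DLLs` values on both the 32-bit and 64-bit keys. The following Python is an added example, not ComboFix's or the helper's code, that parses that section's `[key]` / `"name"=value` layout and raises those three checks. The sample is constructed from the lines above; the AppInit entries are flagged for review only (they may belong to the security suite listed in the same log), not judged malicious.

```python
import re
from typing import Dict, List, Tuple

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')

# Constructed sample: Winlogon, policy, SafeBoot and AppInit entries from the ComboFix log.
SAMPLE_REG_POINTS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\SysWOW64\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\windows\System32\guard64.dll
"""

Finding = Tuple[str, str]   # (severity, message)


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Map each lower-cased registry key to its named values.

    Lines that are empty or a lone '.' (ComboFix's spacer) are skipped, and
    '@=' default values are ignored because these checks only look at named values.
    """
    points: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "."):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            points.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            value = m.group("value").strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # REG_SZ values are quoted in the log
            points[current][m.group("name")] = value
    return points


def check_loading_points(points: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Apply three persistence/hardening checks to the parsed loading points."""
    findings: List[Finding] = []
    for key, values in points.items():
        # Userinit must launch userinit.exe; anything else runs in place of the
        # normal logon chain (ComboFix reported userinit.exe itself as infected).
        if key.endswith("\\winlogon") and "Userinit" in values:
            if "userinit.exe" not in values["Userinit"].lower():
                findings.append(("HIGH",
                                 f"Winlogon\\Userinit does not reference userinit.exe: "
                                 f"{values['Userinit']}"))
        # EnableLUA=0 turns UAC off; the log shows it as '0 (0x0)'.
        if key.endswith("\\policies\\system") and "EnableLUA" in values:
            if values["EnableLUA"].split()[0] == "0":
                findings.append(("MEDIUM", "UAC is disabled (EnableLUA=0)"))
        # AppInit_DLLs is loaded into every process that maps user32.dll, so any
        # value is worth confirming against the product that registered it.
        if values.get("AppInit_DLLs"):
            view = "32-bit" if "wow6432node" in key else "64-bit"
            findings.append(("REVIEW",
                             f"{view} AppInit_DLLs loads {values['AppInit_DLLs']}"))
    return findings


if __name__ == "__main__":
    for severity, message in check_loading_points(parse_reg_points(SAMPLE_REG_POINTS)):
        print(f"[{severity}] {message}")
```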
 
ComboFix Script

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    ClearJavaCache::

    SRPEEK::
    userinit.exe

    NOORPHANS::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
 
I can't get this to complete. I drag the "CFScript.txt" into the ComboFix.exe icon on my desktop and it starts a scan for infected files. It completes stage 50 then comes up with the message "System file is infected!! Attempting to restore "C:\Windows\system32\services.exe"" It sits there for a long time, then the computer reboots. It keeps installing a weird looking internet explorer icon on my desktop that has Babylon search installed. I keep trashing this, but it keeps coming back on reboot. I have looked for the "ComboFix.txt" and can't find it (even using the search function).
 
Here is the ComboFix log; I found this in the c:\svchost.exe sub-directory.

ComboFix 12-08-20.01 - Main 08/20/2012 7:18:17.5.8 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.6134.4032 [GMT -6:00]
Running from: C:\Users\Main\Desktop\svchost.exe.exe
Command switches used :: C:\Users\Main\Desktop\CFScript.txt
AV: COMODO Antivirus *Disabled/Updated* {458BB331-2324-0753-3D5F-1472EB102AC0}
FW: COMODO Firewall *Disabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
SP: COMODO Defense+ *Disabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
Okay. That didn't work...

  • Please download Hitman Pro by Surfright from here and save it to your desktop.
  • Double click HitmanPro36.exe to run the scanner
  • Click Next
  • Accept the license conditions and click Next
  • Choose to do only a single scan. Do not enter any e-mail address and click Next
  • Hitman Pro will now scan your computer
  • After the scan, choose to ignore all threats - I want to have a look first, before deciding what to do
  • Click Next
  • You will now find an option to export the results of the scan to an XML file (log.xml). Please do so. Close Hitman Pro.
  • Please copy and paste the contents of log.xml into your next reply (You can open XML files with notepad)

Note: For best results, keep Hitman Pro for the future to prevent re-infection. Consider purchasing it now.
 
Hitman Pro Log:

 
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    userinit.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
Here is the SystemLook.txt log file:

SystemLook 30.07.11 by jpshortstuff
Log created at 16:08 on 21/08/2012 by Main
Administrator - Elevation successful

========== filefind ==========

Searching for "userinit.*"
C:\Windows\erdnt\cache64\userinit.exe --a---- 28160 bytes [18:31 17/08/2012] [02:48 21/01/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\erdnt\cache86\userinit.exe --a---- 25088 bytes [18:31 17/08/2012] [02:49 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\System32\userinit.exe --a---- 28160 bytes [02:48 21/01/2008] [02:48 21/01/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\System32\en-US\userinit.exe.mui --a---- 3584 bytes [15:13 02/11/2006] [15:13 02/11/2006] 7A820F1B24D266DE11444D6C8FA8AC8A
C:\Windows\SysWOW64\userinit.exe --a---- 25088 bytes [02:49 21/01/2008] [02:49 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\SysWOW64\en-US\userinit.exe.mui --a---- 4096 bytes [15:13 02/11/2006] [15:13 02/11/2006] F058F2BAE89E70B2A79D5EB820092EEB
C:\Windows\winsxs\amd64_microsoft-windows-userinit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_e9d87fb38dc4f328\userinit.exe.mui --a---- 3584 bytes [15:13 02/11/2006] [15:13 02/11/2006] 7A820F1B24D266DE11444D6C8FA8AC8A
C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe --a---- 28160 bytes [02:48 21/01/2008] [02:48 21/01/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\winsxs\x86_microsoft-windows-userinit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_8db9e42fd56781f2\userinit.exe.mui --a---- 4096 bytes [15:13 02/11/2006] [15:13 02/11/2006] F058F2BAE89E70B2A79D5EB820092EEB
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --a---- 25088 bytes [02:49 21/01/2008] [02:49 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9

-= EOF =-
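The filefind output above lists every on-disk copy of userinit.exe with its MD5, which is what a file-integrity check needs. As an added example that is not part of this thread or of SystemLook, the Python below parses lines in that format and compares each live System32/SysWOW64 copy with the WinSxS component-store copies of the same file and architecture (assuming a 64-bit install, as here); the userinit.exe sample lines are the ones posted above, while the services.exe lines, their hashes and the WinSxS directory name are constructed placeholders to show what a patched binary looks like.

```python
"""Parse SystemLook ':filefind' output and compare each live system binary
(System32 / SysWOW64) with the copies of the same file in the WinSxS store.

A live copy whose MD5 matches none of its component-store copies is the
footprint of a binary patched in place; a match, as for userinit.exe in the
log above, says the file on disk is the one Windows installed.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# One filefind line: path, 7 attribute flags, size, two bracketed
# timestamps (modified, created), then the MD5 hash.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<attrs>[-A-Za-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})\s*$"
)
WINSXS_RE = re.compile(r"\\winsxs\\(amd64|x86|wow64|msil)_")

# Constructed sample. The userinit.exe lines are the ones posted above; the
# services.exe lines are constructed, with placeholder hashes and a
# placeholder WinSxS directory name, to show what a mismatch looks like.
SAMPLE_LOG = r"""
Searching for "userinit.*"
C:\Windows\erdnt\cache64\userinit.exe --a---- 28160 bytes [18:31 17/08/2012] [02:48 21/01/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\System32\userinit.exe --a---- 28160 bytes [02:48 21/01/2008] [02:48 21/01/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\System32\en-US\userinit.exe.mui --a---- 3584 bytes [15:13 02/11/2006] [15:13 02/11/2006] 7A820F1B24D266DE11444D6C8FA8AC8A
C:\Windows\SysWOW64\userinit.exe --a---- 25088 bytes [02:49 21/01/2008] [02:49 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\winsxs\amd64_microsoft-windows-userinit.resources_31bf3856ad364e35_6.0.6000.16386_en-us_e9d87fb38dc4f328\userinit.exe.mui --a---- 3584 bytes [15:13 02/11/2006] [15:13 02/11/2006] 7A820F1B24D266DE11444D6C8FA8AC8A
C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe --a---- 28160 bytes [02:48 21/01/2008] [02:48 21/01/2008] A0AB2BB9A92293D9CE66E252719AB5FE
C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe --a---- 25088 bytes [02:49 21/01/2008] [02:49 21/01/2008] 0E135526E9785D085BCD9AEDE6FBCBF9
C:\Windows\System32\services.exe --a---- 279552 bytes [09:00 20/08/2012] [02:48 21/01/2008] DEADBEEFDEADBEEFDEADBEEFDEADBEEF
C:\Windows\winsxs\amd64_PLACEHOLDER-services-component_31bf3856ad364e35_6.0.6001.18000_none_0000000000000000\services.exe --a---- 279552 bytes [02:48 21/01/2008] [02:48 21/01/2008] 0123456789ABCDEF0123456789ABCDEF
-= EOF =-
"""


class Entry(NamedTuple):
    path: str
    name: str             # basename, lower-cased, e.g. "userinit.exe"
    role: str             # "live", "winsxs", "backup" or "other"
    arch: Optional[str]   # "amd64" / "x86" (None when unknown)
    size: int
    md5: str


def classify(path: str) -> Tuple[str, Optional[str]]:
    """Map a path to (role, architecture) for a 64-bit Windows install."""
    p = path.lower()
    m = WINSXS_RE.search(p)
    if m:
        return "winsxs", m.group(1)
    # SysWOW64 holds the 32-bit copies; erdnt\cache* are the ERUNT/ComboFix
    # backups that also appear in the log above.
    for marker, role, arch in (("\\syswow64\\", "live", "x86"),
                               ("\\system32\\", "live", "amd64"),
                               ("\\erdnt\\cache64\\", "backup", "amd64"),
                               ("\\erdnt\\cache86\\", "backup", "x86")):
        if marker in p:
            return role, arch
    return "other", None


def parse_filefind(text: str) -> List[Entry]:
    """Keep well-formed result lines only; headers and the EOF marker are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        role, arch = classify(path)
        entries.append(Entry(path, path.rsplit("\\", 1)[-1].lower(), role, arch,
                             int(m.group("size")), m.group("md5").upper()))
    return entries


def check_against_winsxs(text: str) -> Dict[str, str]:
    """Return {live path: verdict}. MATCH: hash equals a WinSxS copy of the same
    file and architecture. MISMATCH: no store copy carries this hash (patched
    binary, or an update whose store copy the search missed): investigate.
    NO_REFERENCE: the search returned no WinSxS copy to compare against."""
    entries = parse_filefind(text)
    reference: Dict[Tuple[Optional[str], str], set] = {}
    for e in entries:
        if e.role == "winsxs":
            reference.setdefault((e.arch, e.name), set()).add(e.md5)
    verdicts: Dict[str, str] = {}
    for e in entries:
        if e.role != "live":
            continue
        known = reference.get((e.arch, e.name))
        if known is None:
            verdicts[e.path] = "NO_REFERENCE"
        else:
            verdicts[e.path] = "MATCH" if e.md5 in known else "MISMATCH"
    return verdicts
```

A file with several servicing versions has several WinSxS copies, which is why the reference is a set of hashes per (architecture, file name) rather than a single value.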
 
ComboFix Script

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    FCopy::
    C:\Windows\erdnt\cache86\userinit.exe | C:\Windows\System32\userinit.exe

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScriptB-4.gif]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.
 
Here it is...doesn't look like much

ComboFix 12-08-22.03 - Main 08/22/2012 16:01:30.7.8 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.6134.4622 [GMT -6:00]
Running from: C:\Users\Main\Desktop\ComboFix.exe
Command switches used :: C:\Users\Main\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
    1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.
 
Now we are talking, found the little buggers:

C:\FRST\Quarantine\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\U\000000cb.@ Win64/Conedex.B trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\U\80000000.@ Win64/Sirefef.AP trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\{58a01c4c-15bb-1eb6-0152-4ea8722ef895}\U\80000032.@ a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\FRST\Quarantine\services.exe Win64/Patched.A trojan deleted - quarantined
 
Nah. Just quarantine. They were already safely killed earlier. No biggie.

Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death
 
The only weirdness is when attempting to open IE or Firefox, there seems to be a problem writing the graphics. For example if you drag a dialog window over the open browser a series of tracers are written across the window, that never clear. Google Chrome does not seem to have these problems.

I also have the graphics write issue with Windows Photo Gallery. It shows a picture in the side bar preview pane (as normal), but then never displays the photo in the main viewing pane, so that you can adjust exposure/contrast/saturation, etc.

There is also Babylon infesting the browsers. For example in Firefox, when you open a new tab it goes to a Babylon search rather than displaying the "pinned" sites designated. Both IE & Firefox have an odd home page, instead of the pages I had specified. Firefox home was specified as www.google.com and IE was for the local real estate MLS. Here is the URL:

http://webhelper.centurylink.com/index.php?origURL=http://www.google.ocm/&r=

Note the ".ocm" instead of ".com" in the google part at the end.

I have DSL through Century Link, but I don't know if that has anything to do with this.

I have played Need for Speed, Most Wanted (an oldie but a goodie), and it runs flawlessly with all graphic settings maxed out. I told my wife I was testing the system, but she didn't buy that...oh well.

The photo desk top background image and all other graphic functions seem normal.

When looking at the task manager processes, "System Idle Process" is around 97-98% with "Winword.exe" and wnpetwk.exe at 1% each (also taskmngr.exe is 1% when in use as expected).

No BSOD, Slowness, Antivirus or crashes.

I have downloaded the video card drivers (AMD/ATI) to my flash drive, but wanted to touch base with you before reinstalling the video drivers.

Thank you again, so much for all of your help.

Sincerely,

Granpz719
 
Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.


Additional FRST Scan

Once again, please boot to the System Recovery Options and run FRST, as done previously.

Type the following text in the blank box after Search:

userinit.exe

Click: Search file(s)

[image: FRST2.gif]


When done searching, FRST makes a log, Search.txt, on the C:\ drive.

Please provide the Search.txt in your reply.
 
Here we go...Logs, logs and more logs.

First the AdwCleaner[R1].txt log:

# AdwCleaner v1.801 - Logfile created 08/24/2012 at 13:03:50
# Updated 14/08/2012 by Xplode
# Operating system : Windows (TM) Vista Ultimate Service Pack 2 (64 bits)
# User : Main - COREI7
# Boot Mode : Normal
# Running from : J:\VI_TOOLS\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Users\Main\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Folder Found : C:\Users\Main\AppData\LocalLow\AskToolbar
Folder Found : C:\Users\Main\AppData\Roaming\Babylon
Folder Found : C:\ProgramData\Babylon
Folder Found : C:\ProgramData\InstallMate
Folder Found : C:\ProgramData\Tarma Installer
Folder Found : C:\ProgramData\Premium
File Found : C:\Users\Main\AppData\Local\funmoods.crx
File Found : C:\Users\Main\AppData\Local\funmoods-speeddial.crx
File Found : C:\Users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\searchplugins\Askcom.xml
File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Found : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
File Found : C:\user.js

***** [Registry] *****

Key Found : HKCU\Software\Conduit
Key Found : HKLM\SOFTWARE\Babylon
Key Found : HKLM\SOFTWARE\bflixtoolbar
Key Found : HKLM\SOFTWARE\Classes\f
Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore
Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore.1
Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Conduit
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Found : HKLM\SOFTWARE\Iminent
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
[x64] Key Found : HKCU\Software\Conduit
[x64] Key Found : HKLM\SOFTWARE\Classes\f
[x64] Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore
[x64] Key Found : HKLM\SOFTWARE\Classes\funmoodsApp.appCore.1
[x64] Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
[x64] Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\funmoods

***** [Registre - GUID] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1QzuzytD0EyC0B0AtC0Fzz0B0FzytCyEyCyCtN0D0Tzu0CtBtCtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=604335370

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\prefs.js

Found : user_pref("backup.old.browser.startup.homepage", "hxxp://search.babylon.com/?affID=110796&tt=3312_2&[...]
Found : user_pref("browser.babylon.HPOnNewTab", "");
Found : user_pref("browser.newtab.url", "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=NT_ss&mntr[...]
Found : user_pref("browser.search.defaultengine", "Ask.com");
Found : user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
Found : user_pref("browser.search.order.1", "Search the web (Babylon)");
Found : user_pref("browser.search.selectedEngine", "Search the web (Babylon)");
Found : user_pref("extensions.BabylonToolbar.admin", false);
Found : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Found : user_pref("extensions.BabylonToolbar.dfltLng", "en");
Found : user_pref("extensions.BabylonToolbar.excTlbr", false);
Found : user_pref("extensions.BabylonToolbar.id", "9e7f146600000000000090e6ba1f8bf8");
Found : user_pref("extensions.BabylonToolbar.instlDay", "15568");
Found : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Found : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Found : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Found : user_pref("extensions.BabylonToolbar.tlbrId", "tb9");
Found : user_pref("extensions.BabylonToolbar.tlbrSrchUrl", "hxxp://www.google.com/search?babsrc=TB_ggl&q=");
Found : user_pref("extensions.BabylonToolbar.vrsn", "1.6.4.6");
Found : user_pref("extensions.BabylonToolbar.vrsni", "1.6.4.6");
Found : user_pref("extensions.BabylonToolbar_i.babExt", "");
Found : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=110796&tt=3312_2");
Found : user_pref("extensions.BabylonToolbar_i.newTab", true);
Found : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=110796&tt=3312_[...]
Found : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Found : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Found : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.6.4.610:54:30");
Found : user_pref("extensions.funmoods.aflt", "nv1");
Found : user_pref("extensions.funmoods.autoRvrt", false);
Found : user_pref("extensions.funmoods.brwsrsrc", "ietlbr");
Found : user_pref("extensions.funmoods.cntry", "US");
Found : user_pref("extensions.funmoods.cv", "cv5");
Found : user_pref("extensions.funmoods.dfltLng", "");
Found : user_pref("extensions.funmoods.dfltSrch", true);
Found : user_pref("extensions.funmoods.dfltlng", "en");
Found : user_pref("extensions.funmoods.dfltsrch", true);
Found : user_pref("extensions.funmoods.dnsErr", true);
Found : user_pref("extensions.funmoods.envrmnt", "production");
Found : user_pref("extensions.funmoods.excTlbr", false);
Found : user_pref("extensions.funmoods.hdrMd5", "F3C2ADFE15F591416430C001CC606ACF");
Found : user_pref("extensions.funmoods.hmpg", true);
Found : user_pref("extensions.funmoods.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2[...]
Found : user_pref("extensions.funmoods.hrdid", "90E6BA1F8BF91466");
Found : user_pref("extensions.funmoods.id", "90E6BA1F8BF91466");
Found : user_pref("extensions.funmoods.instlDay", "15551");
Found : user_pref("extensions.funmoods.instlRef", "nv1");
Found : user_pref("extensions.funmoods.instlday", "15551");
Found : user_pref("extensions.funmoods.instlref", "nv1");
Found : user_pref("extensions.funmoods.isdcmntcmplt", true);
Found : user_pref("extensions.funmoods.keywordurl", "");
Found : user_pref("extensions.funmoods.lastVrsnTs", "1.5.23.2210:12:23");
Found : user_pref("extensions.funmoods.mntrvrsn", "1.3.0");
Found : user_pref("extensions.funmoods.newTab", true);
Found : user_pref("extensions.funmoods.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=nv1&chnl=nv1&cd=2XzuyEt[...]
Found : user_pref("extensions.funmoods.newtab", true);
Found : user_pref("extensions.funmoods.newtaburl", "hxxp://start.funmoods.com/?f=2&a=nv1&chnl=nv1&cd=2XzuyEt[...]
Found : user_pref("extensions.funmoods.prdct", "funmoods");
Found : user_pref("extensions.funmoods.prtnrId", "funmoods");
Found : user_pref("extensions.funmoods.prtnrid", "funmoods");
Found : user_pref("extensions.funmoods.savedVrsnTs", "1");
Found : user_pref("extensions.funmoods.sg", "none");
Found : user_pref("extensions.funmoods.smplGrp", "none");
Found : user_pref("extensions.funmoods.smplgrp", "none");
Found : user_pref("extensions.funmoods.srch", "");
Found : user_pref("extensions.funmoods.srchPrvdr", "Search");
Found : user_pref("extensions.funmoods.srchprvdr", "Search");
Found : user_pref("extensions.funmoods.tlbrId", "base");
Found : user_pref("extensions.funmoods.tlbrSrchUrl", "hxxp://start.funmoods.com/?f=3&a=nv1&chnl=nv1&cd=2Xzuy[...]
Found : user_pref("extensions.funmoods.tlbrid", "base");
Found : user_pref("extensions.funmoods.tlbrsrchurl", "hxxp://start.funmoods.com/?f=3&a=nv1&chnl=nv1&cd=2Xzuy[...]
Found : user_pref("extensions.funmoods.vrsn", "1.5.23.22");
Found : user_pref("extensions.funmoods.vrsnTs", "1.5.23.2210:12:23");
Found : user_pref("extensions.funmoods.vrsni", "1.5.23.22");
Found : user_pref("extensions.funmoods.vrsnts", "1.5.23.2210:12:23");
Found : user_pref("extensions.funmoods.xpestat\\xpereportdata", "30-6-2012");
Found : user_pref("extensions.funmoods_i.newTab", true);
Found : user_pref("extensions.funmoods_i.smplGrp", "none");
Found : user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.2210:12:23");
Found : user_pref("keyword.URL", "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=KW_ss&mntrId=9e7f[...]

-\\ Google Chrome v21.0.1180.83

File : C:\Users\Main\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found : "homepage": "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_ss&mntrId=9e7f1466000[...]
Found : "urls_to_restore_on_startup": [ "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=H[...]
Found : "name": "Funmoods",
Found : "update_url": "hxxp://funmoods.com/public/download/chrome/update.xml",
Found : "baseUrl": "hxxp://start.funmoods.com/results.php?",
Found : "update_url": "hxxp://update.funmoods.com/speeddial/update.xml?bu=st",
Found : "homepage": "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_ss&mntrId=9e7f1466000000[...]
Found : "urls_to_restore_on_startup": [ "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_s[...]

*************************

AdwCleaner[R1].txt - [13767 octets] - [24/08/2012 13:03:50]

########## EOF - C:\AdwCleaner[R1].txt - [13896 octets] ##########

Next the FRST.txt


Scan result of Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 24-08-2012 13:17:00
Running from F:\VI_TOOLS
Windows Vista (TM) Ultimate Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM-x32\...\Run: [TurboV] "C:\Program Files\ASUS\TurboV\TurboV.exe" [5391872 2009-05-25] ()
HKLM-x32\...\Run: [PlexUtilities] "C:\Program Files (x86)\Plextor\PlexUTILITIES\PlexRadar.exe" [1746944 2009-05-15] ()
HKLM-x32\...\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1310720 2008-04-15] (Analog Devices, Inc.)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [311296 2010-03-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [79192 2011-02-18] (Research In Motion Limited)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [296096 2012-07-21] (RealNetworks, Inc.)
HKLM-x32\...\Run: [combofix] C:\ComboFix\CF14863.3XE /c C:\ComboFix\Combobatch.bat [8272 2012-08-22] ()
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter [2438656 2009-04-10] (Microsoft Corporation)
HKU\Main\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [2363392 2009-11-20] (Hewlett-Packard Company)
HKU\Main\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Main\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Main\...\Run: [HydraVisionMDEngine] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraMD.exe" [569344 2010-08-03] (AMD)
HKU\Main\...\Run: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe" [393216 2010-08-03] (AMD)
HKU\Main\...\Run: [Grid] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraGrd.exe" [401408 2010-08-03] ()
HKLM-x32\...\Runonce: [combofix] C:\ComboFix\CF14863.3XE /c C:\ComboFixCombobatch.bat [x]
HKLM-x32\...\runonceex: [flags] 8
HKLM\...\Winlogon: [Userinit] C:\Windows\explorer.exe, [3079168 2009-04-10] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 205.171.3.25
AppInit_DLLs: C:\Windows\System32\guard64.dll
Startup: C:\Users\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files (x86)\WinZip\WZQKPICK32.EXE (WinZip Computing, S.L.)
Startup: C:\Users\Main\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)
Startup: C:\Users\Main\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ======

2 AEADIFilters; C:\Windows\System32\AEADISRV.EXE [111616 2008-07-14] (Andrea Electronics Corporation)
2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [90112 2009-04-01] ()
2 MDES; C:\ASUS.SYS\CONFIG\DVMExportService.exe [315392 2009-02-18] (DeviceVM)
2 Net Driver HPZ12; C:\Windows\System32\svchost.exe -k HPZ12 [27648 2008-01-20] (Microsoft Corporation)
2 Net Driver HPZ12; C:\Windows\SysWow64\svchost.exe -k HPZ12 [21504 2008-01-20] (Microsoft Corporation)
3 NtmsSvc; C:\Windows\System32\ntmssvc.dll [521216 2008-01-20] (Microsoft Corporation)
2 Pml Driver HPZ12; C:\Windows\System32\svchost.exe -k HPZ12 [27648 2008-01-20] (Microsoft Corporation)
2 Pml Driver HPZ12; C:\Windows\SysWow64\svchost.exe -k HPZ12 [21504 2008-01-20] (Microsoft Corporation)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
3 WinDefend; C:\Program Files (x86)\Windows Defender\mpsvc.dll [x]

========================== Drivers (Whitelisted) =============

3 ADIHdAudAddService; C:\Windows\System32\drivers\ADIHdAud.sys [472576 2008-08-20] (Analog Devices, Inc.)
1 Amfilter; C:\Windows\System32\DRIVERS\Amfltx64.sys [12288 2007-10-15] ((Standard mouse types))
3 Amusbprt; C:\Windows\System32\DRIVERS\Amusbx64.sys [17920 2008-02-13] (A4Tech Co.,Ltd.)
1 AsIO; C:\Windows\SysWow64\Drivers\AsIO.sys [13368 2009-04-05] ()
0 mrdd; C:\Windows\System32\Drivers\mrdd.sys [22568 2008-11-11] (Marvell Semiconductor, Inc.)
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15680 2006-10-31] ()
0 mv61xx; C:\Windows\System32\Drivers\mv61xx.sys [176680 2009-02-08] (Marvell Semiconductor, Inc.)
1 Beep; [x]
3 catchme; [x]
2 cpuz132; [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
1 isjarjoc; [x]
3 MozillaMaintenance; [x]
3 NAVENG; [x]
3 NAVEX15; [x]
2 Norton Internet Security; [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
1 SRTSP; [x]
1 SRTSPX; [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-24 11:03 - 2012-08-24 11:03 - 00013836 ____A C:\AdwCleaner[R1].txt
2012-08-23 06:21 - 2012-08-23 06:21 - 00000000 ____D C:\Program Files (x86)\ESET
2012-08-22 13:55 - 2012-08-24 07:06 - 00000000 ___SD C:\ComboFix
2012-08-22 12:10 - 2012-08-22 12:10 - 00000000 ____D C:\Program Files\COMODO
2012-08-21 07:21 - 2012-08-21 07:21 - 00020606 ____A C:\HitmanPro_20120821_0921.log
2012-08-21 07:14 - 2012-08-21 07:14 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-08-17 09:17 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-17 09:17 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-17 09:17 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-17 09:17 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-17 09:17 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-17 09:17 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-17 09:17 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-17 09:17 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-17 08:43 - 2012-08-22 12:06 - 00000000 ____D C:\Users\All Users\CPA_VA
2012-08-17 08:42 - 2012-08-17 08:42 - 00000000 ____D C:\Users\Public\Documents\COMODO
2012-08-17 08:40 - 2012-08-17 09:11 - 00505232 ____A C:\Windows\System32\Drivers\sfi.dat
2012-08-17 07:36 - 2012-08-17 07:36 - 01700352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gdiplus.dll
2012-08-17 07:36 - 2012-08-17 07:36 - 01060864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfc71.dll
2012-08-16 09:34 - 2012-08-16 09:34 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\eumxhleh.sys
2012-08-16 09:29 - 2012-08-16 09:29 - 00000000 ____D C:\$WINDOWS.~BT
2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagwrn.xml
2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagerr.xml
2012-08-16 09:24 - 2012-08-16 09:24 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gugoewef.sys
2012-08-16 09:19 - 2012-08-16 09:19 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
2012-08-16 09:13 - 2012-08-16 09:13 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\earqytlr.sys
2012-08-16 09:08 - 2012-08-16 09:44 - 00000000 ____D C:\FRST
2012-08-16 08:54 - 2012-08-16 08:54 - 00000304 ____A C:\user.js
2012-08-16 08:41 - 2012-08-16 08:41 - 00000000 ____D C:\Users\Main\AppData\Roaming\Babylon
2012-08-16 08:41 - 2012-08-16 08:41 - 00000000 ____D C:\Users\All Users\Babylon
2012-08-15 07:16 - 2012-08-17 09:09 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-09 13:50 - 2012-08-20 05:14 - 00000000 ____D C:\Users\Main\Documents\My Digital Editions
2012-08-09 13:48 - 2012-08-09 13:48 - 00001784 ____A C:\Users\Main\Desktop\RawFoodQuickandEasyOver100HealthyReci9781578263479.acsm
2012-08-06 15:03 - 2012-08-06 15:09 - 00000000 ____D C:\Users\All Users\SpeedyPC Software
2012-08-06 15:03 - 2012-08-06 15:03 - 00000000 ____D C:\Users\Main\AppData\Roaming\SpeedyPC Software
2012-08-06 15:03 - 2012-08-06 15:03 - 00000000 ____D C:\Users\Main\AppData\Roaming\DriverCure
2012-08-05 16:29 - 2012-08-22 14:00 - 00000000 ____D C:\Qoobox
2012-08-05 16:29 - 2012-08-18 10:12 - 00000000 ____D C:\Windows\erdnt
2012-08-05 14:12 - 2012-08-05 14:12 - 00000000 ____D C:\Windows\pss
2012-08-01 09:41 - 2012-08-01 09:41 - 00000043 ____A C:\Windows\DAOCONV.T2C
2012-08-01 09:29 - 2012-08-01 09:41 - 00000000 ____D C:\Program Files (x86)\HT Audio
2012-08-01 09:29 - 2012-08-01 09:29 - 00000043 ____A C:\Windows\DAOCONV.T1C
2012-08-01 09:29 - 1998-08-26 13:26 - 01045776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msjet35.dll
2012-08-01 09:29 - 1998-08-11 15:28 - 00407312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrepl35.dll
2012-08-01 09:29 - 1997-08-29 12:14 - 00270344 ____A () C:\Windows\SysWOW64\Btn32x10.ocx
2012-08-01 09:29 - 1997-07-19 14:55 - 01347344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSVBVM50.DLL
2012-08-01 09:29 - 1997-07-19 14:01 - 00196880 ____N (Microsoft Corporation) C:\Windows\SysWOW64\RICHTX32.OCX
2012-08-01 09:29 - 1997-07-19 14:01 - 00192784 ____N (Microsoft Corporation) C:\Windows\SysWOW64\TABCTL32.OCX
2012-08-01 09:29 - 1997-01-23 22:00 - 00078608 ____A (Microsoft Corporation) C:\Windows\SysWOW64\VB5DB.DLL
2012-08-01 09:29 - 1997-01-13 15:18 - 00037136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSJINT35.DLL
2012-08-01 09:29 - 1996-12-04 22:00 - 00077824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ODBCTL32.DLL
2012-08-01 09:29 - 1996-12-02 16:44 - 00251664 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSRD2X35.DLL
2012-08-01 09:29 - 1996-12-02 16:44 - 00024336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSJTER35.DLL
2012-08-01 09:29 - 1996-01-11 22:00 - 00200704 ____R (Sheridan Software Systems, Inc.) C:\Windows\SysWOW64\THREED32.OCX
2012-08-01 08:15 - 2012-08-01 08:15 - 00000000 ____D C:\Users\Main\AppData\Roaming\YourFileDownloader
2012-07-30 09:42 - 2012-08-16 09:28 - 00001155 ____A C:\Windows\setupact.log
2012-07-30 09:42 - 2012-08-16 09:28 - 00000000 ____A C:\Windows\setuperr.log
2012-07-30 09:03 - 2012-07-30 09:03 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-30 08:43 - 2012-07-30 08:43 - 00000000 ____D C:\Users\Main\AppData\Roaming\WinZip
2012-07-30 08:38 - 2012-07-30 08:39 - 00000000 ____D C:\Users\Main\AppData\Local\WinZip
2012-07-30 08:12 - 2012-07-30 08:12 - 00384844 ____A C:\Users\Main\AppData\Local\funmoods-speeddial.crx
2012-07-30 08:12 - 2012-07-30 08:12 - 00031465 ____A C:\Users\Main\AppData\Local\funmoods.crx
2012-07-27 17:38 - 2012-07-31 12:57 - 00000000 ____D C:\Woodworking
2012-07-26 08:12 - 2012-07-26 08:12 - 04064688 ____A C:\Users\Main\Desktop\Beginning_Game_Level_Design.rar

============ 3 Months Modified Files ========================

2012-08-24 11:05 - 2008-01-20 17:53 - 01874307 ____A C:\Windows\WindowsUpdate.log
2012-08-24 11:05 - 2006-11-02 07:40 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-24 11:05 - 2006-11-02 07:40 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-24 11:05 - 2006-11-02 07:21 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-24 11:05 - 2006-11-02 07:21 - 00003712 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-24 11:05 - 2006-11-02 04:46 - 00707430 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-24 11:03 - 2012-08-24 11:03 - 00013836 ____A C:\AdwCleaner[R1].txt
2012-08-24 10:37 - 2012-07-24 10:58 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-24 10:23 - 2010-02-11 14:04 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-08-24 10:22 - 2010-02-11 14:04 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-08-24 08:45 - 2010-03-30 03:24 - 00000426 _RASH C:\Users\Main\ntuser.pol
2012-08-23 12:43 - 2009-05-13 08:53 - 00001194 ____A C:\Windows\WINSET32.INI
2012-08-23 11:00 - 2010-01-10 11:52 - 00029184 ____A C:\Users\Main\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-08-22 14:19 - 2009-12-05 18:54 - 00000177 ____H C:\dvmexp.idx
2012-08-22 14:09 - 2006-11-02 07:39 - 00193006 ____A C:\Windows\PFRO.log
2012-08-21 07:21 - 2012-08-21 07:21 - 00020606 ____A C:\HitmanPro_20120821_0921.log
2012-08-17 10:25 - 2006-11-02 04:34 - 00000215 ____A C:\Windows\system.ini
2012-08-17 09:11 - 2012-08-17 08:40 - 00505232 ____A C:\Windows\System32\Drivers\sfi.dat
2012-08-17 09:09 - 2012-08-15 07:16 - 00001945 ____A C:\Windows\epplauncher.mif
2012-08-17 07:36 - 2012-08-17 07:36 - 01700352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\gdiplus.dll
2012-08-17 07:36 - 2012-08-17 07:36 - 01060864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mfc71.dll
2012-08-16 09:34 - 2012-08-16 09:34 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\eumxhleh.sys
2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagwrn.xml
2012-08-16 09:28 - 2012-08-16 09:28 - 00001887 ____A C:\Windows\diagerr.xml
2012-08-16 09:28 - 2012-07-30 09:42 - 00001155 ____A C:\Windows\setupact.log
2012-08-16 09:28 - 2012-07-30 09:42 - 00000000 ____A C:\Windows\setuperr.log
2012-08-16 09:24 - 2012-08-16 09:24 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\gugoewef.sys
2012-08-16 09:13 - 2012-08-16 09:13 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\earqytlr.sys
2012-08-16 08:54 - 2012-08-16 08:54 - 00000304 ____A C:\user.js
2012-08-15 07:14 - 2012-02-16 20:15 - 00725714 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-08-14 22:38 - 2012-04-01 16:15 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-08-14 22:38 - 2011-05-24 10:50 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-08-09 13:48 - 2012-08-09 13:48 - 00001784 ____A C:\Users\Main\Desktop\RawFoodQuickandEasyOver100HealthyReci9781578263479.acsm
2012-08-06 15:04 - 2010-12-02 08:19 - 00000539 ____A C:\Users\Main\AppData\Roaming\Rim.Desktop.Exception.log
2012-08-06 07:07 - 2012-03-30 07:53 - 00000069 ____A C:\Windows\NeroDigital.ini
2012-08-06 07:07 - 2011-11-02 03:48 - 00000145 ____A C:\Users\Main\AppData\Roaming\default.rss
2012-08-01 14:42 - 2009-12-05 18:11 - 00099904 ____A C:\Users\Main\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-01 14:42 - 2006-11-02 07:21 - 00379200 ____A C:\Windows\System32\FNTCACHE.DAT
2012-08-01 09:41 - 2012-08-01 09:41 - 00000043 ____A C:\Windows\DAOCONV.T2C
2012-08-01 09:29 - 2012-08-01 09:29 - 00000043 ____A C:\Windows\DAOCONV.T1C
2012-08-01 08:01 - 2010-01-24 06:00 - 00000680 ____A C:\Users\Main\AppData\Local\d3d9caps.dat
2012-07-30 09:42 - 2009-12-05 18:11 - 00001460 ____A C:\Users\Main\AppData\Local\d3d9caps64.dat
2012-07-30 08:12 - 2012-07-30 08:12 - 00384844 ____A C:\Users\Main\AppData\Local\funmoods-speeddial.crx
2012-07-30 08:12 - 2012-07-30 08:12 - 00031465 ____A C:\Users\Main\AppData\Local\funmoods.crx
2012-07-26 08:12 - 2012-07-26 08:12 - 04064688 ____A C:\Users\Main\Desktop\Beginning_Game_Level_Design.rar
2012-07-21 12:27 - 2012-07-21 12:27 - 00272896 ____A (Progressive Networks) C:\Windows\SysWOW64\pncrt.dll
2012-07-21 12:27 - 2012-07-21 12:27 - 00198864 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\rmoc3260.dll
2012-07-21 12:27 - 2012-07-21 12:27 - 00006656 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5016.dll
2012-07-21 12:27 - 2012-07-21 12:27 - 00005632 ____A (RealNetworks, Inc.) C:\Windows\SysWOW64\pndx5032.dll
2012-07-21 12:27 - 2010-04-29 01:47 - 00499712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcp71.dll
2012-07-21 12:27 - 2010-04-29 01:47 - 00348160 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msvcr71.dll
2012-07-11 01:06 - 2006-11-02 04:34 - 00002983 ____A C:\Windows\win.ini
2012-07-11 01:03 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-28 13:13 - 2009-12-21 11:51 - 00375794 ____A C:\Users\Main\AppData\Local\dd_depcheck_NETFX_EXP_35.txt
2012-06-28 13:13 - 2009-12-21 11:51 - 00323086 ____A C:\Users\Main\AppData\Local\dd_dotnetfx35install.txt
2012-06-13 05:58 - 2012-07-11 01:01 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-12 05:57 - 2012-06-12 05:57 - 14771880 ____A C:\Users\Main\Documents\cam.zip
2012-06-08 09:59 - 2012-07-10 20:29 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 09:47 - 2012-07-10 20:29 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 08:47 - 2012-07-10 20:29 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 08:47 - 2012-07-10 20:29 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 08:22 - 2012-07-10 20:29 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 08:22 - 2012-07-10 20:29 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-04 07:29 - 2012-07-10 20:29 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-21 14:51 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 14:51 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 14:51 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-21 14:51 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 14:51 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 14:51 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-21 14:51 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-21 14:51 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 14:51 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-21 14:51 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 13:19 - 2012-06-21 14:51 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 13:19 - 2012-06-21 14:51 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 13:15 - 2012-06-21 14:51 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 13:12 - 2012-06-21 14:51 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-06-02 04:49 - 2012-07-11 01:01 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 01:01 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 01:01 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 01:01 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 01:01 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 01:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 01:01 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 01:01 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 01:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 01:01 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 01:01 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 01:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 01:01 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 01:01 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 01:01 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 01:01 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 01:01 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 01:01 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 01:01 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 01:01 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 01:01 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 01:01 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 01:01 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 01:01 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 01:01 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 01:01 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 01:01 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 01:01 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 16:22 - 2012-07-10 20:29 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:22 - 2012-07-10 20:29 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 16:05 - 2012-07-10 20:29 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 16:04 - 2012-07-10 20:29 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 16:03 - 2012-07-10 20:29 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-05-31 10:25 - 2009-12-21 11:54 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 13%
Total physical RAM: 6134.18 MB
Available physical RAM: 5294.03 MB
Total Pagefile: 5800.35 MB
Available Pagefile: 5257.14 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:1397.26 GB) (Free:968.9 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (FRMCXFRE_EN_DVD) (CDROM) (Total:3.66 GB) (Free:0 GB) UDF
3 Drive e: (UDISK) (Removable) (Total:1.89 GB) (Free:0.26 GB) FAT32
4 Drive f: (SWISSMEMORY) (Removable) (Total:0.49 GB) (Free:0.28 GB) FAT
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 1397 GB 0 B
Disk 1 Online 1944 MB 0 B
Disk 2 Online 499 MB 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B
Disk 6 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1397 GB 1024 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 1397 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1944 MB 32 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E UDISK FAT32 Removable 1944 MB Healthy

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 498 MB 16 KB

==================================================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F SWISSMEMORY FAT Removable 498 MB Healthy

==================================================================================

Last Boot: 2012-08-24 02:25

======================= End Of Log ==========================
Now the search.txt log for userinit.exe

Farbar Recovery Scan Tool Version: 15-08-2012
Ran by SYSTEM at 2012-08-24 14:00:19
Running from F:\VI_TOOLS

================== Search: "userinit.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0025088 ____A (Microsoft Corporation) 0E135526E9785D085BCD9AEDE6FBCBF9

C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE

C:\Windows\SysWOW64\userinit.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0025088 ____A (Microsoft Corporation) 0E135526E9785D085BCD9AEDE6FBCBF9

C:\Windows\System32\userinit.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE

C:\Windows\erdnt\cache86\userinit.exe
[2012-08-17 10:31] - [2008-01-20 18:49] - 0025088 ____N (Microsoft Corporation) 0E135526E9785D085BCD9AEDE6FBCBF9

C:\Windows\erdnt\cache64\userinit.exe
[2012-08-17 10:31] - [2008-01-20 18:48] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE

====== End Of Search ======
 
FRST64 Fixlist

Please run the following:

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
Replace: C:\Windows\SysWOW64\userinit.exe C:\Windows\System32\userinit.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now, please enter System Recovery Options then select Command Prompt.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Now restart, let it boot normally and tell me how it went.


Remove the Adware.
  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
Please post the log.
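The FRST search output above is what the helper read by eye before writing the fixlist: two different MD5s, one per architecture (the x86 userinit.exe is 25088 bytes, the amd64 one 28160 bytes), with each live copy matching the winsxs component-store copy of the same architecture. The script below is an added example for this thread, not FRST's code and not the helper's fix. It parses the search block as posted, groups the copies by architecture, and flags any live copy in System32 or SysWOW64 whose hash matches no winsxs copy of that architecture. It assumes a 64-bit install, as the FRST header on this page states; the second input is a constructed variant in which the System32 copy has been swapped for a file with a different size, no company name and an unknown hash, to show what a replaced binary looks like in the same output.

```python
"""Cross-check an FRST64 "Search:" block against the winsxs reference copies.
Added example for this thread (not FRST's own code, not the helper's fix).
Assumes x64 Windows, as the FRST header on this page states: System32 holds
the amd64 binary, SysWOW64 the x86 one, winsxs the component-store copies."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "path arch md5 size company is_reference")

# One FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[[^\]]*\] - \[[^\]]*\] - (?P<size>\d+) \S+ "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$")
# winsxs component directories are prefixed with their architecture
WINSXS_RE = re.compile(r"\\winsxs\\(?P<arch>x86|amd64|wow64)_", re.IGNORECASE)

# Search output copied from the log posted above in this thread.
SAMPLE_SEARCH = r"""================== Search: "userinit.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_dc28ba15d1aff80b\userinit.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0025088 ____A (Microsoft Corporation) 0E135526E9785D085BCD9AEDE6FBCBF9

C:\Windows\winsxs\amd64_microsoft-windows-userinit_31bf3856ad364e35_6.0.6001.18000_none_384755998a0d6941\userinit.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE

C:\Windows\SysWOW64\userinit.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0025088 ____A (Microsoft Corporation) 0E135526E9785D085BCD9AEDE6FBCBF9

C:\Windows\System32\userinit.exe
[2008-01-20 18:48] - [2008-01-20 18:48] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE

C:\Windows\erdnt\cache64\userinit.exe
[2012-08-17 10:31] - [2008-01-20 18:48] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE

====== End Of Search ======
"""

def classify(path):
    """Return (architecture, is_reference) for one path on x64 Windows."""
    m = WINSXS_RE.search(path)
    if m:
        arch = m.group("arch").lower()
        return ("x86" if arch == "wow64" else arch), True
    low = path.lower()
    if "\\system32\\" in low:
        return "amd64", False
    if "\\syswow64\\" in low:
        return "x86", False
    return None, False      # backups such as erdnt\cache*: reported, not compared

def parse_frst_search(text):
    """Return an Entry for every path line followed by an FRST detail line."""
    lines = [line.rstrip() for line in text.splitlines()]
    entries = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if m and path and not path.startswith("="):
            arch, is_ref = classify(path)
            entries.append(Entry(path, arch, m.group("md5").upper(),
                                 int(m.group("size")), m.group("company"), is_ref))
    return entries

def check_against_winsxs(entries):
    """Compare each live copy's MD5 with the winsxs copies of the same arch."""
    reference = {}
    for e in entries:
        if e.is_reference and e.arch:
            reference.setdefault(e.arch, set()).add(e.md5)
    findings = {}
    for e in entries:
        if e.is_reference:
            continue
        if e.arch is None:
            findings[e.path] = "unclassified"
        elif e.arch not in reference:
            findings[e.path] = "no-reference"
        elif e.md5 in reference[e.arch]:
            findings[e.path] = "match"
        else:
            findings[e.path] = "MISMATCH"
    return reference, findings

def with_tampered_system32(text):
    """CONSTRUCTED variant: the live System32 copy swapped for a file with a
    different size, no company name and an unknown MD5."""
    genuine = (r"C:\Windows\System32\userinit.exe" + "\n" +
               r"[2008-01-20 18:48] - [2008-01-20 18:48] - 0028160 ____A (Microsoft Corporation) A0AB2BB9A92293D9CE66E252719AB5FE")
    fake = (r"C:\Windows\System32\userinit.exe" + "\n" +
            r"[2012-08-16 09:34] - [2012-08-16 09:34] - 0050392 ____A () 00112233445566778899AABBCCDDEEFF")
    if genuine not in text:
        raise ValueError("genuine System32 entry not found")
    return text.replace(genuine, fake)

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_SEARCH), ("constructed tamper", with_tampered_system32(SAMPLE_SEARCH))):
        reference, findings = check_against_winsxs(parse_frst_search(text))
        print(f"--- {label}: winsxs reference {reference}")
        for path, status in findings.items():
            print(f"{status:13} {path}")
```

Two caveats when reading the result. The comparison has to be per architecture, because the x86 and amd64 builds of the same file legitimately carry different sizes and hashes, as the posted output shows. And a match against winsxs only proves that the live file is identical to another copy on the same disk; it is not a signature check, and a component-store copy can be replaced too, which is why FRST's separate "MD5 is legit" check in the Bamital section, against hashes it carries itself, is the stronger of the two.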
 
Upon reboot the IE/Firefox/Photo Gallery stuff is all the same. IE and Chrome had error messages about the preference files being corrupt or invalid. Also note the "funmoods" & "Babylon" crap seems to be gone.

Here are the logs, first Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 15-08-2012
Ran by SYSTEM at 2012-08-26 09:59:41 Run:2
Running from I:\VI_TOOLS

==============================================

C:\Windows\System32\userinit.exe moved successfully.
C:\Windows\SysWOW64\userinit.exe copied successfully to C:\Windows\System32\userinit.exe

==== End of Fixlog ====
Now for AdwCleaner[S1].txt


# AdwCleaner v1.801 - Logfile created 08/26/2012 at 10:03:50
# Updated 14/08/2012 by Xplode
# Operating system : Windows (TM) Vista Ultimate Service Pack 2 (64 bits)
# User : Main - COREI7
# Boot Mode : Normal
# Running from : J:\VI_TOOLS\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Users\Main\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Deleted on reboot : C:\Users\Main\AppData\LocalLow\AskToolbar
Deleted on reboot : C:\Users\Main\AppData\Roaming\Babylon
Deleted on reboot : C:\ProgramData\Babylon
Deleted on reboot : C:\ProgramData\InstallMate
Deleted on reboot : C:\ProgramData\Tarma Installer
Deleted on reboot : C:\ProgramData\Premium
File Deleted : C:\Users\Main\AppData\Local\funmoods.crx
File Deleted : C:\Users\Main\AppData\Local\funmoods-speeddial.crx
File Deleted : C:\Users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\searchplugins\Askcom.xml
File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
File Deleted : C:\user.js

***** [Registry] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\bflixtoolbar
Key Deleted : HKLM\SOFTWARE\Classes\f
Key Deleted : HKLM\SOFTWARE\Classes\funmoodsApp.appCore
Key Deleted : HKLM\SOFTWARE\Classes\funmoodsApp.appCore.1
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\SOFTWARE\Iminent
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
[x64] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
[x64] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\funmoods

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0D80F1C5-D17B-4177-AC68-955F3EF9F191}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BCFF5F55-6F44-11D2-86F8-00104B265ED5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1D085C0A-E4F4-4F66-BDBF-4BE51015BFC3}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
[x64] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
[x64] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2Y1L1QzuzytD0EyC0B0AtC0Fzz0B0FzytCyEyCyCtN0D0Tzu0CtBtCtCtN1L2XzutBtFtCtFtDtFtAtDtC&cr=604335370 --> hxxp://www.google.com

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\prefs.js

C:\Users\Main\AppData\Roaming\Mozilla\Firefox\Profiles\ux83yb1u.default\user.js ... Deleted !

Deleted : user_pref("backup.old.browser.startup.homepage", "hxxp://search.babylon.com/?affID=110796&tt=3312_2&[...]
Deleted : user_pref("browser.babylon.HPOnNewTab", "");
Deleted : user_pref("browser.newtab.url", "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=NT_ss&mntr[...]
Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
Deleted : user_pref("browser.search.selectedEngine", "Search the web (Babylon)");
Deleted : user_pref("extensions.BabylonToolbar.admin", false);
Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar.dfltLng", "en");
Deleted : user_pref("extensions.BabylonToolbar.excTlbr", false);
Deleted : user_pref("extensions.BabylonToolbar.id", "9e7f146600000000000090e6ba1f8bf8");
Deleted : user_pref("extensions.BabylonToolbar.instlDay", "15568");
Deleted : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "tb9");
Deleted : user_pref("extensions.BabylonToolbar.tlbrSrchUrl", "hxxp://www.google.com/search?babsrc=TB_ggl&q=");
Deleted : user_pref("extensions.BabylonToolbar.vrsn", "1.6.4.6");
Deleted : user_pref("extensions.BabylonToolbar.vrsni", "1.6.4.6");
Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=110796&tt=3312_2");
Deleted : user_pref("extensions.BabylonToolbar_i.newTab", true);
Deleted : user_pref("extensions.BabylonToolbar_i.newTabUrl", "hxxp://search.babylon.com/?affID=110796&tt=3312_[...]
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.6.4.610:54:30");
Deleted : user_pref("extensions.funmoods.aflt", "nv1");
Deleted : user_pref("extensions.funmoods.autoRvrt", false);
Deleted : user_pref("extensions.funmoods.brwsrsrc", "ietlbr");
Deleted : user_pref("extensions.funmoods.cntry", "US");
Deleted : user_pref("extensions.funmoods.cv", "cv5");
Deleted : user_pref("extensions.funmoods.dfltLng", "");
Deleted : user_pref("extensions.funmoods.dfltSrch", true);
Deleted : user_pref("extensions.funmoods.dfltlng", "en");
Deleted : user_pref("extensions.funmoods.dfltsrch", true);
Deleted : user_pref("extensions.funmoods.dnsErr", true);
Deleted : user_pref("extensions.funmoods.envrmnt", "production");
Deleted : user_pref("extensions.funmoods.excTlbr", false);
Deleted : user_pref("extensions.funmoods.hdrMd5", "F3C2ADFE15F591416430C001CC606ACF");
Deleted : user_pref("extensions.funmoods.hmpg", true);
Deleted : user_pref("extensions.funmoods.hmpgUrl", "hxxp://start.funmoods.com/?f=1&a=nv1&chnl=nv1&cd=2XzuyEtN2[...]
Deleted : user_pref("extensions.funmoods.hrdid", "90E6BA1F8BF91466");
Deleted : user_pref("extensions.funmoods.id", "90E6BA1F8BF91466");
Deleted : user_pref("extensions.funmoods.instlDay", "15551");
Deleted : user_pref("extensions.funmoods.instlRef", "nv1");
Deleted : user_pref("extensions.funmoods.instlday", "15551");
Deleted : user_pref("extensions.funmoods.instlref", "nv1");
Deleted : user_pref("extensions.funmoods.isdcmntcmplt", true);
Deleted : user_pref("extensions.funmoods.keywordurl", "");
Deleted : user_pref("extensions.funmoods.lastVrsnTs", "1.5.23.2210:12:23");
Deleted : user_pref("extensions.funmoods.mntrvrsn", "1.3.0");
Deleted : user_pref("extensions.funmoods.newTab", true);
Deleted : user_pref("extensions.funmoods.newTabUrl", "hxxp://start.funmoods.com/?f=2&a=nv1&chnl=nv1&cd=2XzuyEt[...]
Deleted : user_pref("extensions.funmoods.newtab", true);
Deleted : user_pref("extensions.funmoods.newtaburl", "hxxp://start.funmoods.com/?f=2&a=nv1&chnl=nv1&cd=2XzuyEt[...]
Deleted : user_pref("extensions.funmoods.prdct", "funmoods");
Deleted : user_pref("extensions.funmoods.prtnrId", "funmoods");
Deleted : user_pref("extensions.funmoods.prtnrid", "funmoods");
Deleted : user_pref("extensions.funmoods.savedVrsnTs", "1");
Deleted : user_pref("extensions.funmoods.sg", "none");
Deleted : user_pref("extensions.funmoods.smplGrp", "none");
Deleted : user_pref("extensions.funmoods.smplgrp", "none");
Deleted : user_pref("extensions.funmoods.srch", "");
Deleted : user_pref("extensions.funmoods.srchPrvdr", "Search");
Deleted : user_pref("extensions.funmoods.srchprvdr", "Search");
Deleted : user_pref("extensions.funmoods.tlbrId", "base");
Deleted : user_pref("extensions.funmoods.tlbrSrchUrl", "hxxp://start.funmoods.com/?f=3&a=nv1&chnl=nv1&cd=2Xzuy[...]
Deleted : user_pref("extensions.funmoods.tlbrid", "base");
Deleted : user_pref("extensions.funmoods.tlbrsrchurl", "hxxp://start.funmoods.com/?f=3&a=nv1&chnl=nv1&cd=2Xzuy[...]
Deleted : user_pref("extensions.funmoods.vrsn", "1.5.23.22");
Deleted : user_pref("extensions.funmoods.vrsnTs", "1.5.23.2210:12:23");
Deleted : user_pref("extensions.funmoods.vrsni", "1.5.23.22");
Deleted : user_pref("extensions.funmoods.vrsnts", "1.5.23.2210:12:23");
Deleted : user_pref("extensions.funmoods.xpestat\\xpereportdata", "30-6-2012");
Deleted : user_pref("extensions.funmoods_i.newTab", true);
Deleted : user_pref("extensions.funmoods_i.smplGrp", "none");
Deleted : user_pref("extensions.funmoods_i.vrsnTs", "1.5.23.2210:12:23");
Deleted : user_pref("keyword.URL", "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=KW_ss&mntrId=9e7f[...]

-\\ Google Chrome v21.0.1180.83

File : C:\Users\Main\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted : "homepage": "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_ss&mntrId=9e7f1466000[...]
Deleted : "urls_to_restore_on_startup": [ "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=H[...]
Deleted : "name": "Funmoods",
Deleted : "update_url": "hxxp://funmoods.com/public/download/chrome/update.xml",
Deleted : "baseUrl": "hxxp://start.funmoods.com/results.php?",
Deleted : "update_url": "hxxp://update.funmoods.com/speeddial/update.xml?bu=st",
Deleted : "homepage": "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_ss&mntrId=9e7f1466000000[...]
Deleted : "urls_to_restore_on_startup": [ "hxxp://search.babylon.com/?affID=110796&tt=3312_2&babsrc=HP_s[...]

*************************

AdwCleaner[R1].txt - [13836 octets] - [24/08/2012 13:03:50]
AdwCleaner[S1].txt - [11905 octets] - [26/08/2012 10:03:50]

########## EOF - C:\AdwCleaner[S1].txt - [12034 octets] ##########
 