Solved Malware sirefef.y and similar found in MSE on Vista HP x86

Here you go Broni, scan successfully completed. ASW.dat saved to desktop as well. Thanks for your patience... you're a diamond my friend :)


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-07-16 03:58:36
-----------------------------
03:58:36.752 OS Version: Windows 6.0.6002 Service Pack 2
03:58:36.752 Number of processors: 2 586 0x1706
03:58:36.752 ComputerName: GREG-PC UserName: Greg
03:58:53.850 Initialize success
04:00:12.806 AVAST engine defs: 12071500
04:00:37.001 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
04:00:37.001 Disk 0 Vendor: SAMSUNG_HD502IJ 1AA01113 Size: 476940MB BusType: 3
04:00:37.017 Disk 0 MBR read successfully
04:00:37.017 Disk 0 MBR scan
04:00:37.017 Disk 0 Windows VISTA default MBR code
04:00:37.033 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
04:00:37.048 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
04:00:37.064 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 461516 MB offset 31586304
04:00:37.095 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 1 MB offset 976771072
04:00:37.095 Disk 0 Partition 4 **INFECTED** MBR:Alureon-K [Rtk]
04:00:37.126 Disk 0 scanning sectors +976773152
04:00:37.204 Disk 0 scanning C:\Windows\system32\drivers
04:01:10.900 Service scanning
04:02:28.838 Modules scanning
04:02:49.742 Disk 0 trace - called modules:
04:02:49.773 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys
04:02:49.773 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ce3780]
04:02:49.789 3 CLASSPNP.SYS[8bbac8b3] -> nt!IofCallDriver -> [0x86b2bb58]
04:02:49.789 5 acpi.sys[805bc6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x86b06b98]
04:02:58.119 AVAST engine scan C:\Windows
04:03:11.675 AVAST engine scan C:\Windows\system32
04:07:12.169 AVAST engine scan C:\Windows\system32\drivers
04:07:32.153 AVAST engine scan C:\Users\Greg
04:08:06.426 File: C:\Users\Greg\AppData\Local\Apps\2.0\KCEKG8JM.QTD\650PDRZ4.GZ0\cros..tion_18dde0b6f0266e94_0001.0000_60f416b8a42422e9\CrossFire Hack.exe **INFECTED** Win32:Malware-gen
04:08:34.100 File: C:\Users\Greg\AppData\Local\hqopmya.exe **INFECTED** Win32:Susn-AK [Trj]
04:08:37.891 File: C:\Users\Greg\AppData\Local\jkpcpukocn.exe **INFECTED** Win32:FakeAV-DNP [Trj]
04:14:26.896 File: C:\Users\Greg\AppData\Local\Temp\cdoqovxndc.exe **INFECTED** Win32:Malware-gen
04:59:02.988 File: C:\Users\Greg\Music\iTunes\iTunes Music\CrossFire Afk Bot\CrossFire Afk Bot\CrossFire d3d v.6.exe **INFECTED** Win32:Malware-gen
05:03:49.258 AVAST engine scan C:\ProgramData
05:17:05.453 Scan finished successfully
05:18:26.973 Disk 0 MBR has been saved successfully to "C:\Users\Greg\Desktop\MBR.dat"
05:18:26.973 The log file has been saved successfully to "C:\Users\Greg\Desktop\aswMBR.txt"
 
OK, we still have that infected partition.

For x86 (x32) bit systems please download Listparts to your Desktop.
For x64 bit systems please download Listparts64 to your Desktop.
Double click on downloaded file to start the program.

Click on Scan button.

Scan result will open in Notepad (Result.txt).
Post it in your next reply.
 
Results for your perusal :)


ListParts by Farbar Version: 15-07-2012
Ran by Greg (administrator) on 16-07-2012 at 05:41:57
Windows Vista (X86)
Running From: C:\Users\Greg\Desktop
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 42%
Total physical RAM: 3070.45 MB
Available physical RAM: 1759.82 MB
Total Pagefile: 6369.88 MB
Available Pagefile: 5188.91 MB
Total Virtual: 2047.88 MB
Available Virtual: 1976.38 MB
======================= Partitions =========================
1 Drive c: (OS) (Fixed) (Total:450.7 GB) (Free:178.96 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:6.25 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 63 MB 32 KB
Partition 2 Primary 15 GB 63 MB
Partition 3 Primary 451 GB 15 GB
Partition 4 Primary 1040 KB 466 GB
======================================================================================================
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
There is no volume associated with this partition.
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D RECOVERY NTFS Partition 15 GB Healthy
======================================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy System (partition with boot components)
======================================================================================================
Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F RAW Partition 1040 KB Healthy
======================================================================================================
****** End Of Log ******
 
  • Please open Notepad (Start>All Programs>Accessories>Notepad).
  • Copy and paste the contents of the quote box below into Notepad.

Disk=0 partition=4 delete

  • Save as Fix.txt to your Desktop (must be in this location).

Next

  • Double click ListParts.exe/ListParts64.exe to launch the program.
  • Press the Fix button.
  • ListParts will process the script in Fix.txt.
  • When finished please press the Scan button.
  • A log Result.txt will open on your Desktop.
  • Please post me the contents of the log.
 
Result log,


ListParts by Farbar Version: 15-07-2012
Ran by Greg (administrator) on 16-07-2012 at 05:57:48
Windows Vista (X86)
Running From: C:\Users\Greg\Desktop
Language: 0409
************************************************************
========================= Memory info ======================
Percentage of memory in use: 43%
Total physical RAM: 3070.45 MB
Available physical RAM: 1748 MB
Total Pagefile: 6369.88 MB
Available Pagefile: 5186.45 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.2 MB
======================= Partitions =========================
1 Drive c: (OS) (Fixed) (Total:450.7 GB) (Free:178.96 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:15 GB) (Free:6.25 GB) NTFS
Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 466 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Partitions of Disk 0:
===============
Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 63 MB 32 KB
Partition 2 Primary 15 GB 63 MB
Partition 3 Primary 451 GB 15 GB
======================================================================================================
Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No
There is no volume associated with this partition.
======================================================================================================
Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D RECOVERY NTFS Partition 15 GB Healthy
======================================================================================================
Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes
Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy System (partition with boot components)
======================================================================================================
****** End Of Log ******
 
Good job :)

Delete your Combofix file, download fresh one and try to run it again (try safe mode if needed).

If still no go, post a new FRST log.
 
Combo Fix scan log for your perusal Broni :)


ComboFix 12-07-14.01 - Greg 16/07/2012 6:31.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3070.1735 [GMT 10:00]
Running from: c:\users\Greg\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\cflog\CrashLog_20100807.txt
c:\cflog\CrashLog_20100810.txt
c:\cflog\CrashLog_20100811.txt
c:\cflog\CrashLog_20100821.txt
c:\cflog\CrashLog_20100826.txt
c:\cflog\CrashLog_20100827.txt
c:\cflog\CrashLog_20100830.txt
c:\cflog\CrashLog_20100902.txt
c:\cflog\CrashLog_20100907.txt
c:\cflog\CrashLog_20100909.txt
c:\cflog\CrashLog_20100911.txt
c:\cflog\CrashLog_20100912.txt
c:\cflog\CrashLog_20100913.txt
c:\cflog\CrashLog_20100921.txt
c:\cflog\CrashLog_20100924.txt
c:\cflog\CrashLog_20100925.txt
c:\cflog\CrashLog_20100926.txt
c:\cflog\CrashLog_20100927.txt
c:\cflog\CrashLog_20100930.txt
c:\cflog\CrashLog_20101010.txt
c:\cflog\CrashLog_20101011.txt
c:\cflog\CrashLog_20101016.txt
c:\cflog\CrashLog_20101017.txt
c:\cflog\CrashLog_20101018.txt
c:\cflog\CrashLog_20101023.txt
c:\cflog\CrashLog_20101024.txt
c:\cflog\CrashLog_20101030.txt
c:\cflog\CrashLog_20101103.txt
c:\cflog\CrashLog_20101104.txt
c:\cflog\CrashLog_20101106.txt
c:\cflog\CrashLog_20101107.txt
c:\cflog\CrashLog_20101108.txt
c:\cflog\CrashLog_20101114.txt
c:\cflog\CrashLog_20101201.txt
c:\cflog\CrashLog_20101204.txt
c:\cflog\CrashLog_20101208.txt
c:\cflog\CrashLog_20101209.txt
c:\cflog\CrashLog_20101211.txt
c:\cflog\CrashLog_20101214.txt
c:\cflog\CrashLog_20101215.txt
c:\cflog\CrashLog_20101218.txt
c:\cflog\CrashLog_20101220.txt
c:\cflog\CrashLog_20101221.txt
c:\cflog\CrashLog_20101225.txt
c:\cflog\CrashLog_20101227.txt
c:\cflog\CrashLog_20101230.txt
c:\cflog\CrashLog_20101231.txt
c:\cflog\CrashLog_20110101.txt
c:\cflog\CrashLog_20110103.txt
c:\cflog\CrashLog_20110104.txt
c:\cflog\CrashLog_20110105.txt
c:\cflog\CrashLog_20110106.txt
c:\cflog\CrashLog_20110108.txt
c:\cflog\CrashLog_20110113.txt
c:\cflog\CrashLog_20110115.txt
c:\cflog\CrashLog_20110116.txt
c:\cflog\CrashLog_20110118.txt
c:\cflog\CrashLog_20110217.txt
c:\cflog\CrashLog_20110218.txt
c:\cflog\CrashLog_20110304.txt
c:\cflog\CrashLog_20110305.txt
c:\cflog\CrashLog_20110328.txt
c:\cflog\CrashLog_20110426.txt
c:\cflog\CrashLog_20110427.txt
c:\cflog\CrashLog_20110428.txt
c:\cflog\CrashLog_20110429.txt
c:\cflog\CrashLog_20111119.txt
c:\cflog\CrashLog_20111122.txt
c:\cflog\CrashLog_20111124.txt
c:\cflog\CrashLog_20111125.txt
c:\cflog\CrashLog_20111129.txt
c:\cflog\CrashLog_20111130.txt
c:\cflog\CrashLog_20111201.txt
c:\cflog\CrashLog_20111213.txt
c:\cflog\CrashLog_20111214.txt
c:\cflog\CrashLog_20111216.txt
c:\cflog\CrashLog_20111218.txt
c:\cflog\CrashLog_20111219.txt
c:\cflog\CrashLog_20111221.txt
c:\cflog\CrashLog_20120411.txt
c:\cflog\CrashLog_20120416.txt
c:\cflog\CrashLog_20120502.txt
c:\program files\Automated Content Enhancer
c:\program files\Automated Content Enhancer\4.2.0.5360\ACEIeaddon.dll
c:\program files\Automated Content Enhancer\4.2.0.5360\Data\config.md
c:\program files\Automated Content Enhancer\4.2.0.5360\FF\chrome.manifest
c:\program files\Automated Content Enhancer\4.2.0.5360\FF\chrome\ACEAddOn.jar
c:\program files\Automated Content Enhancer\4.2.0.5360\FF\chrome\content\ACEAddOn.js
c:\program files\Automated Content Enhancer\4.2.0.5360\FF\chrome\content\ACEAddOn.xul
c:\program files\Automated Content Enhancer\4.2.0.5360\FF\components\ACEFFAddOn.dll
c:\program files\Automated Content Enhancer\4.2.0.5360\FF\components\ACEFFAddOn.xpt
c:\program files\Automated Content Enhancer\4.2.0.5360\FF\components\ACEFFHelperComponent.js
c:\program files\Automated Content Enhancer\4.2.0.5360\FF\install.rdf
c:\program files\Automated Content Enhancer\4.2.0.5360\unins000.dat
c:\program files\Automated Content Enhancer\4.2.0.5360\unins000.exe
c:\program files\BasicScan
c:\program files\BasicScan\uninstall.exe
c:\program files\Content Management Wizard
c:\program files\Content Management Wizard\1.2.0.2080\CMWIe.dll
c:\program files\Content Management Wizard\1.2.0.2080\cmwsh.dll
c:\program files\Content Management Wizard\1.2.0.2080\config.mx
c:\program files\Content Management Wizard\1.2.0.2080\data.mx
c:\program files\Content Management Wizard\1.2.0.2080\exclude.mx
c:\program files\Content Management Wizard\1.2.0.2080\MatchingData.zd5
c:\program files\Content Management Wizard\1.2.0.2080\pxtmpdata.mx
c:\program files\Content Management Wizard\1.2.0.2080\unins000.dat
c:\program files\Content Management Wizard\1.2.0.2080\unins000.exe
c:\program files\Customized Platform Advancer
c:\program files\Customized Platform Advancer\4.2.0.2050\CPACommon.dll
c:\program files\Customized Platform Advancer\4.2.0.2050\CPAIEAddOn.dll
c:\program files\Customized Platform Advancer\4.2.0.2050\Data\config.md
c:\program files\Customized Platform Advancer\4.2.0.2050\FF\chrome.manifest
c:\program files\Customized Platform Advancer\4.2.0.2050\FF\chrome\content\CPAAddOn.js
c:\program files\Customized Platform Advancer\4.2.0.2050\FF\chrome\content\CPAAddOn.xul
c:\program files\Customized Platform Advancer\4.2.0.2050\FF\chrome\CPAAddOn.jar
c:\program files\Customized Platform Advancer\4.2.0.2050\FF\components\CPAFFAddOn.dll
c:\program files\Customized Platform Advancer\4.2.0.2050\FF\components\CPAFFAddOn.xpt
c:\program files\Customized Platform Advancer\4.2.0.2050\FF\components\CPAFFHelperComponent.js
c:\program files\Customized Platform Advancer\4.2.0.2050\FF\install.rdf
c:\program files\Customized Platform Advancer\4.2.0.2050\unins000.dat
c:\program files\Customized Platform Advancer\4.2.0.2050\unins000.exe
c:\program files\FunWebProducts
c:\program files\HyperCam Toolbar\tbHElper.dll
c:\program files\Internet Today
c:\program files\Internet Today\1.2.0.1420\InternetToday.ico
c:\program files\Internet Today\1.2.0.1420\InternetToday.skf
c:\program files\Internet Today\1.2.0.1420\mfc80.dll
c:\program files\Internet Today\1.2.0.1420\Microsoft.VC80.CRT.manifest
c:\program files\Internet Today\1.2.0.1420\Microsoft.VC80.MFC.manifest
c:\program files\Internet Today\1.2.0.1420\msvcr80.dll
c:\program files\Internet Today\1.2.0.1420\SkinCrafterDll.dll
c:\program files\Internet Today\1.2.0.1420\unins000.dat
c:\program files\Internet Today\1.2.0.1420\unins000.exe
c:\program files\IObitBar\toolbar\1.bin\i0SRcas.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\2.bin\CHROME.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\2.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTmlmu.dll
c:\program files\MyWebSearch\bar\2.bin\F3HTtpct.dll
c:\program files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\2.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\2.bin\F3SCrctr.dll
c:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\2.bin\INSTALL.RDF
c:\program files\MyWebSearch\bar\2.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\2.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\2.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSMLBTN.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSUABTN.DLL
c:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Overlay\COMMON.F3S
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\Textual Content Provider
c:\program files\Textual Content Provider\1.2.0.2040\data\pxtmpdata.mx
c:\program files\Textual Content Provider\1.2.0.2040\data\TP_Config.mx
c:\program files\Textual Content Provider\1.2.0.2040\data\TP_Data.mx
c:\program files\Textual Content Provider\1.2.0.2040\data\TP_DomainExcludeList.mx
c:\program files\Textual Content Provider\1.2.0.2040\data\TP_DomainInterval.mx
c:\program files\Textual Content Provider\1.2.0.2040\data\TP_KeywordInterval.mx
c:\program files\Textual Content Provider\1.2.0.2040\unins000.dat
c:\program files\Textual Content Provider\1.2.0.2040\unins000.exe
c:\program files\Web Search Operator
c:\program files\Web Search Operator\4.2.0.2150\Data\config.md
c:\program files\Web Search Operator\4.2.0.2150\FF\chrome.manifest
c:\program files\Web Search Operator\4.2.0.2150\FF\chrome\content\WSOAddOn.js
c:\program files\Web Search Operator\4.2.0.2150\FF\chrome\content\WSOAddOn.xul
c:\program files\Web Search Operator\4.2.0.2150\FF\chrome\WSOAddOn.jar
c:\program files\Web Search Operator\4.2.0.2150\FF\components\WSOFFAddOn.dll
c:\program files\Web Search Operator\4.2.0.2150\FF\components\WSOFFAddOn.xpt
c:\program files\Web Search Operator\4.2.0.2150\FF\components\WSOFFHelperComponent.js
c:\program files\Web Search Operator\4.2.0.2150\FF\install.rdf
c:\program files\Web Search Operator\4.2.0.2150\unins000.dat
c:\program files\Web Search Operator\4.2.0.2150\unins000.exe
c:\program files\Web Search Operator\4.2.0.2150\WSOCommon.dll
c:\program files\YouTube Downloader Toolbar\SeARchsettings.dll
c:\programdata\17dc64539899890e926c4339ab349fa3_c
c:\programdata\SPL408C.tmp
c:\programdata\SPL442E.tmp
c:\programdata\SPL7CDC.tmp
c:\programdata\SPL9432.tmp
c:\programdata\SPL9A4B.tmp
c:\users\Greg\AppData\Local\hqopmya.exe
c:\users\Greg\AppData\Local\Internet Today
c:\users\Greg\AppData\Local\jkpcpukocn.exe
c:\users\Greg\AppData\Roaming\ac.exe
c:\users\Greg\AppData\Roaming\appdata
c:\users\Greg\AppData\Roaming\Greglog.dat
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\cb.sys
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.dll
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.drv
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.sys
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\ddv.exe
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\ddv.tmp
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\delfile.drv
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\delfile.sys
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\dudl.dll
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\eb.drv
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\eb.tmp
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\energy.dll
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\energy.sys
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\exec.sys
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\exec.tmp
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\fix.sys
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\FS.dll
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\hymt.sys
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\kernel32.sys
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\pal.exe
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\pal.tmp
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\PE.sys
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\ppal.drv
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\runddlkey.tmp
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.exe
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.tmp
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\sld.dll
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\sld.exe
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\sld.tmp
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\SM.dll
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\std.drv
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\std.sys
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.dll
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\tjd.dll
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Recent\tjd.drv
c:\users\Greg\AppData\Roaming\Poum
c:\users\Greg\AppData\Roaming\Poum\ulih.exe
c:\users\Greg\AppData\Roaming\rundll32.exe
c:\users\Greg\Favorites\actiontrip girls - Google Search.ur
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
c:\windows\system32\DEBUG.log
c:\windows\system32\f3PSSavr.scr
.
.
((((((((((((((((((((((((( Files Created from 2012-06-15 to 2012-07-15 )))))))))))))))))))))))))))))))
.
.
2012-07-15 20:39 . 2012-07-15 20:46 -------- d-----w- c:\users\Greg\AppData\Local\temp
2012-07-15 20:39 . 2012-07-15 20:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-15 07:23 . 2012-07-15 07:23 -------- d-----w- C:\FRST
2012-07-10 11:31 . 2012-07-10 11:31 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-08 07:59 . 2012-07-08 07:59 -------- d-----w- c:\users\Greg\AppData\Local\etax2012
2012-07-07 06:08 . 2012-07-07 06:20 -------- d-----w- c:\users\Greg\AppData\Roaming\Ovwua
2012-07-04 08:46 . 2012-07-04 08:46 -------- d-----w- c:\program files\Lame For Audacity
2012-07-04 02:19 . 2012-07-04 02:19 -------- d-----w- c:\programdata\Sony
2012-07-03 07:37 . 2012-07-08 07:59 -------- d-----w- c:\program files\etax2012
2012-07-03 07:14 . 2012-07-03 07:14 -------- d-----w- c:\users\Greg\AppData\Roaming\Publish Providers
2012-07-03 07:11 . 2012-07-03 07:12 -------- d-----w- c:\users\Greg\AppData\Local\Sony
2012-07-03 07:11 . 2012-07-03 07:11 -------- d-----w- c:\program files\Sony
2012-07-03 07:10 . 2012-07-04 02:18 -------- d-----w- c:\users\Greg\AppData\Roaming\Sony
2012-07-02 10:36 . 2012-07-02 10:36 -------- d-----w- c:\program files\Ask.com
2012-07-02 10:34 . 2012-07-02 10:34 -------- d-----w- c:\program files\FreeTime
2012-06-27 00:12 . 2012-06-30 03:09 -------- d-----w- C:\Log
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-15 19:02 . 2012-04-04 07:49 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-15 19:02 . 2011-08-14 01:40 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-17 17:14 . 2012-07-15 18:11 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{300AB105-98E1-4012-879C-C5EC6F777073}\mpengine.dll
2012-06-02 22:19 . 2012-06-08 23:29 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-08 23:29 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-08 23:28 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-08 23:28 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-08 23:29 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-08 23:29 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-08 23:28 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 05:19 . 2012-06-08 23:28 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 05:12 . 2012-06-08 23:28 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 02:25 . 2010-04-11 09:16 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-17 22:45 . 2012-06-13 10:03 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35 . 2012-06-13 10:03 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35 . 2012-06-13 10:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29 . 2012-06-13 10:03 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24 . 2012-06-13 10:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-15 19:51 . 2012-06-13 05:15 2045440 ----a-w- c:\windows\system32\win32k.sys
2012-05-03 02:54 . 2012-05-03 02:54 42392 ----a-w- c:\windows\system32\xfcodec.dll
2012-05-01 14:03 . 2012-06-13 05:15 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 16:00 . 2012-06-13 05:15 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-04-23 16:00 . 2012-06-13 05:15 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-04-23 16:00 . 2012-06-13 05:15 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-04-18 10:56 . 2012-04-18 10:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-18 10:56 . 2012-04-18 10:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSoft.dll" [2010-06-03 2736736]
"{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}"= "c:\program files\Elf_1.15\tbElf_.dll" [2010-12-09 3911776]
"{6d8d66f3-14fc-4736-a096-fac0ea66289c}"= "c:\program files\midicase\prxtbmidi.dll" [2011-01-03 175400]
"{970a72ad-2603-4b4e-bb28-aff6ab80cccd}"= "c:\program files\CrazyForCricket_3k\bar\1.bin\3kSrcAs.dll" [2011-11-09 62864]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CLASSES_ROOT\clsid\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
.
[HKEY_CLASSES_ROOT\clsid\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
.
[HKEY_CLASSES_ROOT\clsid\{970a72ad-2603-4b4e-bb28-aff6ab80cccd}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-29 05:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2010-06-03 08:24 2736736 ----a-w- c:\program files\Softonic-Eng7\tbSoft.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2010-04-15 02:33 2515552 ----a-w- c:\program files\XfireXO\tbXfir.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64d23501-5195-4224-9446-e2b0fb64e859}]
2010-03-25 06:56 2349080 ----a-w- c:\program files\HiGames\tbHiG1.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
2011-01-03 00:16 175400 ----a-w- c:\program files\midicase\prxtbmidi.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
2010-12-09 02:51 3911776 ----a-w- c:\program files\Elf_1.15\tbElf_.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2011-08-24 08:21 1299248 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{64d23501-5195-4224-9446-e2b0fb64e859}"= "c:\program files\HiGames\tbHiG1.dll" [2010-03-25 2349080]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-04-15 2515552]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSoft.dll" [2010-06-03 2736736]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
"{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}"= "c:\program files\Elf_1.15\tbElf_.dll" [2010-12-09 3911776]
"{6d8d66f3-14fc-4736-a096-fac0ea66289c}"= "c:\program files\midicase\prxtbmidi.dll" [2011-01-03 175400]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2011-08-24 1299248]
.
[HKEY_CLASSES_ROOT\clsid\{64d23501-5195-4224-9446-e2b0fb64e859}]
.
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
.
[HKEY_CLASSES_ROOT\clsid\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{64D23501-5195-4224-9446-E2B0FB64E859}"= "c:\program files\HiGames\tbHiG1.dll" [2010-03-25 2349080]
"{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSoft.dll" [2010-06-03 2736736]
"{B9D63C58-90CC-428B-8D3B-CBB88EB07E7E}"= "c:\program files\Elf_1.15\tbElf_.dll" [2010-12-09 3911776]
"{6D8D66F3-14FC-4736-A096-FAC0EA66289C}"= "c:\program files\midicase\prxtbmidi.dll" [2011-01-03 175400]
.
[HKEY_CLASSES_ROOT\clsid\{64d23501-5195-4224-9446-e2b0fb64e859}]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CLASSES_ROOT\clsid\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
.
[HKEY_CLASSES_ROOT\clsid\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-03 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"Steam"="c:\program files\Steam\steam.exe" [2011-08-02 1242448]
"DeskSpace"="c:\users\Greg\Deskspace\deskspace.exe" [2002-01-01 1066496]
"Facebook Update"="c:\users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-15 138096]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-05-02 17355912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-18 6246400]
"dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-03-17 668912]
"dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-03-17 16624]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-10 30192]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"VX1000"="c:\windows\vVX1000.exe" [2009-07-24 762208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
"IObitBar Browser Plugin Loader"="c:\progra~1\IObitBar\toolbar\1.bin\i0brmon.exe" [2010-08-02 20480]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2011-08-01 114992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
"CrazyForCricket Search Scope Monitor"="c:\progra~1\CRAZYF~2\bar\1.bin\3ksrchmn.exe" [2011-11-09 38440]
"CrazyForCricket_3k Browser Plugin Loader"="c:\progra~1\CRAZYF~2\bar\1.bin\3kbrmon.exe" [2011-11-09 30096]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
DeskSpace.lnk - l:\deskspace\deskspace.exe [N/A]
Facebook Messenger.lnk - c:\users\Greg\AppData\Local\Facebook\Messenger\2.1.4570.0\FacebookMessenger.exe [2012-7-6 217536]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2012-5-3 3553176]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 19:02]
.
2012-07-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000Core.job
- c:\users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-03 18:09]
.
2012-07-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000UA.job
- c:\users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-03 18:09]
.
2012-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000Core.job
- c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-02 10:13]
.
2012-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000UA.job
- c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-02 10:13]
.
2012-07-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 05:40]
.
2012-07-15 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2008-10-03 11:18]
.
2012-07-15 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 05:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/index.php?lh=c0eff49bfa52c6577d051ffa05300cc9&eu=XVUHAKl-eM-CZ8lbII58wQ
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>;*.local
TCP: DhcpNameServer = 61.9.211.33 61.9.211.1
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\PageRage\tbPage.dll
BHO-{9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\PageRage\tbPage.dll
Toolbar-{9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\PageRage\tbPage.dll
WebBrowser-{9565115D-C7D6-46D3-BD63-B67B481A4368} - c:\program files\PageRage\tbPage.dll
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-KamikazeKat - c:\program files\ScreenMates\kamikazekat.exe
HKCU-Run-Felix - c:\program files\ScreenMates\felix.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-hpqSRMon - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-Addictive Football Demo - c:\program files\Addictive Football Demo\Uninstal.exe
AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe
AddRemove-Backyard Basketball 2007 - c:\program files\Backyard Basketball 2007\Uninstall.exe
AddRemove-CNXT_MODEM_PCI_HSF - c:\program files\CONEXANT\CNXT_MODEM_PCI_HSF\UIU32m.exe
AddRemove-Crossfire - c:\program files\cf-uninst.exe
AddRemove-PageRage Toolbar - c:\progra~1\PageRage\UNWISE.EXE
AddRemove-{2C08D7E7-9EE1-4A08-AFE0-745F02DCD6A4}_is1 - c:\users\Greg\Desktop\Pokemon Online\unins000.exe
AddRemove-{C12A198C-E751-4729-839A-8FA07CF941C1}_is1 - c:\program files\EA Sports\Fifa Online 2\unins000.exe
AddRemove-Crossfire 1.7a - c:\program files\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-16 06:44
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2530732781-1678084383-3266196856-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{65D3B8F8-3D45-C03F-F0D7-2C3C92B5E16E}*]
"papldpmnaoaokohaemlpjfgiafpoaann"=hex:6a,61,6a,6d,6a,68,6d,6f,67,6a,64,6d,68,
61,62,6a,63,65,62,65,00,b9
"abflnpbnmhgfbbbjclgejpimilboigghfe"=hex:69,61,6b,6d,62,69,6c,64,69,6a,67,64,
6c,67,6d,67,6d,67,00,00
.
[HKEY_USERS\S-1-5-21-2530732781-1678084383-3266196856-1000\Software\SecuROM\License information*]
"datasecu"=hex:ca,17,21,f5,a4,ce,b8,3a,5a,b5,99,3f,ce,f0,13,82,df,1d,b6,f2,71,
fd,e5,c5,d2,17,b1,07,53,70,dc,1c,b7,d4,65,a8,3b,5b,0f,75,79,a2,22,a1,43,1c,\
"rkeysecu"=hex:d3,70,bf,92,47,4f,b0,52,8c,2f,3f,54,b3,70,9c,1c
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5304)
c:\program files\SweetIM\Messenger\mgAdaptersProxy.dll
c:\users\Greg\Deskspace\deskspace151.dll
c:\program files\CrazyForCricket_3k\bar\1.bin\3kbrstub.dll
c:\program files\IObitBar\toolbar\1.bin\i0brstub.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Dell\DellDock\DockLogin.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Application Updater\ApplicationUpdater.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\progra~1\CRAZYF~2\bar\1.bin\3kbarsvc.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTsvcCDA.exe
c:\windows\system32\dldncoms.exe
c:\progra~1\IObitBar\toolbar\1.bin\i0barsvc.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\RtHDVCpl.exe
c:\program files\IObitBar\toolbar\1.bin\i0brmon.exe
c:\program files\CrazyForCricket_3k\bar\1.bin\3kbrmon.exe
c:\program files\Digital Line Detect\DLG.exe
c:\program files\HP\Digital Imaging\bin\hpqtra08.exe
c:\program files\Dell V105\dldnMsdMon.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
c:\windows\system32\msiexec.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Common Files\Steam\SteamService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-07-16 06:56:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-15 20:56
.
Pre-Run: 192,126,926,848 bytes free
Post-Run: 205,086,515,200 bytes free
.
- - End Of File - - 75CC9DD810A7BBDD8109325250573E49
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
RegNull::
[HKEY_USERS\S-1-5-21-2530732781-1678084383-3266196856-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{65D3B8F8-3D45-C03F-F0D7-2C3C92B5E16E}*]

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Hi Broni,

I'm getting the following window

"C:\Users\Greg\Desktop\ComboFix.exe
Illegal operation attempted on a registry key marked for deletion"

All I have is the "OK" radio button to select. ????

I've actually deleted MSE a few threads back. Don't know if that info helps. I know Windows Firewall is operational.
 
I should have mentioned that this occurred when I tried to drag and drop. Haven't selected OK however. Will wait for your reply in case it is malware :-(
 
"Illegal operation attempted on a registry key marked for deletion"
Restart the computer to fix the issue.

Then reinstall MSE.
Update, run full scan.

Next....

Download Malwarebytes' Anti-Malware (MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
NOTE. If you already have MBAM installed, update it before running the scan.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer IF MBAM asks you to do so.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================

Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
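Much of what the helper reads off the ComboFix logs in this thread (Run keys under Reg Loading Points, the AppInit_DLLs value, and the ProxyServer line in the Supplementary Scan) can be picked out automatically. The following is an added example written for this page; it is not ComboFix code and not something posted in the thread. The log excerpt is constructed to mimic the ComboFix format, and the three triage rules (a proxy pointing at the loopback address, any non-empty AppInit_DLLs value, and an autostart that launches from a temp directory) are this example's own heuristics, meant to surface entries for a human to check, not verdicts.

```python
import re

# Constructed excerpt in ComboFix log layout (sample data, not a real machine's log).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=c:\\progra~1\\Example\\helper.dll
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Updater"="c:\\program files\\Example\\updater.exe" [2012-01-02 843712]
"Dropper"="c:\\users\\greg\\appdata\\local\\temp\\x.exe" [2012-07-15 1024]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.example.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>;*.local
TCP: DhcpNameServer = 192.0.2.1 192.0.2.2
"""

# A Run-key value line: "name"="path" [date size]
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?\s*$')
PROXY_LINE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$')
APPINIT_LINE = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')
# Path component "\temp\" anywhere in an autostart target (case-insensitive).
TEMP_DIR = re.compile(r'\\temp\\', re.IGNORECASE)


def parse_autostarts(log):
    """Return (registry key, value name, target path) for every value under a Run key."""
    current_key = None
    entries = []
    for line in log.splitlines():
        if line.startswith('[') and line.endswith(']'):
            current_key = line[1:-1]
            continue
        if current_key and current_key.lower().endswith('\\run'):
            m = RUN_LINE.match(line)
            if m:
                entries.append((current_key, m.group('name'), m.group('path').strip()))
    return entries


def is_loopback_proxy(value):
    """True when the ProxyServer setting routes traffic through the local host."""
    v = value.lower()
    return '127.0.0.1' in v or 'localhost' in v


def triage(log):
    """Return (rule, detail) pairs for lines a reviewer should look at."""
    findings = []
    for line in log.splitlines():
        m = PROXY_LINE.match(line)
        if m and is_loopback_proxy(m.group('value')):
            findings.append(('loopback-proxy', m.group('value')))
        m = APPINIT_LINE.match(line)
        if m and m.group('value').strip():
            # AppInit_DLLs is loaded into every user-mode process that links user32.dll,
            # so any non-empty value deserves a look regardless of the vendor name.
            findings.append(('appinit-dll', m.group('value').strip()))
    for _key, name, path in parse_autostarts(log):
        if TEMP_DIR.search(path):
            findings.append(('autostart-in-temp', f'{name} -> {path}'))
    return findings


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'{rule:20} {detail}')
```

On the constructed excerpt this reports the loopback proxy, the AppInit_DLLs entry and the temp-directory autostart; everything else (the Updater entry, the DHCP name servers) passes silently. Running it over a real ComboFix log only narrows what to read first; whether a flagged entry belongs to installed software still has to be decided by looking at the file.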
Hi again Broni,

Combo Fix latest log. I'll wait for your reply.


ComboFix 12-07-14.01 - Greg 16/07/2012 8:07.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.3070.1935 [GMT 10:00]
Running from: c:\users\Greg\Desktop\ComboFix.exe
Command switches used :: c:\users\Greg\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-15 to 2012-07-15 )))))))))))))))))))))))))))))))
.
.
2012-07-15 22:13 . 2012-07-15 22:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-15 20:39 . 2012-07-15 22:13 -------- d-----w- c:\users\Greg\AppData\Local\temp
2012-07-15 18:11 . 2012-06-17 17:14 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{300AB105-98E1-4012-879C-C5EC6F777073}\mpengine.dll
2012-07-15 07:23 . 2012-07-15 07:23 -------- d-----w- C:\FRST
2012-07-10 11:31 . 2012-07-10 11:31 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-08 07:59 . 2012-07-08 07:59 -------- d-----w- c:\users\Greg\AppData\Local\etax2012
2012-07-07 06:08 . 2012-07-07 06:20 -------- d-----w- c:\users\Greg\AppData\Roaming\Ovwua
2012-07-04 08:46 . 2012-07-04 08:46 -------- d-----w- c:\program files\Lame For Audacity
2012-07-04 02:19 . 2012-07-04 02:19 -------- d-----w- c:\programdata\Sony
2012-07-03 07:37 . 2012-07-08 07:59 -------- d-----w- c:\program files\etax2012
2012-07-03 07:14 . 2012-07-03 07:14 -------- d-----w- c:\users\Greg\AppData\Roaming\Publish Providers
2012-07-03 07:11 . 2012-07-03 07:12 -------- d-----w- c:\users\Greg\AppData\Local\Sony
2012-07-03 07:11 . 2012-07-03 07:11 -------- d-----w- c:\program files\Sony
2012-07-03 07:10 . 2012-07-04 02:18 -------- d-----w- c:\users\Greg\AppData\Roaming\Sony
2012-07-02 10:36 . 2012-07-02 10:36 -------- d-----w- c:\program files\Ask.com
2012-07-02 10:34 . 2012-07-02 10:34 -------- d-----w- c:\program files\FreeTime
2012-06-27 00:12 . 2012-06-30 03:09 -------- d-----w- C:\Log
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-15 19:02 . 2012-04-04 07:49 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-15 19:02 . 2011-08-14 01:40 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-08 23:29 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-08 23:29 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-08 23:28 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-08 23:28 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-08 23:29 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-08 23:29 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-08 23:28 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 05:19 . 2012-06-08 23:28 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 05:12 . 2012-06-08 23:28 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 02:25 . 2010-04-11 09:16 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-17 22:45 . 2012-06-13 10:03 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35 . 2012-06-13 10:03 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35 . 2012-06-13 10:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29 . 2012-06-13 10:03 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24 . 2012-06-13 10:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-15 19:51 . 2012-06-13 05:15 2045440 ----a-w- c:\windows\system32\win32k.sys
2012-05-03 02:54 . 2012-05-03 02:54 42392 ----a-w- c:\windows\system32\xfcodec.dll
2012-05-01 14:03 . 2012-06-13 05:15 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 16:00 . 2012-06-13 05:15 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-04-23 16:00 . 2012-06-13 05:15 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-04-23 16:00 . 2012-06-13 05:15 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-04-18 10:56 . 2012-04-18 10:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-18 10:56 . 2012-04-18 10:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSoft.dll" [2010-06-03 2736736]
"{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}"= "c:\program files\Elf_1.15\tbElf_.dll" [2010-12-09 3911776]
"{6d8d66f3-14fc-4736-a096-fac0ea66289c}"= "c:\program files\midicase\prxtbmidi.dll" [2011-01-03 175400]
"{970a72ad-2603-4b4e-bb28-aff6ab80cccd}"= "c:\program files\CrazyForCricket_3k\bar\1.bin\3kSrcAs.dll" [2011-11-09 62864]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CLASSES_ROOT\clsid\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
.
[HKEY_CLASSES_ROOT\clsid\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
.
[HKEY_CLASSES_ROOT\clsid\{970a72ad-2603-4b4e-bb28-aff6ab80cccd}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-29 05:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2010-06-03 08:24 2736736 ----a-w- c:\program files\Softonic-Eng7\tbSoft.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2010-04-15 02:33 2515552 ----a-w- c:\program files\XfireXO\tbXfir.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64d23501-5195-4224-9446-e2b0fb64e859}]
2010-03-25 06:56 2349080 ----a-w- c:\program files\HiGames\tbHiG1.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
2011-01-03 00:16 175400 ----a-w- c:\program files\midicase\prxtbmidi.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
2010-12-09 02:51 3911776 ----a-w- c:\program files\Elf_1.15\tbElf_.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2011-08-24 08:21 1299248 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{64d23501-5195-4224-9446-e2b0fb64e859}"= "c:\program files\HiGames\tbHiG1.dll" [2010-03-25 2349080]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2010-04-15 2515552]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSoft.dll" [2010-06-03 2736736]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-29 3908192]
"{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}"= "c:\program files\Elf_1.15\tbElf_.dll" [2010-12-09 3911776]
"{6d8d66f3-14fc-4736-a096-fac0ea66289c}"= "c:\program files\midicase\prxtbmidi.dll" [2011-01-03 175400]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2011-08-24 1299248]
.
[HKEY_CLASSES_ROOT\clsid\{64d23501-5195-4224-9446-e2b0fb64e859}]
.
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
.
[HKEY_CLASSES_ROOT\clsid\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
.
[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.IEToolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{64D23501-5195-4224-9446-E2B0FB64E859}"= "c:\program files\HiGames\tbHiG1.dll" [2010-03-25 2349080]
"{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSoft.dll" [2010-06-03 2736736]
"{B9D63C58-90CC-428B-8D3B-CBB88EB07E7E}"= "c:\program files\Elf_1.15\tbElf_.dll" [2010-12-09 3911776]
"{6D8D66F3-14FC-4736-A096-FAC0EA66289C}"= "c:\program files\midicase\prxtbmidi.dll" [2011-01-03 175400]
.
[HKEY_CLASSES_ROOT\clsid\{64d23501-5195-4224-9446-e2b0fb64e859}]
.
[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
.
[HKEY_CLASSES_ROOT\clsid\{b9d63c58-90cc-428b-8d3b-cbb88eb07e7e}]
.
[HKEY_CLASSES_ROOT\clsid\{6d8d66f3-14fc-4736-a096-fac0ea66289c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-03 68856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"Steam"="c:\program files\Steam\steam.exe" [2011-08-02 1242448]
"DeskSpace"="c:\users\Greg\Deskspace\deskspace.exe" [2002-01-01 1066496]
"Facebook Update"="c:\users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe" [2012-07-15 138096]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-05-02 17355912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-18 6246400]
"dldnmon.exe"="c:\program files\Dell V105\dldnmon.exe" [2008-03-17 668912]
"dldnamon"="c:\program files\Dell V105\dldnamon.exe" [2008-03-17 16624]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-10 30192]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"VX1000"="c:\windows\vVX1000.exe" [2009-07-24 762208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-05 59240]
"IObitBar Browser Plugin Loader"="c:\progra~1\IObitBar\toolbar\1.bin\i0brmon.exe" [2010-08-02 20480]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2011-08-01 114992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-30 59280]
"CrazyForCricket Search Scope Monitor"="c:\progra~1\CRAZYF~2\bar\1.bin\3ksrchmn.exe" [2011-11-09 38440]
"CrazyForCricket_3k Browser Plugin Loader"="c:\progra~1\CRAZYF~2\bar\1.bin\3kbrmon.exe" [2011-11-09 30096]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\users\Greg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
DeskSpace.lnk - l:\deskspace\deskspace.exe [N/A]
Facebook Messenger.lnk - c:\users\Greg\AppData\Local\Facebook\Messenger\2.1.4570.0\FacebookMessenger.exe [2012-7-6 217536]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Xfire.lnk - c:\program files\Xfire\Xfire.exe [2012-5-3 3553176]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-10-3 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-7-15 1226024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 19:02]
.
2012-07-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000Core.job
- c:\users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-03 18:09]
.
2012-07-15 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000UA.job
- c:\users\Greg\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-02-03 18:09]
.
2012-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000Core.job
- c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-02 10:13]
.
2012-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2530732781-1678084383-3266196856-1000UA.job
- c:\users\Greg\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-02 10:13]
.
2012-07-10 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 05:40]
.
2012-07-15 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2008-10-03 11:18]
.
2012-07-15 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 05:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/index.php?lh=c0eff49bfa52c6577d051ffa05300cc9&eu=XVUHAKl-eM-CZ8lbII58wQ
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>;*.local
TCP: DhcpNameServer = 61.9.211.33 61.9.211.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-16 08:13
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2530732781-1678084383-3266196856-1000\Software\SecuROM\License information*]
"datasecu"=hex:ca,17,21,f5,a4,ce,b8,3a,5a,b5,99,3f,ce,f0,13,82,df,1d,b6,f2,71,
fd,e5,c5,d2,17,b1,07,53,70,dc,1c,b7,d4,65,a8,3b,5b,0f,75,79,a2,22,a1,43,1c,\
"rkeysecu"=hex:d3,70,bf,92,47,4f,b0,52,8c,2f,3f,54,b3,70,9c,1c
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4408)
c:\program files\IObitBar\toolbar\1.bin\i0brstub.dll
c:\program files\CrazyForCricket_3k\bar\1.bin\3kbrstub.dll
.
Completion time: 2012-07-16 08:15:18
ComboFix-quarantined-files.txt 2012-07-15 22:15
ComboFix2.txt 2012-07-15 20:56
.
Pre-Run: 204,952,776,704 bytes free
Post-Run: 204,909,309,952 bytes free
.
- - End Of File - - 1AFDD56523ACF2FE72D99C14FC964837
 
Hi again Broni,

MSE is currently doing the full scan but it's going to take some considerable time to complete. I imagine the OTL log is going to take some time to do as well. I need to get some shuteye man! I've been awake for two days. Do you mind terribly if I let these scans do their magic and report back to you in about 6-7 hours? It's around 10:18 am here on the south east of Queensland, Australia. If I don't hear anything I'll know you're OK with this. I'll very briefly report on the result of the MSE full scan and post the MBAM log for you then. :)
 
Back