[redhari123]

It started several weeks ago, I would click a link and end up somwhere else.I didn't bother me that much, everything else seemed ok. It wasn't untill some time later I noticed that windows
security service had shut down as well as system restore. I started downloading the free antivirus and malware programms only to no avail, problems persisted so I started buying them thinking that might work. My last attempt was with VIPRE Internet Security but it would not install. It said to remove other anti virus programms but stopzilla will not uninstall. Oh, and yesterday I recieved this from my ISP.
We have received reports from the ACMA's Australian Internet Security
Initiative (AISI) that a machine accessing the Internet using your TPG
Service is causing unwanted traffic to be transmitted, such as spam
and viruses.

A summary of the last few complaints have been provided below:

[2012-11-09 11:42:00] [123.243.78.145] proxy
[2012-11-09 06:54:30] [123.243.78.145] Trojan: Beagle/Bagel
[2012-11-08 11:14:00] [123.243.78.145] proxy
[2012-11-08 09:08:15] [123.243.78.145] Spam Sender-SendSafe


It may be that your equipment has been compromised by a hacker or some
other malicious software has been installed onto your system. Please
obtain an up to date antivirus software and ensure that all your
machines are cleaned as a matter of urgency. If you fail to do so and
the malicious traffic persists, TPG may take steps to limit it by
suspending your service.

Can you help me please.

OTL logfile created on: 11/11/2012 1:22:13 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = D:\Users\hari\Desktop
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.00 Gb Total Physical Memory | 1.69 Gb Available Physical Memory | 56.43% Memory free
6.00 Gb Paging File | 4.76 Gb Available in Paging File | 79.39% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = D: | %SystemRoot% = D:\Windows | %ProgramFiles% = D:\Program Files
Drive D: | 465.76 Gb Total Space | 98.89 Gb Free Space | 21.23% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive F: | 3.73 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive H: | 465.76 Gb Total Space | 54.96 Gb Free Space | 11.80% Space Free | Partition Type: NTFS

Computer Name: HARI | User Name: hari | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/11/11 01:19:29 | 000,602,112 | ---- | M] (OldTimer Tools) -- D:\Users\hari\Desktop\OTL.exe
PRC - [2012/10/31 01:27:32 | 000,388,576 | ---- | M] (Mozilla Corporation) -- D:\Program Files\Mozilla Thunderbird\thunderbird.exe
PRC - [2012/09/14 17:31:20 | 000,067,448 | R--- | M] (iS3, Inc.) -- D:\Program Files\STOPzilla!\SZServer.exe
PRC - [2012/09/14 17:31:10 | 000,194,424 | R--- | M] (iS3, Inc.) -- D:\Program Files\STOPzilla!\STOPzilla.exe
PRC - [2012/02/02 08:55:58 | 000,784,240 | ---- | M] () -- D:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
PRC - [2012/02/02 08:55:58 | 000,214,896 | ---- | M] () -- D:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
PRC - [2012/01/18 14:02:04 | 000,508,136 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2011/04/20 03:04:38 | 000,393,216 | ---- | M] (AMD) -- D:\Windows\System32\atieclxx.exe
PRC - [2011/04/20 03:04:08 | 000,176,128 | ---- | M] (AMD) -- D:\Windows\System32\atiesrxx.exe
PRC - [2011/02/25 16:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- D:\Windows\explorer.exe
PRC - [2010/10/14 21:40:22 | 001,866,864 | ---- | M] (PeerBlock, LLC) -- D:\Program Files\PeerBlock\peerblock.exe
PRC - [2009/06/17 13:02:36 | 000,023,552 | ---- | M] (Creative Technology Ltd) -- D:\Windows\System32\CTXFIHLP.EXE
PRC - [2009/06/17 12:57:44 | 001,225,216 | ---- | M] (Creative Technology Ltd) -- D:\Windows\System32\CTXFISPI.EXE
PRC - [2009/04/14 08:43:42 | 000,604,704 | ---- | M] (Realtek Semiconductor Corp.) -- D:\Windows\SOUNDMAN.EXE
PRC - [2009/04/08 21:38:14 | 000,092,008 | ---- | M] (TomTom) -- D:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
PRC - [2009/02/23 12:43:56 | 000,307,200 | ---- | M] (Creative Technology Ltd) -- D:\Program Files\Creative\Shared Files\CTAudSvc.exe
PRC - [2008/09/16 13:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) -- D:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe


========== Modules (No Company Name) ==========

MOD - [2012/10/31 01:27:34 | 002,111,456 | ---- | M] () -- D:\Program Files\Mozilla Thunderbird\mozjs.dll
MOD - [2012/10/31 01:27:34 | 000,157,664 | ---- | M] () -- D:\Program Files\Mozilla Thunderbird\nsldap32v60.dll
MOD - [2012/10/31 01:27:34 | 000,021,984 | ---- | M] () -- D:\Program Files\Mozilla Thunderbird\nsldappr32v60.dll
MOD - [2012/02/02 08:55:58 | 000,784,240 | ---- | M] () -- D:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
MOD - [2009/06/17 13:02:40 | 000,002,560 | ---- | M] () -- D:\Windows\CTXFIRES.DLL
MOD - [2009/04/20 12:55:58 | 000,148,480 | ---- | M] () -- D:\Windows\System32\APOMngr.DLL
MOD - [2008/09/16 21:18:06 | 000,132,608 | ---- | M] () -- D:\Program Files\WinRAR\RarExt.dll


========== Services (SafeList) ==========

SRV - [2012/11/10 17:45:13 | 000,115,168 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- D:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/11/10 10:30:20 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- D:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/09/14 17:31:20 | 000,067,448 | R--- | M] (iS3, Inc.) [Auto | Running] -- D:\Program Files\STOPzilla!\SZServer.exe -- (szserver)
SRV - [2012/06/11 12:33:26 | 000,724,376 | ---- | M] (Nokia) [On_Demand | Stopped] -- D:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2012/02/02 08:55:58 | 000,214,896 | ---- | M] () [Auto | Running] -- D:\Program Files\Motorola\MotoHelper\MotoHelperService.exe -- (MotoHelper)
SRV - [2011/04/20 03:04:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- D:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010/08/21 00:19:07 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- D:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe -- (Creative ALchemy AL6 Licensing Service)
SRV - [2010/08/21 00:16:37 | 000,079,360 | ---- | M] (Creative Labs) [On_Demand | Stopped] -- D:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe -- (Creative Audio Engine Licensing Service)
SRV - [2010/05/07 21:46:37 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/07/14 12:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 12:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 12:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- D:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/04/08 21:38:14 | 000,092,008 | ---- | M] (TomTom) [Auto | Running] -- D:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/02/23 12:43:56 | 000,307,200 | ---- | M] (Creative Technology Ltd) [Auto | Running] -- D:\Program Files\Creative\Shared Files\CTAudSvc.exe -- (CTAudSvcService)
SRV - [2009/02/10 18:01:49 | 000,116,104 | ---- | M] () [On_Demand | Stopped] -- D:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2008/09/16 13:03:18 | 000,169,312 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- D:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor7.0)


========== Driver Services (SafeList) ==========

DRV - File not found [File_System | Boot | Stopped] -- -- (XMS1563K)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\tsusbhub.sys -- (tsusbhub)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\synth3dvsc.sys -- (Synth3dVsc)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (ap1espga)
DRV - [2012/06/11 12:33:46 | 000,019,072 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2012/05/04 14:05:34 | 000,073,008 | R--- | M] (iS3, Inc.) [Kernel | Boot | Running] -- D:\Windows\System32\drivers\SZKGFS.sys -- (szkgfs)
DRV - [2012/03/20 10:51:02 | 000,099,728 | R--- | M] (iS3 Inc.) [Kernel | Boot | Running] -- D:\Windows\System32\drivers\SZKG.sys -- (szkg5)
DRV - [2012/03/20 10:51:02 | 000,099,728 | R--- | M] (iS3 Inc.) [Kernel | Boot | Stopped] -- D:\Windows\System32\drivers\is3srv.sys -- (is3srv)
DRV - [2012/01/12 09:26:20 | 000,101,112 | ---- | M] (GFI Software) [Kernel | System | Running] -- D:\Windows\System32\drivers\SBREDrv.sys -- (SBRE)
DRV - [2012/01/12 09:26:16 | 000,077,816 | R--- | M] (GFI Software) [File_System | Auto | Running] -- D:\Windows\System32\drivers\sbapifs.sys -- (sbapifs)
DRV - [2012/01/09 18:28:20 | 000,023,168 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\ccdcmbo.sys -- (nmwcdc)
DRV - [2012/01/09 18:28:20 | 000,018,176 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\ccdcmb.sys -- (nmwcd)
DRV - [2012/01/09 18:28:20 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\usbser_lowerfltj.sys -- (UsbserFilt)
DRV - [2012/01/09 18:28:20 | 000,008,192 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\usbser_lowerflt.sys -- (upperdev)
DRV - [2011/09/22 14:38:40 | 000,087,536 | ---- | M] (CyberLink Corp.) [2010/04/30 01:06:48] [Kernel | Auto | Running] -- D:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl -- ({1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC})
DRV - [2011/04/20 03:43:42 | 007,772,160 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2011/04/20 03:43:42 | 007,772,160 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2011/04/20 02:22:10 | 000,243,712 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010/11/22 11:25:22 | 000,046,184 | ---- | M] (Exent Technologies Ltd.) [Kernel | Auto | Running] -- D:\Program Files\Free Ride Games\X6XSEx.sys -- (X6XSEx)
DRV - [2010/11/20 23:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- D:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 23:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- D:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 23:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 21:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 21:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010/11/20 20:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 20:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 20:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/10/14 21:40:22 | 000,020,080 | ---- | M] () [Kernel | On_Demand | Running] -- D:\Program Files\PeerBlock\pbfilter.sys -- (pbfilter)
DRV - [2010/07/09 13:18:54 | 000,020,328 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | Auto | Running] -- D:\Windows\System32\drivers\cpuz134_x32.sys -- (cpuz134)
DRV - [2010/04/03 19:46:18 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- D:\Windows\System32\drivers\sptd.sys -- (sptd)
DRV - [2009/07/14 11:18:07 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2009/07/14 11:14:49 | 000,020,480 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\WSDScan.sys -- (WSDScan)
DRV - [2009/06/27 04:14:36 | 000,051,472 | ---- | M] () [File_System | Boot | Running] -- D:\Windows\System32\drivers\MFX.sys -- (MFX)
DRV - [2009/06/18 20:45:02 | 004,172,832 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\RTKVAC.SYS -- (ALCXWDM)
DRV - [2009/06/17 17:01:34 | 001,178,136 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\HA20X2K.SYS -- (ha20x2k)
DRV - [2009/06/17 17:01:14 | 000,095,768 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\EMUPIA2K.SYS -- (emupia)
DRV - [2009/06/17 17:00:46 | 000,158,744 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2009/06/17 17:00:32 | 000,014,360 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\CTPRXY2K.SYS -- (ctprxy2k)
DRV - [2009/06/17 17:00:16 | 000,129,560 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2009/06/17 17:00:00 | 000,527,640 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\CTAUD2K.SYS -- (ctaud2k)
DRV - [2009/06/17 16:59:44 | 000,511,000 | ---- | M] (Creative Technology Ltd) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\CTAC32K.SYS -- (ctac32k)
DRV - [2009/06/17 16:59:22 | 001,324,568 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- D:\Windows\System32\CTEXFIFX.DLL -- (CTEXFIFX.DLL)
DRV - [2009/06/17 16:59:06 | 000,072,728 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- D:\Windows\System32\CTHWIUT.DLL -- (CTHWIUT.DLL)
DRV - [2009/06/17 16:58:50 | 000,171,032 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- D:\Windows\System32\CT20XUT.DLL -- (CT20XUT.DLL)
DRV - [2009/04/29 16:37:26 | 000,025,088 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\KMWDFILTER.sys -- (KMWDFILTERx86)
DRV - [2009/04/22 13:01:11 | 000,429,056 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\nvm60x32.sys -- (NVENETFD)
DRV - [2009/02/24 19:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- D:\Windows\System32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2008/01/21 18:43:42 | 000,039,472 | ---- | M] (Paragon Software Group) [Kernel | Boot | Running] -- D:\Windows\System32\drivers\hotcore3.sys -- (hotcore3)
DRV - [2007/08/29 04:04:04 | 000,116,264 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- D:\Windows\System32\drivers\SI3112r.sys -- (SI3112r)
DRV - [2007/08/29 04:04:04 | 000,019,240 | ---- | M] (Silicon Image, Inc) [Kernel | Boot | Running] -- D:\Windows\System32\drivers\SiWinAcc.sys -- (SiFilter)
DRV - [2007/06/21 18:18:12 | 000,042,000 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- D:\Windows\System32\drivers\aztech_npf32.sys -- (NPF)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default Download Directory = H:\Downloads
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://iat.ninemsn.c....aspx?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 71 91 4A E0 DA B5 CD 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...&rlz=1I7AMSB_en
IE - HKCU\..\SearchScopes\{AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8}: "URL" = http://www.daemon-se...q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search Results"
FF - prefs.js..browser.search.defaultthis.engineName: "IsoBuster Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..browser.search.order.1: "Search Results"
FF - prefs.js..browser.search.selectedEngine: "Search Results"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com.au/"
FF - prefs.js..extensions.enabledAddons: %7BDA1B0AB5-7DD3-4066-BC2A-64AABBDD0A8B%7D:1.2.337.1
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:17.0
FF - prefs.js..extensions.enabledItems: {af5514fc-7603-4cec-9894-f07f3d8672a5}:1.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: [email protected]:9.0.0.736
FF - prefs.js..extensions.enabledItems: [email protected]:1.1.8
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:14.0.1
FF - prefs.js..keyword.URL: "http://dts.search-re...id=406&sr=0&q="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: D:\Windows\system32\Macromed\Flash\NPSWF32_11_5_502_110.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: D:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@exent.com/npExentCtl,version=7.0.0.0: D:\Program Files\Free Ride Games\npExentCtl.dll (Exent Technologies Ltd.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: D:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: D:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: D:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.647: d:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.647: d:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.660: D:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.660: D:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.660: d:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: D:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: D:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: D:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: D:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: D:\Users\hari\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: D:\Users\hari\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: D:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/07/21 01:24:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: D:\Program Files\fbphotozoom\fbphotozoom14.xpi [2012/03/19 23:06:59 | 000,102,505 | ---- | M] ()
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 17.0\extensions\\Components: D:\Program Files\Mozilla Firefox 4.0 Beta 7\components [2012/11/10 17:45:15 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 16.0.2\extensions\\Components: D:\Program Files\Mozilla Thunderbird\components [2012/10/31 01:27:15 | 000,000,000 | ---D | M]

[2012/03/01 01:05:00 | 000,000,000 | ---D | M] (No name found) -- D:\Users\hari\AppData\Roaming\Mozilla\Extensions
[2010/09/01 09:40:51 | 000,000,000 | ---D | M] (No name found) -- D:\Users\hari\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2009/05/26 00:01:55 | 000,000,000 | ---D | M] (No name found) -- D:\Users\hari\AppData\Roaming\Mozilla\Extensions\[email protected]
[2012/10/22 21:50:10 | 000,000,000 | ---D | M] (No name found) -- D:\Users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\extensions
[2010/06/13 09:13:47 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- D:\Users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/01 23:25:04 | 000,000,000 | ---D | M] (Currency Converter) -- D:\Users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\extensions\{af5514fc-7603-4cec-9894-f07f3d8672a5}
[2012/10/22 21:50:10 | 000,020,320 | ---- | M] () (No name found) -- D:\Users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\extensions\[email protected]
[2012/09/13 00:06:42 | 000,621,521 | ---- | M] () (No name found) -- D:\Users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\extensions\[email protected]
[2012/02/15 20:06:03 | 000,098,637 | ---- | M] () (No name found) -- D:\Users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\extensions\{DA1B0AB5-7DD3-4066-BC2A-64AABBDD0A8B}.xpi
[2010/01/21 08:27:20 | 000,000,909 | ---- | M] () -- D:\Users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\searchplugins\conduit.xml
[2010/04/30 01:15:21 | 000,002,059 | ---- | M] () -- D:\Users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\searchplugins\daemon-search.xml
[2012/02/29 21:04:15 | 000,002,519 | ---- | M] () -- D:\Users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\searchplugins\Search_Results.xml
[2011/02/11 22:27:19 | 000,000,000 | ---D | M] (No name found) -- D:\Program Files\Mozilla Firefox\extensions
[2010/05/06 23:36:08 | 000,000,000 | ---D | M] (Java Console) -- D:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/03/06 23:40:01 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- D:\Program Files\Mozilla Firefox\extensions\[email protected]
[2010/04/12 18:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- D:\Program Files\mozilla firefox\plugins\npdeployJava1.dll

========== Chrome ==========

CHR - homepage: http://www.searchqu.com/406
CHR - default_search_provider: Search Results (Enabled)
CHR - default_search_provider: search_url = http://dts.search-re...q={searchTerms}
CHR - default_search_provider: suggest_url =
CHR - homepage: http://www.searchqu.com/406
CHR - Extension: General Crawler = D:\Users\hari\AppData\Local\Google\Chrome\User Data\Default\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel\2.5_0\
CHR - Extension: avast! WebRep = D:\Users\hari\AppData\Local\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1466_0\
CHR - Extension: RealPlayer HTML5Video Downloader Extension = D:\Users\hari\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\
CHR - Extension: FBPHOTOZOOM = D:\Users\hari\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpieaakhacmfleokhjcjnpcnmnmpfkid\1.4_0\

O1 HOSTS File: ([2012/10/23 00:06:04 | 000,000,862 | ---- | M]) - D:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [CTxfiHlp] D:\Windows\System32\CTXFIHLP.EXE (Creative Technology Ltd)
O4 - HKLM..\Run: [SoundMan] D:\Windows\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UpdReg] D:\Windows\Updreg.EXE (Creative Technology Ltd.)
O4 - HKCU..\Run: [PeerBlock] D:\Program Files\PeerBlock\peerblock.exe (PeerBlock, LLC)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 60
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Anti-Banner - Reg Error: Value error. File not found
O8 - Extra context menu item: Download with &Media Finder - Reg Error: Value error. File not found
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3D21D9D4-39AA-45E6-8E24-BE99D1EB4ED6}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (explorer.exe) - D:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (D:\Windows\system32\userinit.exe) - D:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - D:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WgaLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 0
O32 - AutoRun File - [2009/06/11 08:42:20 | 000,000,024 | ---- | M] () - D:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2009/03/21 02:42:25 | 000,000,024 | ---- | M] () - H:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{89d91777-28a8-11e1-a6a7-001a4d954853}\Shell - "" = AutoRun
O33 - MountPoints2\{f88a9053-4798-11de-ad4f-000feae37829}\Shell - "" = AutoRun
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/11/11 01:20:13 | 000,602,112 | ---- | C] (OldTimer Tools) -- D:\Users\hari\Desktop\OTL.exe
[2012/11/10 21:57:48 | 000,000,000 | ---D | C] -- D:\ProgramData\ErrorEND
[2012/11/10 21:57:40 | 000,000,000 | ---D | C] -- D:\Users\hari\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ErrorEND
[2012/11/10 21:57:40 | 000,000,000 | ---D | C] -- D:\Program Files\ErrorEND
[2012/11/10 21:42:22 | 000,000,000 | ---D | C] -- D:\ProgramData\Downloaded Installations
[2012/11/10 21:29:00 | 000,000,000 | ---D | C] -- D:\Program Files\GFI Software
[2012/11/10 21:27:37 | 000,000,000 | ---D | C] -- D:\Users\hari\AppData\Roaming\GFI Software
[2012/11/10 17:44:45 | 000,000,000 | ---D | C] -- D:\Program Files\Mozilla Firefox 4.0 Beta 7
[2012/11/07 15:48:50 | 000,000,000 | ---D | C] -- D:\Windows\Panther
[2012/10/31 20:34:19 | 000,012,872 | ---- | C] (SurfRight B.V.) -- D:\Windows\System32\bootdelete.exe
[2012/10/31 19:47:25 | 000,000,000 | ---D | C] -- D:\Program Files\HitmanPro
[2012/10/31 19:47:10 | 000,000,000 | ---D | C] -- D:\ProgramData\HitmanPro
[2012/10/31 01:27:13 | 000,000,000 | ---D | C] -- D:\Program Files\Mozilla Thunderbird
[2012/10/23 21:30:30 | 000,077,816 | R--- | C] (GFI Software) -- D:\Windows\System32\drivers\sbapifs.sys
[2012/10/23 21:25:35 | 000,000,000 | ---D | C] -- D:\Users\hari\AppData\Roaming\Malwarebytes
[2012/10/23 21:25:24 | 000,000,000 | ---D | C] -- D:\ProgramData\Malwarebytes
[2012/10/23 21:24:45 | 010,669,896 | ---- | C] (Malwarebytes Corporation ) -- D:\Users\hari\Desktop\mbam-setup.exe
[2012/10/23 00:18:25 | 000,000,000 | -HSD | C] -- D:\Config.Msi
[2012/10/22 21:28:04 | 000,000,000 | ---D | C] -- D:\ProgramData\Microsoft\Windows\Start Menu\Programs\STOPzilla
[2012/10/22 21:27:56 | 000,000,000 | ---D | C] -- D:\Program Files\STOPzilla!
[2012/10/22 21:27:55 | 000,000,000 | ---D | C] -- D:\ProgramData\STOPzilla!
[2012/10/20 00:24:29 | 000,000,000 | ---D | C] -- D:\ProgramData\Google
[2012/10/20 00:22:20 | 000,000,000 | ---D | C] -- D:\ProgramData\AVAST Software
[2012/10/20 00:22:20 | 000,000,000 | ---D | C] -- D:\Program Files\AVAST Software
[1 D:\Windows\System32\*.tmp files -> D:\Windows\System32\*.tmp -> ]
[1 D:\*.tmp files -> D:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/11/11 01:19:29 | 000,602,112 | ---- | M] (OldTimer Tools) -- D:\Users\hari\Desktop\OTL.exe
[2012/11/11 00:43:53 | 000,021,840 | -H-- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/11/11 00:43:53 | 000,021,840 | -H-- | M] () -- D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/11/11 00:43:01 | 000,620,830 | ---- | M] () -- D:\Windows\System32\perfh009.dat
[2012/11/11 00:43:01 | 000,562,406 | ---- | M] () -- D:\Windows\System32\perfh008.dat
[2012/11/11 00:43:01 | 000,110,536 | ---- | M] () -- D:\Windows\System32\perfc009.dat
[2012/11/11 00:43:01 | 000,097,338 | ---- | M] () -- D:\Windows\System32\perfc008.dat
[2012/11/11 00:41:00 | 000,000,882 | ---- | M] () -- D:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/11/11 00:39:23 | 000,000,448 | ---- | M] () -- D:\Windows\System32\drivers\kgpcpy.cfg
[2012/11/11 00:38:24 | 000,067,584 | --S- | M] () -- D:\Windows\bootstat.dat
[2012/11/11 00:38:15 | 2414,731,264 | -HS- | M] () -- D:\hiberfil.sys
[2012/11/11 00:37:24 | 000,054,740 | ---- | M] () -- D:\Windows\System32\BMXStateBkp-{00000005-00000000-00000000-00001102-00000005-0034415A}.rfx
[2012/11/11 00:37:24 | 000,054,740 | ---- | M] () -- D:\Windows\System32\BMXState-{00000005-00000000-00000000-00001102-00000005-0034415A}.rfx
[2012/11/11 00:37:24 | 000,000,788 | ---- | M] () -- D:\Windows\System32\DVCState-{00000005-00000000-00000000-00001102-00000005-0034415A}.rfx
[2012/11/10 22:42:01 | 000,000,366 | ---- | M] () -- D:\Windows\tasks\ReclaimerUpdateFiles_hari.job
[2012/11/10 22:39:28 | 000,000,118 | ---- | M] () -- D:\Users\hari\Desktop\-linkid=405.url
[2012/11/10 22:30:00 | 000,000,830 | ---- | M] () -- D:\Windows\tasks\Adobe Flash Player Updater.job
[2012/11/10 21:57:48 | 000,000,380 | ---- | M] () -- D:\Windows\tasks\ErrorEND.job
[2012/11/10 21:57:40 | 000,000,975 | ---- | M] () -- D:\Users\hari\Desktop\ErrorEND.lnk
[2012/11/10 21:31:24 | 000,001,945 | ---- | M] () -- D:\Windows\epplauncher.mif
[2012/11/10 18:10:44 | 000,002,103 | ---- | M] () -- D:\Users\hari\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox 4.0 Beta 7.lnk
[2012/11/10 14:27:20 | 000,000,362 | ---- | M] () -- D:\Windows\tasks\ReclaimerUpdateXML_hari.job
[2012/11/08 04:06:24 | 000,002,489 | ---- | M] () -- D:\Users\hari\Desktop\Google Chrome.lnk
[2012/11/04 04:14:00 | 000,000,446 | ---- | M] () -- D:\Windows\tasks\Driver Robot.job
[2012/11/01 09:02:40 | 000,002,066 | ---- | M] () -- D:\Users\hari\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk
[2012/11/01 01:21:42 | 000,000,206 | ---- | M] () -- D:\Users\hari\Desktop\hwmonitorw.ini
[2012/10/31 20:34:19 | 000,012,872 | ---- | M] (SurfRight B.V.) -- D:\Windows\System32\bootdelete.exe
[2012/10/23 21:24:02 | 010,669,896 | ---- | M] (Malwarebytes Corporation ) -- D:\Users\hari\Desktop\mbam-setup.exe
[2012/10/20 00:23:19 | 000,002,577 | ---- | M] () -- D:\Windows\System32\config.nt
[1 D:\Windows\System32\*.tmp files -> D:\Windows\System32\*.tmp -> ]
[1 D:\*.tmp files -> D:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/11/11 00:38:55 | 000,000,448 | ---- | C] () -- D:\Windows\System32\drivers\kgpcpy.cfg
[2012/11/10 22:39:28 | 000,000,118 | ---- | C] () -- D:\Users\hari\Desktop\-linkid=405.url
[2012/11/10 21:57:48 | 000,000,380 | ---- | C] () -- D:\Windows\tasks\ErrorEND.job
[2012/11/10 21:57:40 | 000,000,975 | ---- | C] () -- D:\Users\hari\Desktop\ErrorEND.lnk
[2012/06/09 11:16:56 | 000,000,064 | ---- | C] () -- D:\Windows\GPlrLanc.dat
[2011/10/26 23:49:24 | 000,000,100 | ---- | C] () -- D:\Windows\netctrl.ini
[2011/10/25 13:50:17 | 000,000,000 | ---- | C] () -- D:\Windows\pcfriend.INI
[2011/10/03 23:46:48 | 019,726,928 | ---- | C] () -- D:\Program Files\WinMLS2004Ver1.07Installation.exe
[2011/08/11 04:10:54 | 000,033,134 | ---- | C] () -- D:\Users\hari\AppData\Roaming\UserTile.png
[2011/07/15 19:23:40 | 000,000,076 | ---- | C] () -- D:\Windows\System32\dtirc.dll
[2011/07/13 22:28:08 | 000,016,302 | ---- | C] () -- D:\Windows\System32\llbror.dll
[2011/06/15 23:23:49 | 000,001,006 | ---- | C] () -- D:\Windows\netdet.ini
[2011/06/10 07:34:52 | 000,080,416 | ---- | C] () -- D:\Windows\System32\RtNicProp32.dll
[2011/04/20 02:21:02 | 000,037,376 | ---- | C] () -- D:\Windows\System32\atitmpxx.dll
[2011/03/17 18:51:46 | 000,003,929 | ---- | C] () -- D:\Windows\System32\atipblag.dat
[2011/02/28 22:30:06 | 000,233,012 | ---- | C] () -- D:\Windows\System32\atiicdxx.dat
[2011/02/24 20:02:52 | 000,080,896 | ---- | C] () -- D:\Windows\System32\RDVGHelper.exe
[2011/02/24 20:00:47 | 000,066,048 | ---- | C] () -- D:\Windows\System32\PrintBrmUi.exe
[2010/05/15 01:11:19 | 000,000,990 | -HS- | C] () -- D:\Users\hari\AppData\Roaming\systemfl.$dk
[2010/03/16 23:35:30 | 000,007,605 | ---- | C] () -- D:\Users\hari\AppData\Local\resmon.resmoncfg

========== ZeroAccess Check ==========

[2009/07/14 15:42:31 | 000,000,227 | RHS- | M] () -- D:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 15:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 23:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 12:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2010/05/15 01:39:31 | 000,000,000 | -HSD | M] -- D:\Users\hari\AppData\Roaming\.#
[2010/03/01 23:24:34 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\.myibay
[2012/02/17 22:06:57 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\Babylon
[2011/12/15 09:17:42 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\Binverse
[2011/07/09 12:33:25 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\Canon
[2011/08/17 21:59:22 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\CD-LabelPrint
[2010/03/04 21:13:09 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2010/04/30 01:16:40 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\DAEMON Tools Lite
[2010/04/03 19:57:32 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\DAEMON Tools Pro
[2010/03/01 23:24:35 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\FileZilla
[2012/10/03 21:14:28 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\foobar2000
[2012/11/10 21:27:37 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\GFI Software
[2010/03/01 23:24:35 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\Homecast
[2011/07/16 01:11:07 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\J River
[2011/03/15 20:45:20 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\LimeWire
[2012/06/16 14:20:52 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\Media Finder
[2012/11/08 00:56:56 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\MediaMonkey
[2010/03/01 23:24:37 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\Medieval Software
[2012/05/09 00:49:15 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\Motorola
[2011/03/24 19:15:29 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\Nokia
[2011/12/04 21:50:45 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\PC Suite
[2010/09/01 09:39:53 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\Thunderbird
[2010/03/01 23:25:05 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\TomTom
[2012/10/20 09:24:07 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\uTorrent
[2011/09/28 00:25:04 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\WebApp
[2011/03/12 01:06:03 | 000,000,000 | ---D | M] -- D:\Users\hari\AppData\Roaming\ZiggyTV

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 879 bytes -> D:\Users\hari\Desktop\Benchmark HDR.eml:OECustomProperty
@Alternate Data Stream - 121 bytes -> D:\ProgramData\Temp:63238B95

< End of report >

[Advertisements]

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

• Please do not run any tools unless instructed to do so.
  
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
• Please do not attach logs or use code boxes, just copy and paste the text.
  
  • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
• Please read every post completely before doing anything.
  
  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
• Please provide feedback about your experience as we go.
  
  • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

• Download Security Check by screen317 from here.
• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

• Please download AdwCleaner by Xplode onto your desktop.
  
• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

• Download & SAVE to your Desktop RogueKiller or from here
  
• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select "Run as Administrator to start"
• For Windows XP, double-click to start.
• Wait until Prescan has finished ...
• Then Click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• click on "delete"
• Wait until the Status box shows "Deleting Finished"
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
• Exit/Close RogueKiller+

Gringo

[gringo_pr]

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

• Please do not run any tools unless instructed to do so.
  
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
• Please do not attach logs or use code boxes, just copy and paste the text.
  
  • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
• Please read every post completely before doing anything.
  
  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
• Please provide feedback about your experience as we go.
  
  • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

• Download Security Check by screen317 from here.
• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

• Please download AdwCleaner by Xplode onto your desktop.
  
• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

• Download & SAVE to your Desktop RogueKiller or from here
  
• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select "Run as Administrator to start"
• For Windows XP, double-click to start.
• Wait until Prescan has finished ...
• Then Click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• click on "delete"
• Wait until the Status box shows "Deleting Finished"
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
• Exit/Close RogueKiller+

Gringo

[redhari123]

Results of screen317's Security Check version 0.99.54
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
CCleaner
DH Driver Cleaner Professional Edition
Java™ 6 Update 31
Java version out of Date!
Adobe Flash Player 11.5.502.110
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (17.0)
Mozilla Thunderbird (16.0.2)
Google Chrome 21.0.1180.83
Google Chrome 21.0.1180.89
Google Chrome 22.0.1229.79
Google Chrome 22.0.1229.92
Google Chrome 22.0.1229.94
Google Chrome 23.0.1271.64
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive D: 0%
````````````````````End of Log``````````````````````

[redhari123]

# AdwCleaner v2.007 - Logfile created 11/11/2012 at 14:20:45
# Updated 06/11/2012 by Xplode
# Operating system : Windows 7 Ultimate Service Pack 1 (32 bits)
# User : hari - HARI
# Boot Mode : Normal
# Running from : D:\Users\hari\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : D:\Users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\searchplugins\Conduit.xml
File Deleted : D:\Users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\searchplugins\daemon-search.xml
File Deleted : D:\Users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\searchplugins\Search_Results.xml
Folder Deleted : D:\Program Files\Conduit
Folder Deleted : D:\Program Files\Ilivid
Folder Deleted : D:\Program Files\Windows iLivid Toolbar
Folder Deleted : D:\ProgramData\{B49A644A-1076-4A3D-B124-DAA7862F2318}
Folder Deleted : D:\ProgramData\Babylon
Folder Deleted : D:\ProgramData\boost_interprocess
Folder Deleted : D:\ProgramData\InstallMate
Folder Deleted : D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ilivid
Folder Deleted : D:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Finder
Folder Deleted : D:\ProgramData\Tarma Installer
Folder Deleted : D:\Users\hari\AppData\Local\Babylon
Folder Deleted : D:\Users\hari\AppData\Local\Google\Chrome\User Data\Default\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel
Folder Deleted : D:\Users\hari\AppData\Local\Ilivid Player
Folder Deleted : D:\Users\hari\AppData\LocalLow\Conduit
Folder Deleted : D:\Users\hari\AppData\LocalLow\searchquband
Folder Deleted : D:\Users\hari\AppData\Roaming\Babylon
Folder Deleted : D:\Users\hari\AppData\Roaming\Media Finder
Folder Deleted : D:\Users\hari\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\Fun Web Products
Key Deleted : HKCU\Software\AppDataLow\Software\FunWebProducts
Key Deleted : HKCU\Software\AppDataLow\Software\MyWebSearch
Key Deleted : HKCU\Software\AppDataLow\Software\searchqutoolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\MediaFinder
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AD22EBAF-0D18-4FC7-90CC-5EA0ABBE9EB8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A4730EBE-43A6-443E-9776-36915D323AD3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
Key Deleted : HKLM\SOFTWARE\Classes\MF
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT1700389
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai
Key Deleted : HKLM\Software\ilivid
Key Deleted : HKLM\Software\Iminent
Key Deleted : HKLM\Software\Informer Technologies, Inc.\OpenCandy
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ilivid
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{99079A25-328F-4BD4-BE04-00955ACAA0A7}]

***** [Internet Browsers] *****


RogueKiller V8.2.3 [11/07/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Website: http://tigzy.geeksto...roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : hari [Admin rights]
Mode : Remove -- Date : 11/11/2012 14:37:28

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC} (D:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl) -> DELETED
[Services][ROGUE ST] HKLM\[...]\ControlSet002\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC} (D:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl) -> DELETED
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> REPLACED (2)
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[370] : NtTerminateProcess @ 0x832A4BFB -> HOOKED (\SystemRoot\system32\drivers\szkgfs.sys @ 0x837B59C6)
IRP[IRP_MJ_CREATE] : \SystemRoot\system32\drivers\winhv.sys -> HOOKED ([MAJOR] Unknown @ 0x8597B1F8)
IRP[IRP_MJ_CLOSE] : \SystemRoot\system32\drivers\winhv.sys -> HOOKED ([MAJOR] Unknown @ 0x8597B1F8)
IRP[IRP_MJ_DEVICE_CONTROL] : \SystemRoot\system32\drivers\winhv.sys -> HOOKED ([MAJOR] Unknown @ 0x8597B1F8)
IRP[IRP_MJ_INTERNAL_DEVICE_CONTROL] : \SystemRoot\system32\drivers\winhv.sys -> HOOKED ([MAJOR] Unknown @ 0x8597B1F8)
IRP[IRP_MJ_POWER] : \SystemRoot\system32\drivers\winhv.sys -> HOOKED ([MAJOR] Unknown @ 0x8597B1F8)
IRP[IRP_MJ_SYSTEM_CONTROL] : \SystemRoot\system32\drivers\winhv.sys -> HOOKED ([MAJOR] Unknown @ 0x8597B1F8)
IRP[IRP_MJ_PNP] : \SystemRoot\system32\drivers\winhv.sys -> HOOKED ([MAJOR] Unknown @ 0x8597B1F8)

¤¤¤ Extern Hives: ¤¤¤
-> H:\windows\system32\config\SOFTWARE
-> H:\Users\Default\NTUSER.DAT
-> H:\Users\George\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> D:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5002ABYS-01B1B0 ATA Device +++++
--- User ---
[MBR] 3310b3a840d28b01cb79f62e1072a44a
[BSP] cc2c36621d94cc70b2f5283c19e9b7a4 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476938 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: ST3500418AS ATA Device +++++
--- User ---
[MBR] fea8147e7f36e53cb865d398e39f2443
[BSP] 013660a6c7651a66132f4130c67c8bb7 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_11112012_02d1437.txt >>
RKreport[1]_S_11112012_02d1436.txt ; RKreport[2]_D_11112012_02d1437.txt

[gringo_pr]

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  
• Log from Combofix
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

[redhari123]

Hi Gringo,
Have done as you instructed and all seems well. One error message popped up after combofix had finished -windows could
not find NIRCMD.EXE etc.
System restore has come back everything seems to be ok. I would still like to get rid of stopzilla but everything else is working fine.

Thank you very very much,
George

ComboFix 12-11-09.02 - hari 11/11/2012 17:21:46.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.3070.2009 [GMT 11:00]
Running from: d:\users\hari\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GFUH7Q59\ComboFix.exe
AV: STOPzilla! *Disabled/Updated* {17032AB1-6644-0721-EEB5-A39B8B646009}
SP: STOPzilla! *Disabled/Updated* {AC62CB55-407E-08AF-D405-98E9F0E32AB4}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
d:\program files\WinMLS2004Ver1.07Installation.exe
d:\programdata\100
d:\users\hari\AppData\Roaming\.#
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-10-11 to 2012-11-11 )))))))))))))))))))))))))))))))
.
.
2012-11-11 06:19 . 2012-11-11 06:19 12568 ----a-w- d:\windows\system32\drivers\PROCEXP113.SYS
2012-11-10 10:57 . 2012-11-10 11:08 -------- d-----w- d:\programdata\ErrorEND
2012-11-10 10:57 . 2012-11-10 11:08 -------- d-----w- d:\program files\ErrorEND
2012-11-10 10:42 . 2012-11-10 10:42 -------- d-----w- d:\programdata\Downloaded Installations
2012-11-10 10:29 . 2012-11-10 10:29 -------- d-----w- d:\program files\GFI Software
2012-11-10 10:27 . 2012-11-10 10:27 -------- d-----w- d:\users\hari\AppData\Roaming\GFI Software
2012-11-10 06:44 . 2012-11-10 07:10 -------- d-----w- d:\program files\Mozilla Firefox 4.0 Beta 7
2012-11-07 04:48 . 2012-11-07 04:48 -------- d-----w- d:\windows\Panther
2012-10-31 09:34 . 2012-10-31 09:34 12872 ----a-w- d:\windows\system32\bootdelete.exe
2012-10-31 08:47 . 2012-10-31 08:47 -------- d-----w- d:\program files\HitmanPro
2012-10-31 08:47 . 2012-10-31 09:34 -------- d-----w- d:\programdata\HitmanPro
2012-10-30 14:27 . 2012-10-31 22:02 -------- d-----w- d:\program files\Mozilla Thunderbird
2012-10-23 10:30 . 2012-01-11 22:26 77816 ----a-r- d:\windows\system32\drivers\sbapifs.sys
2012-10-23 10:25 . 2012-10-23 10:25 -------- d-----w- d:\users\hari\AppData\Roaming\Malwarebytes
2012-10-23 10:25 . 2012-10-23 10:25 -------- d-----w- d:\programdata\Malwarebytes
2012-10-22 10:27 . 2012-11-10 13:53 -------- d-----w- d:\program files\STOPzilla!
2012-10-22 10:27 . 2012-11-11 06:30 -------- d-----w- d:\programdata\STOPzilla!
2012-10-19 13:22 . 2012-10-22 13:11 -------- d-----w- d:\programdata\AVAST Software
2012-10-19 13:22 . 2012-10-19 13:22 -------- d-----w- d:\program files\AVAST Software
2012-10-17 21:53 . 2012-08-31 17:18 1211760 ----a-w- d:\windows\system32\drivers\ntfs.sys
2012-10-17 21:53 . 2012-08-24 16:57 172544 ----a-w- d:\windows\system32\wintrust.dll
2012-10-17 21:53 . 2012-08-20 17:40 293376 ----a-w- d:\windows\system32\KernelBase.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-09 23:30 . 2012-04-08 09:27 696760 ----a-w- d:\windows\system32\FlashPlayerApp.exe
2012-11-09 23:30 . 2011-06-14 12:38 73656 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-14 06:31 . 2012-09-14 06:31 23416 ----a-r- d:\windows\system32\SZIO5.dll
2012-09-14 06:31 . 2012-09-14 06:31 546680 ----a-r- d:\windows\system32\SZComp5.dll
2012-09-14 06:31 . 2012-09-14 06:31 497528 ----a-r- d:\windows\system32\SZBase5.dll
2012-08-28 02:59 . 2012-08-28 02:59 29048 ----a-r- d:\windows\system32\IS3XDat5.dll
2012-08-28 02:59 . 2012-08-28 02:59 231288 ----a-r- d:\windows\system32\IS3Win325.dll
2012-08-28 02:59 . 2012-08-28 02:59 391032 ----a-r- d:\windows\system32\IS3UI5.dll
2012-08-28 02:59 . 2012-08-28 02:59 100216 ----a-r- d:\windows\system32\IS3Svc5.dll
2012-08-28 02:59 . 2012-08-28 02:59 104312 ----a-r- d:\windows\system32\IS3Inet5.dll
2012-08-28 02:59 . 2012-08-28 02:59 132984 ----a-r- d:\windows\system32\IS3HTUI5.dll
2012-08-28 02:59 . 2012-08-28 02:59 67448 ----a-r- d:\windows\system32\IS3Hks5.dll
2012-08-28 02:59 . 2012-08-28 02:59 460664 ----a-r- d:\windows\system32\IS3DBA5.dll
2012-08-28 02:59 . 2012-08-28 02:59 812920 ----a-r- d:\windows\system32\IS3Base5.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="d:\program files\PeerBlock\peerblock.exe" [2010-10-14 1866864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SoundMan"="SOUNDMAN.EXE" [2009-04-13 604704]
"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-17 23552]
"UpdReg"="d:\windows\UpdReg.EXE" [2000-05-10 90112]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Exetender"="d:\program files\Free Ride Games\GPlayer.exe" [2012-03-21 4862384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKLM\~\startupfolder\D:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\D:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=d:\windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\D:^Users^hari^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=d:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\D:^Users^hari^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=d:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\D:^Users^hari^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=d:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\D:^Users^hari^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ZiggyTV (Minimized).lnk]
backup=d:\windows\pss\ZiggyTV (Minimized).lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eMuleAutoStart
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Finder
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar Search Scope Monitor
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\removeSearchqudatamngr]
RD [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\removeSearchqutoolbar]
RD [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2010-12-29 01:26 75048 ------w- d:\program files\CyberLink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-07-26 17:10 1983816 ----a-w- d:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-17 16:40 767312 ----a-w- d:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- d:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScanUtility]
2009-05-19 08:39 136544 ----a-w- d:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSU_agent]
2011-12-13 12:37 190768 ----a-w- d:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2012-06-26 03:10 1516632 ----a-w- d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 15:54 417792 ----a-w- d:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl10]
2011-03-30 03:01 87336 ------w- d:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-04-08 10:38 251240 ----a-w- d:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
R0 is3srv;is3srv;d:\windows\system32\drivers\is3srv.sys [x]
R0 XMS1563K;XMS1563K; [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;d:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [x]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;d:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]
R3 KMWDFILTERx86;HIDServiceDesc;d:\windows\system32\DRIVERS\KMWDFILTER.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;d:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;d:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;d:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;d:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;d:\windows\system32\drivers\rdvgkmd.sys [x]
S0 hotcore3;hotcore3;d:\windows\system32\drivers\hotcore3.sys [x]
S0 MFX;MFX; [x]
S0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;d:\windows\system32\DRIVERS\SI3112r.sys [x]
S0 sptd;sptd;d:\windows\System32\Drivers\sptd.sys [x]
S0 szkg5;szkg5;d:\windows\system32\DRIVERS\szkg.sys [x]
S0 szkgfs;szkgfs;d:\windows\system32\drivers\szkgfs.sys [x]
S1 SBRE;SBRE;d:\windows\system32\drivers\SBREDrv.sys [x]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;d:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;d:\windows\system32\atiesrxx.exe [x]
S2 cpuz134;cpuz134;d:\windows\system32\drivers\cpuz134_x32.sys [x]
S2 MotoHelper;MotoHelper Service;d:\program files\Motorola\MotoHelper\MotoHelperService.exe [x]
S2 sbapifs;sbapifs;d:\windows\system32\DRIVERS\sbapifs.sys [x]
S2 TomTomHOMEService;TomTomHOMEService;d:\program files\TomTom HOME 2\TomTomHOMEService.exe [x]
S2 X6XSEx;X6XSEx;d:\program files\Free Ride Games\X6XSEx.Sys [x]
S3 pbfilter;pbfilter;d:\program files\PeerBlock\pbfilter.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;d:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 WSDScan;WSD Scan Support via UMB;d:\windows\system32\DRIVERS\WSDScan.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PBFILTER
*Deregistered* - kl1
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-10 d:\windows\Tasks\Adobe Flash Player Updater.job
- d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 23:30]
.
2012-11-10 d:\windows\Tasks\ErrorEND.job
- d:\program files\ErrorEND\ERROREND.exe [2012-11-02 10:18]
.
2012-10-01 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-12-16 13:48]
.
2012-11-11 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-12-16 13:48]
.
2012-10-01 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-41352046-3642212857-3618352276-1000Core.job
- d:\users\hari\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-23 09:14]
.
2012-10-02 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-41352046-3642212857-3618352276-1000UA.job
- d:\users\hari\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-23 09:14]
.
2012-11-10 d:\windows\Tasks\ReclaimerUpdateFiles_hari.job
- d:\users\hari\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-30 23:46]
.
2012-11-11 d:\windows\Tasks\ReclaimerUpdateXML_hari.job
- d:\users\hari\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-30 23:46]
.
2012-10-02 d:\windows\Tasks\RNUpgradeHelperLogonPrompt_hari.job
- d:\users\hari\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-30 23:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
IE: Add to Anti-Banner
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - d:\users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - ExtSQL: !HIDDEN! 2010-03-01 23:20; {20a82645-c095-46ed-80e3-08825760534b}; d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
HKU-Default-RunOnce-FlashPlayerUpdate - d:\windows\system32\Macromed\Flash\FlashUtil10e.exe
Notify-WgaLogon - (no file)
AddRemove-LspCAD lite (demo) - d:\progra~2\TARMAI~1\{AED42~1\Setup.exe
AddRemove-{8D15E1B2-D2B7-4A17-B44B-D2DDE5981406} - d:\programdata\{B49A644A-1076-4A3D-B124-DAA7862F2318}\iLividSetupV1.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-41352046-3642212857-3618352276-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{19D0C8EF-C6AF-A6DA-B4C4-0717ECC3C327}*]
"iakopdmolmjaagigbd"=hex:6b,61,68,6a,61,70,66,66,64,6d,63,62,69,6e,67,6d,68,69,
64,70,65,61,00,01
"haepjpnnijngdblj"=hex:6b,61,68,6a,61,70,66,66,64,6d,63,62,69,6e,67,6d,68,69,
64,70,6f,70,00,01
.
[HKEY_USERS\S-1-5-21-41352046-3642212857-3618352276-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2A53BFBB-672B-74AD-4EAC-5C39BE49FDB1}*]
"haldmeillmohhpmb"=hex:6a,61,6e,62,65,66,65,63,63,6f,62,70,6c,61,63,6c,65,68,
64,6b,00,85
"iajdgpmndnmncnhifc"=hex:6a,61,67,63,61,67,69,6e,63,65,69,67,6c,6e,69,66,66,62,
68,70,00,85
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="d:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2792)
d:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
d:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
d:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
d:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
d:\program files\STOPzilla!\SZServer.exe
d:\program files\Creative\Shared Files\CTAudSvc.exe
d:\windows\system32\atieclxx.exe
d:\program files\Motorola\MotoHelper\MotoHelperAgent.exe
d:\windows\system32\conhost.exe
d:\windows\SOUNDMAN.EXE
d:\\?\d:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2012-11-11 17:34:47 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-11 06:34
.
Pre-Run: 106,140,508,160 bytes free
Post-Run: 105,987,543,040 bytes free
.
- - End Of File - - 019659286C7B902DA8C50C0B6312959B

[gringo_pr]

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

• In your next post I need the following
  
  
• report from Combofix
• let me know of any problems you may have had
• How is the computer doing now after running the script?

Gringo

[redhari123]

Hi Gringo,
Ran combofix with cfscript and here is the logfile. There were no problems and the machine is running fine, it seems a bit
quicker than before. Anything else I should do?

George

ComboFix 12-11-10.03 - hari 12/11/2012 16:22:42.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.3070.2158 [GMT 11:00]
Running from: h:\downloads\ComboFix.exe
Command switches used :: d:\users\hari\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-10-12 to 2012-11-12 )))))))))))))))))))))))))))))))
.
.
2012-11-12 05:27 . 2012-11-12 05:27 -------- d-----w- d:\users\Default\AppData\Local\temp
2012-11-11 08:49 . 2012-11-11 13:18 -------- d-----w- d:\programdata\GFI Software
2012-11-11 06:57 . 2012-10-16 14:32 6918632 ----a-w- d:\programdata\Microsoft\Windows Defender\Definition Updates\{545C8A43-9BAC-47D0-9ED5-7751EFD609C1}\mpengine.dll
2012-11-11 06:27 . 2012-11-12 05:27 -------- d-----w- d:\users\hari\AppData\Local\temp
2012-11-10 10:57 . 2012-11-10 11:08 -------- d-----w- d:\programdata\ErrorEND
2012-11-10 10:57 . 2012-11-10 11:08 -------- d-----w- d:\program files\ErrorEND
2012-11-10 10:42 . 2012-11-10 10:42 -------- d-----w- d:\programdata\Downloaded Installations
2012-11-10 10:29 . 2012-11-10 10:29 -------- d-----w- d:\program files\GFI Software
2012-11-10 10:27 . 2012-11-10 10:27 -------- d-----w- d:\users\hari\AppData\Roaming\GFI Software
2012-11-10 06:44 . 2012-11-10 07:10 -------- d-----w- d:\program files\Mozilla Firefox 4.0 Beta 7
2012-11-07 04:48 . 2012-11-07 04:48 -------- d-----w- d:\windows\Panther
2012-10-31 09:34 . 2012-10-31 09:34 12872 ----a-w- d:\windows\system32\bootdelete.exe
2012-10-31 08:47 . 2012-10-31 08:47 -------- d-----w- d:\program files\HitmanPro
2012-10-31 08:47 . 2012-10-31 09:34 -------- d-----w- d:\programdata\HitmanPro
2012-10-30 14:27 . 2012-10-31 22:02 -------- d-----w- d:\program files\Mozilla Thunderbird
2012-10-23 10:25 . 2012-10-23 10:25 -------- d-----w- d:\users\hari\AppData\Roaming\Malwarebytes
2012-10-23 10:25 . 2012-10-23 10:25 -------- d-----w- d:\programdata\Malwarebytes
2012-10-19 13:22 . 2012-10-22 13:11 -------- d-----w- d:\programdata\AVAST Software
2012-10-19 13:22 . 2012-10-19 13:22 -------- d-----w- d:\program files\AVAST Software
2012-10-17 21:53 . 2012-08-31 17:18 1211760 ----a-w- d:\windows\system32\drivers\ntfs.sys
2012-10-17 21:53 . 2012-08-24 16:57 172544 ----a-w- d:\windows\system32\wintrust.dll
2012-10-17 21:53 . 2012-08-20 17:40 293376 ----a-w- d:\windows\system32\KernelBase.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-11-09 23:30 . 2012-04-08 09:27 696760 ----a-w- d:\windows\system32\FlashPlayerApp.exe
2012-11-09 23:30 . 2011-06-14 12:38 73656 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="d:\program files\PeerBlock\peerblock.exe" [2010-10-14 1866864]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SoundMan"="SOUNDMAN.EXE" [2009-04-13 604704]
"CTxfiHlp"="CTXFIHLP.EXE" [2009-06-17 23552]
"UpdReg"="d:\windows\UpdReg.EXE" [2000-05-10 90112]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Exetender"="d:\program files\Free Ride Games\GPlayer.exe" [2012-03-21 4862384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKLM\~\startupfolder\D:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^LaunchU3.exe.lnk]
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\D:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=d:\windows\pss\Logitech Desktop Messenger.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\D:^Users^hari^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=d:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\D:^Users^hari^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
backup=d:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\D:^Users^hari^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=d:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\D:^Users^hari^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ZiggyTV (Minimized).lnk]
backup=d:\windows\pss\ZiggyTV (Minimized).lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\removeSearchqudatamngr]
RD [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\removeSearchqutoolbar]
RD [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-11 19:00 919008 ----a-r- d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
2010-12-29 01:26 75048 ------w- d:\program files\CyberLink\Shared files\brs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-07-26 17:10 1983816 ----a-w- d:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-03-17 16:40 767312 ----a-w- d:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- d:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IJNetworkScanUtility]
2009-05-19 08:39 136544 ----a-w- d:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSU_agent]
2011-12-13 12:37 190768 ----a-w- d:\program files\Nokia\Nokia Software Updater\nsu3ui_agent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2012-06-26 03:10 1516632 ----a-w- d:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-04 15:54 417792 ----a-w- d:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl10]
2011-03-30 03:01 87336 ------w- d:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-04-08 10:38 251240 ----a-w- d:\program files\TomTom HOME 2\TomTomHOMERunner.exe
.
R0 XMS1563K;XMS1563K; [x]
R1 SBRE;SBRE;d:\windows\system32\drivers\SBREDrv.sys [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;d:\program files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [x]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;d:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]
R3 KMWDFILTERx86;HIDServiceDesc;d:\windows\system32\DRIVERS\KMWDFILTER.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;d:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;d:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;d:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;d:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;d:\windows\system32\drivers\rdvgkmd.sys [x]
S0 hotcore3;hotcore3;d:\windows\system32\drivers\hotcore3.sys [x]
S0 MFX;MFX; [x]
S0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;d:\windows\system32\DRIVERS\SI3112r.sys [x]
S0 sptd;sptd;d:\windows\System32\Drivers\sptd.sys [x]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;d:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;d:\windows\system32\atiesrxx.exe [x]
S2 cpuz134;cpuz134;d:\windows\system32\drivers\cpuz134_x32.sys [x]
S2 MotoHelper;MotoHelper Service;d:\program files\Motorola\MotoHelper\MotoHelperService.exe [x]
S2 TomTomHOMEService;TomTomHOMEService;d:\program files\TomTom HOME 2\TomTomHOMEService.exe [x]
S2 X6XSEx;X6XSEx;d:\program files\Free Ride Games\X6XSEx.Sys [x]
S3 RTL8167;Realtek 8167 NT Driver;d:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 WSDScan;WSD Scan Support via UMB;d:\windows\system32\DRIVERS\WSDScan.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - kl1
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-10 d:\windows\Tasks\Adobe Flash Player Updater.job
- d:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 23:30]
.
2012-11-10 d:\windows\Tasks\ErrorEND.job
- d:\program files\ErrorEND\ERROREND.exe [2012-11-02 10:18]
.
2012-10-01 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-12-16 13:48]
.
2012-11-12 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2010-12-16 13:48]
.
2012-10-01 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-41352046-3642212857-3618352276-1000Core.job
- d:\users\hari\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-23 09:14]
.
2012-10-02 d:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-41352046-3642212857-3618352276-1000UA.job
- d:\users\hari\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-23 09:14]
.
2012-11-12 d:\windows\Tasks\ReclaimerUpdateFiles_hari.job
- d:\users\hari\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-30 23:46]
.
2012-11-12 d:\windows\Tasks\ReclaimerUpdateXML_hari.job
- d:\users\hari\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-30 23:46]
.
2012-10-02 d:\windows\Tasks\RNUpgradeHelperLogonPrompt_hari.job
- d:\users\hari\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\10.20\agent\rnupgagent.exe [2012-09-30 23:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
IE: Add to Anti-Banner
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - d:\users\hari\AppData\Roaming\Mozilla\Firefox\Profiles\jvf5jjry.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - ExtSQL: !HIDDEN! 2010-03-01 23:20; {20a82645-c095-46ed-80e3-08825760534b}; d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-41352046-3642212857-3618352276-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{19D0C8EF-C6AF-A6DA-B4C4-0717ECC3C327}*]
"iakopdmolmjaagigbd"=hex:6b,61,68,6a,61,70,66,66,64,6d,63,62,69,6e,67,6d,68,69,
64,70,65,61,00,01
"haepjpnnijngdblj"=hex:6b,61,68,6a,61,70,66,66,64,6d,63,62,69,6e,67,6d,68,69,
64,70,6f,70,00,01
.
[HKEY_USERS\S-1-5-21-41352046-3642212857-3618352276-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2A53BFBB-672B-74AD-4EAC-5C39BE49FDB1}*]
"haldmeillmohhpmb"=hex:6a,61,6e,62,65,66,65,63,63,6f,62,70,6c,61,63,6c,65,68,
64,6b,00,85
"iajdgpmndnmncnhifc"=hex:6a,61,67,63,61,67,69,6e,63,65,69,67,6c,6e,69,66,66,62,
68,70,00,85
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@d:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="d:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-12 16:28:28
ComboFix-quarantined-files.txt 2012-11-12 05:28
ComboFix2.txt 2012-11-11 06:34
.
Pre-Run: 105,693,302,784 bytes free
Post-Run: 105,643,352,064 bytes free
.
- - End Of File - - B9FE946A05748D6BA4BC41E986D90FA9

[gringo_pr]

Hello

I would like to see a report that combofix makes.

extra combofix report

• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
• please copy and past the following into the box

C:\Qoobox\Add-Remove Programs.txt

• click ok

copy and paste the report into this topic for me to review

Gringo

[redhari123]

Update for Microsoft Office 2007 (KB2508958)
AC3Filter 1.63b
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop Elements 7.0
Adobe Reader 9.5.2
Apple Application Support
Apple Software Update
ASIO4ALL
ATI AVIVO Codecs
ATI Catalyst Install Manager
µTorrent
AudioConverter Studio 5.5
Auzen X-Fi Prelude 7.1
BayGenie eBay Auction Sniper Pro Edition 3.2.0.0
Binverse
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MP Drivers
Canon MP Navigator EX 3.0
Canon MP640 series MP Drivers
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
CCleaner
CD-LabelPrint
Choice Guard
CLIOwin 7 DEMO
CoreWavPack DirectShow Filters (remove only)
CPUID CPU-Z 1.55
CyberLink PowerDVD 10
Data Lifeguard Diagnostic for Windows 1.24
DH Driver Cleaner Professional Edition
Dolby Digital Live Pack
DTS Connect Pack
dvda-author (uninstall only)
Easy Duplicate Finder v. 1.4.3.0
eMule
ErrorEND
EVEREST Home Edition v2.20
FLAC 1.2.1b (remove only)
Folder Lock
foobar2000 v1.1.12a
Free Ride Games Player
GermaniX Transcoder
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
HC xDrive USB
HDtracks Download Manager
Japanese Fonts Support For Adobe Reader 9
Java Auto Updater
Java™ 6 Update 31
libsndfile-1.0.21
Live TV
Logitech Harmony Remote Software 7
M4a/Flac/Ogg/Ape/Mpc Tag Support Plugin for Media Player v 1.1
MagicDisc 2.7.106
MediaMonkey 4.0
Medieval CUE Splitter
Microsoft .NET Framework 4 Client Profile
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Mixxx 1.9.0
Monkey's Audio
MotoHelper 2.1.40 Driver
MotoHelper MergeModules
Mozilla Firefox 17.0 (x86 en-US)
Mozilla Maintenance Service
Mozilla Thunderbird 16.0.2 (x86 en-GB)
MSVC80_x86_v2
MSVC90_x86
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2721691)
MSXML 4.0 SP3 Parser (KB973685)
Myibidder Auction Bid Sniper for eBay 1.1.4
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia Software Updater
NP201AV Utility
OGA Notifier 2.0.0048.0
OpenAL
Paragon Partition Manager 9.0 Professional
PC Connectivity Solution
PeerBlock 1.0+ (r484)
Phasure OCX
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
Realtek AC'97 Audio
RealUpgrade 1.1
Recover My Files
Remote Control USB Driver
Roads of Rome
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687314) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2687315) 32-Bit Edition
Speaker Workshop
Spelling Dictionaries Support For Adobe Reader 9
System Requirements Lab
TomTom HOME 2.6.2.1586
TomTom HOME Visual Studio Merge Modules
U3Launcher
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB2596598) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2687407) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VLC media player 2.0.1
Windows Driver Package - Nokia Modem (02/25/2011 4.7)
Windows Driver Package - Nokia Modem (02/25/2011 7.01.0.9)
Windows Driver Package - Nokia pccsmcfd “LegacyDriver” (05/31/2012 7.1.2.0)
Windows Live Sign-in Assistant
Windows Live Upload Tool
WinISO 5.3
WinRAR archiver
Xiph.Org Open Codecs 0.85.17777

[gringo_pr]

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (it does allot better of a job

Programs to remove

Adobe Reader 9.5.2
µTorrent
eMule
Java™ 6 Update 31
[/list]

• Please download and install Revo Uninstaller Free
• Double click Revo Uninstaller to run it.
• From the list of programs double click on The Program to remove
• When prompted if you want to uninstall click Yes.
• Be sure the Moderate option is selected then click Next.
• The program will run, If prompted again click Yes
• when the built-in uninstaller is finished click on Next.
• Once the program has searched for leftovers click Next.
• Check/tick the bolded items only on the list then click Delete
• when prompted click on Yes and then on next.
• put a check on any folders that are found and select delete
• when prompted select yes then on next
• Once done click Finish.

.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com.../readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]
Install Java:

Please go here to install Java

• click on the Free Java Download Button
• click on Agree and start Free download
• click on Run
• click on run again
• click on install
• when install is complete click on close

Clean Out Temp Files

• This small application you may want to keep and use once a week to keep the computer clean.
  
  Download CCleaner from here http://www.ccleaner.com/
  
  
• Run the installer to install the application.
• When it gives you the option to install Yahoo toolbar uncheck the box next to it.
• Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
• Click Run Cleaner.
• Close CCleaner.

: Malwarebytes' Anti-Malware :

• Please download Malwarebytes' Anti-Malware to your desktop.
  
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
  • and Launch Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

• Go Here to download HijackThis Installer
• Save HijackThis Installer to your desktop.
• Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
• Click on Install.
• It will create a HijackThis icon on the desktop.
• Once installed it will launch Hijackthis.
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
• Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
• Come back here to this thread and Paste the log in your next reply.
• DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

• In your next post I need the following
  
  
• Log From MBAM
• report from Hijackthis
• let me know of any problems you may have had
• How is the computer doing now?

Gringo

[redhari123]

Hi Gringo,
Sorry for the delay, work commitments. Here are the latest results. There were no problems and the computer is woking well.
No redirections qick and responsive.
Anything else to do?

Regards

George




Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.14.02

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
hari :: HARI [administrator]

14/11/2012 8:48:14 PM
mbam-log-2012-11-14 (20-48-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 242025
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:33:33 PM, on 14/11/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16450)
Boot mode: Normal

Running processes:
D:\Windows\system32\Dwm.exe
D:\Program Files\Motorola\MotoHelper\MotoHelperAgent.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Windows\SOUNDMAN.EXE
D:\Windows\System32\mobsync.exe
D:\Windows\Explorer.exe
D:\Windows\system32\wuauclt.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Microsoft Office\Office12\WINWORD.EXE
D:\Program Files\Mozilla Thunderbird\thunderbird.exe
D:\Windows\system32\SearchFilterHost.exe
D:\Program Files\VS Revo Group\Revo Uninstaller\Revouninstaller.exe
D:\Users\hari\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre7\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] D:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [PeerBlock] D:\Program Files\PeerBlock\peerblock.exe
O4 - HKUS\S-1-5-18\..\Run: [Exetender] "D:\Program Files\Free Ride Games\GPlayer.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Exetender] "D:\Program Files\Free Ride Games\GPlayer.exe" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - D:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - D:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AMD External Events Utility - AMD - D:\Windows\system32\atiesrxx.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - D:\Program Files\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - D:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - D:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - D:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - D:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: MotoHelper Service (MotoHelper) - Unknown owner - D:\Program Files\Motorola\MotoHelper\MotoHelperService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - D:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: ServiceLayer - Nokia - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TomTomHOMEService - TomTom - D:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 6290 bytes

[gringo_pr]

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

• Run HijackThis
• Click on the Scan button
• Put a check beside all of the items listed below (if present):
  
  
  • O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [UpdReg] D:\Windows\UpdReg.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [PeerBlock] D:\Program Files\PeerBlock\peerblock.exe
    O4 - HKUS\S-1-5-18\..\Run: [Exetender] "D:\Program Files\Free Ride Games\GPlayer.exe" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Exetender] "D:\Program Files\Free Ride Games\GPlayer.exe" (User 'Default user')
    
• Close all open windows and browsers/email, etc...
• Click on the "Fix Checked" button
• When completed, close the application.
  
  NOTE**You can research each of those lines >here< and see if you want to keep them or not
  just copy the name between the brackets and paste into the search space
  O4 - HKLM\..\Run: [IntelliPoint]

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• click on the Run ESET Online Scanner button
• Tick the box next to YES, I accept the Terms of Use.
  
  • Click Start
• When asked, allow the add/on to be installed
  
  • Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings, ensure the options
  Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
• wait for the virus definitions to be downloaded
• Wait for the scan to finish

When the scan is complete

• If no threats were found
  
• put a checkmark in "Uninstall application on close"
• close program
• report to me that nothing was found

• If threats were found
  
• click on "list of threats found"
• click on "export to text file" and save it as ESET SCAN and save to the desktop
• Click on back
• put a checkmark in "Uninstall application on close"
• click on finish
• close program
• copy and paste the report here

Gringo

[redhari123]

D:\Users\hari\Desktop\New folder (3)\make windows xp genuine patch.rar multiple threats
D:\Users\hari\Desktop\New folder (3)\Windows XP All Versions SP2 SP3 Genuine Activation Patch (Anti WPA) - January 2010 by H33T.rar a variant of Win32/TrojanDownloader.Delf.PYF trojan
D:\Users\hari\Downloads\Media Monkey Gold 3.2.0.1294 + Keygen\Media Monkey Gold.rar a variant of Win32/Keygen.AG application
H:\Andrea_Bocelli-Discography(Part4)2006-2008_FLAC_CUE_Lossless.exe multiple threats
H:\Anne_Murray_-_The_Best_So_Far_1994_-_Kitlope_downloader.exe a variant of Win32/ExpressFiles application
H:\MyFunCards.exe a variant of Win32/AdInstaller application
H:\The_Best_Exotic_Marigold_Hotel_2011_720p_BluRay_X264-AMIABLE_[EtHD].exe Win32/Adware.1ClickDownload.G application
H:\[2001]_The_Record_(Their_Greatest_Hits)_-_Bee_Gees_1.exe Win32/Adware.1ClickDownload.G application
H:\Downloads\dvd-audio-solo-2.2-build-0945201.exe a variant of Win32/Agent.QHQ trojan
H:\Downloads\Getdata Recover my files.4.6.6.Build.830.rar NSIS/TrojanDownloader.FakeAlert.DK trojan
H:\Downloads\make windows xp genuine patch.rar multiple threats
H:\Downloads\XXHighEnd-09-Z52.zip a variant of MSIL/Packed.CryptoObfuscator.C application
H:\Downloads\Adobe Photoshop Elements 7.0 - Incl Keymaker -CORE !\Adobe Photoshop Elements 7\Activation\disable_activation.cmd BAT/HostsChanger.A application
H:\Downloads\Adobe Photoshop Elements 7.0 - Incl Keymaker -CORE !\Adobe Photoshop Elements 7\Activation\keygen.exe a variant of Win32/Keygen.BH application
H:\Downloads\DAEMON Tools Pro Advanced v4.35.0308 Multilingual With LOADER\DAEMONToolsPro4350308.exe probably a variant of Win32/TrojanDownloader.VB.OIY trojan
H:\Downloads\DVD.2010,new,100%,good,work.Fab.v6.2.1.8.Final.incl.key\DVDFab6218.exe probably a variant of Win32/TrojanDownloader.VB.OIY trojan
H:\Downloads\Folder Lock 6.3.2\FOR.PEOPLE.WHO.ARE.UNABLE.TO.CRACK.FOLDERLOCK.rar a variant of Win32/HackTool.Patcher.A application
H:\Downloads\Media Monkey Gold 3.2.0.1294 + Keygen\Media Monkey Gold.rar a variant of Win32/Keygen.AG application
H:\Downloads\Microstation V8i_8.11.05.17 CRACKED]\Microstation V8i_8.11.05.17 CRACKED].zip.exe Win32/Hoax.ArchSMS.MC application
H:\Downloads\Microstation V8i_8.11.05.17 CRACKED] [LYQT]\Microstation V8i_8.11.05.17 CRACKED] [LYQT].zip.exe Win32/Hoax.ArchSMS.MC application
H:\Downloads\Microstation V8i_8.11.05.17 with Prerequisites Pack x[CRACKED]\Microstation V8i_8.11.05.17 with Prerequisites Pack x[CRACKED].zip.exe Win32/Hoax.ArchSMS.MC application
H:\Downloads\Pse 7 Crack & Dummies\disable_activation.cmd BAT/HostsChanger.A application

[gringo_pr]

Hello

There are some minor things in your online scan that should be removed.


delete files

• Copy all text in the quote box (below)...to Notepad.
  

  @echo off
  del /f /s /q "D:\Users\hari\Desktop\New folder (3)\make windows xp genuine patch.rar"
  del /f /s /q "D:\Users\hari\Desktop\New folder (3)\Windows XP All Versions SP2 SP3 Genuine Activation Patch (Anti WPA) - January 2010 by H33T.rar"
  del /f /s /q "D:\Users\hari\Downloads\Media Monkey Gold 3.2.0.1294 + Keygen\Media Monkey Gold.rar"
  del /f /s /q "H:\Andrea_Bocelli-Discography(Part4)2006-2008_FLAC_CUE_Lossless.exe"
  del /f /s /q "H:\Anne_Murray_-_The_Best_So_Far_1994_-_Kitlope_downloader.exe"
  del /f /s /q "H:\MyFunCards.exe"
  del /f /s /q "H:\The_Best_Exotic_Marigold_Hotel_2011_720p_BluRay_X264-AMIABLE_[EtHD].exe"
  del /f /s /q "H:\[2001]_The_Record_(Their_Greatest_Hits)_-_Bee_Gees_1.exe"
  del /f /s /q "H:\Downloads\dvd-audio-solo-2.2-build-0945201.exe"
  del /f /s /q "H:\Downloads\Getdata Recover my files.4.6.6.Build.830.rar"
  del /f /s /q "H:\Downloads\make windows xp genuine patch.rar"
  del /f /s /q "H:\Downloads\XXHighEnd-09-Z52.zip"
  del /f /s /q "H:\Downloads\Adobe Photoshop Elements 7.0 - Incl Keymaker -CORE !\Adobe Photoshop Elements 7\Activation\disable_activation.cmd"
  del /f /s /q "H:\Downloads\Adobe Photoshop Elements 7.0 - Incl Keymaker -CORE !\Adobe Photoshop Elements 7\Activation\keygen.exe"
  del /f /s /q "H:\Downloads\DAEMON Tools Pro Advanced v4.35.0308 Multilingual With LOADER\DAEMONToolsPro4350308.exe"
  del /f /s /q "H:\Downloads\DVD.2010,new,100%,good,work.Fab.v6.2.1.8.Final.incl.key\DVDFab6218.exe"
  del /f /s /q "H:\Downloads\Folder Lock 6.3.2\FOR.PEOPLE.WHO.ARE.UNABLE.TO.CRACK.FOLDERLOCK.rar"
  del /f /s /q "H:\Downloads\Media Monkey Gold 3.2.0.1294 + Keygen\Media Monkey Gold.rar"
  del /f /s /q "H:\Downloads\Microstation V8i_8.11.05.17 CRACKED]\Microstation V8i_8.11.05.17 CRACKED].zip.exe"
  del /f /s /q "H:\Downloads\Microstation V8i_8.11.05.17 CRACKED] [LYQT]\Microstation V8i_8.11.05.17 CRACKED] [LYQT].zip.exe"
  del /f /s /q "H:\Downloads\Microstation V8i_8.11.05.17 with Prerequisites Pack x[CRACKED]\Microstation V8i_8.11.05.17 with Prerequisites Pack x[CRACKED].zip.exe"
  del /f /s /q "H:\Downloads\Pse 7 Crack & Dummies\disable_activation.cmd"
  del %0

• Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
  It should look like this: <--XP<--vista
• Double click on delfile.bat to execute it.
  A black CMD window will flash, then disappear...this is normal.
• The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.




Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful and if used incorrectly or at the wronge time can make the computer an expensive paper weight.
They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

• To re-enable your Emulation drivers, double click DeFogger to run the tool.
  
• The application window will appear
• Click the Re-enable button to re-enable your CD Emulation drivers
• Click Yes to continue
• A 'Finished!' message will appear
• Click OK
• DeFogger will now ask to reboot the machine - click OK.

Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

• turn off all active protection software
• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
• please copy and past the following into the box ComboFix /Uninstall and click OK.
• Note the space between the X and the /Uninstall, it needs to be there.
• 

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.

• Double-click OTCleanIt.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.
• If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and used often in helping to keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download and works allot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware The Gold standerd today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.

• Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  
• WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  
• Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
  totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)
  
  
  Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleges

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Gringo