YRJIE unremovable Chrome extension: possible fix or worse trouble?


  • This topic is locked
30 replies to this topic

#1 barbless

  • Members
  • 11 posts

Posted 15 April 2013 - 08:21 PM

Hi!

A while ago, I downloaded and installed a game that came with this Chrome extension that is not removable and has no way to disable it. I have since tried just about everything to get rid of it, with no success. So I wrote to YRJIE.com and asked them how to get rid of it. I did mention they should also be ashamed of themselves. This never works, but I was in that kind of a mood thinking I could just make it the central focus of my life to write them all the time and at least be a gnat buzzing around their heads. Instead, the second email included a download to uninstall the extension.

 

I don't want to open this without some advice. Is there some safe way of opening this attachment? 

 

Thanks for any suggestions.

 

barbe




#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 April 2013 - 08:38 PM


Hello barbe

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.





I need to get some reports to get a base to start from so I need you to run these programs first.


-DeFogger-
  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
  • Do not re-enable these drivers until otherwise instructed.

-Security Check-
  • Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-Download DDS-
  • Please download DDS from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply
-Information and logs-
  • In your next post I need the following:
    • both reports from DDS
    • report from Security Check
    • let me know of any problems you may have had

Gringo




I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
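For readers doing their own first pass over the DDS "Pseudo HJT Report" and Security Check output requested above, here is a small triage script, added as an example and not part of this thread or of the DDS/Security Check tools themselves. It flags the kinds of entries a helper looks at first (UAC turned off by policy, orphaned or missing-file registrations, a non-stock Winlogon Userinit, ActiveX controls registered from a local file, Trusted Zone entries, outdated software); the sample log text is constructed to mirror the DDS layout, with placeholder GUIDs and hostnames, and the severity labels are my own convention.

```python
import re
from dataclasses import dataclass

# Stock location of the Winlogon Userinit binary on a 32-bit Windows install.
USERINIT_EXPECTED = r"c:\windows\system32\userinit.exe"

# Constructed sample in the layout of a DDS "Pseudo HJT Report" (DDS defangs
# URLs as hxxp://). GUIDs and hostnames are placeholders, not real values.
SAMPLE_HJT = r"""
uStart Page = hxxp://www.example.invalid/start
mWinlogon: Userinit = c:\windows\system32\userinit.exe
dURLSearchHooks: {00000000-0000-0000-0000-000000000001} - <orphaned>
BHO: AutorunsDisabled - <orphaned>
mRun: [ISW] <no file>
mRun: [Tray] "c:\program files\vendor\tray.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
Trusted Zone: example.invalid
DPF: {00000000-0000-0000-0000-000000000002} - file:///C:/Program%20Files/Game/Images/stg_drm.ocx
DPF: {00000000-0000-0000-0000-000000000003} - hxxp://java.example.invalid/jinstall.cab
mWinlogon: Userinit = c:\users\someone\appdata\local\temp\userinit.exe
"""

# Constructed sample of the Security Check lines that carry a verdict.
SAMPLE_SECURITY_CHECK = """
Windows Vista Service Pack 2 x86 (UAC is disabled!)
Adobe Reader 8 Adobe Reader out of Date!
Java 7 Update 17
"""


@dataclass
class Finding:
    severity: str  # HIGH, MEDIUM, LOW or INFO (this script's own scale)
    line: str
    reason: str


def triage_hjt(text: str) -> list[Finding]:
    """Walk a Pseudo HJT Report and return the entries worth a second look."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        low = line.lower()
        # UAC switched off via policy; Security Check reports the same as "UAC is disabled!"
        if re.match(r"mpolicies-system:\s*enablelua\s*=\s*dword:0$", low):
            findings.append(Finding("HIGH", line, "UAC disabled by policy"))
        # Registration whose target no longer exists: stale, a cleanup candidate
        elif low.endswith("<orphaned>") or low.endswith("<no file>"):
            findings.append(Finding("LOW", line, "target missing; stale entry"))
        # Winlogon Userinit must be the stock binary in system32
        elif low.startswith("mwinlogon: userinit ="):
            value = line.split("=", 1)[1].strip().rstrip(",").lower()
            if value != USERINIT_EXPECTED:
                findings.append(Finding("HIGH", line, "Userinit is not the stock binary"))
        # ActiveX control (DPF) registered from a local file rather than a download site
        elif low.startswith("dpf:") and "file:///" in low:
            findings.append(Finding("MEDIUM", line, "ActiveX control sourced from a local file"))
        # IE Trusted Zone entries relax security for whatever is listed; confirm each one
        elif low.startswith("trusted zone:"):
            findings.append(Finding("INFO", line, "Trusted Zone entry; confirm it is intended"))
        # 255 disables AutoRun on every drive type, which is the desired setting
        elif re.match(r"[um]policies-explorer:\s*nodrivetypeautorun\s*=\s*dword:255$", low):
            findings.append(Finding("INFO", line, "AutoRun disabled on all drive types (good)"))
    return findings


def triage_security_check(text: str) -> list[Finding]:
    """Pick out the verdict lines Security Check appends to its report."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if "UAC is disabled!" in line:
            findings.append(Finding("HIGH", line, "UAC off; cross-check EnableLUA in DDS"))
        elif line.endswith("out of Date!"):
            findings.append(Finding("MEDIUM", line, "outdated software; update before continuing"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity so a log can be sized up at a glance."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_security_check(SAMPLE_SECURITY_CHECK):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
    print(summarize(triage_hjt(SAMPLE_HJT)))
```

To run it on a real log, paste the Pseudo HJT section into a file and pass its contents to `triage_hjt`; anything it does not flag still deserves the helper's read, since the rules only cover the settings discussed here.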

#3 barbless

  • Topic Starter
  • Members
  • 11 posts

Posted 15 April 2013 - 09:41 PM

Hello Gringo and thanks so much for your kind attention. This YRJIE extension has never been a noticeable problem, although it could be a real nasty one without me knowing. It just frosts my hide that this guy would write something so annoying. I'm not sure why you want me to run these tests since I was just hoping for some advice as to whether it would be royally stupid to open the attachment the malware maker sent me. If I could try it, I was wondering if there was some virtual place like the empty field they use to detonate old ammunition, you know what I mean? I don't want to waste your time. Nevertheless, thanks again for your expert attention and I have done as you instructed.
 
Defogger: followed your instructions.
 
 
Report from Security check:
 
Results of screen317's Security Check version 0.99.62  
 Windows Vista Service Pack 2 x86 (UAC is disabled!)  
 Internet Explorer 9  
``````````````Antivirus/Firewall Check:`````````````` 
ZoneAlarm Free Firewall Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 WinPatrol 
 Secunia PSI    
 Malwarebytes Anti-Malware version 1.70.0.1100  
 CCleaner     
 Java™ 6 Update 37  
 Java 7 Update 17  
 Adobe Flash Player 11.6.602.180  
 Adobe Reader 8 Adobe Reader out of Date! 
 Google Chrome 26.0.1410.43  
 Google Chrome 26.0.1410.64  
 Google Chrome plugins...  
````````Process Check: objlist.exe by Laurent````````  
 WinPatrol winpatrol.exe 
 BillP Studios WinPatrol WinPatrol.exe  
 CheckPoint ZoneAlarm vsmon.exe  
 CheckPoint ZoneAlarm zatray.exe  
 ZABackup Service.exe    
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 2 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 
 
 
 
DDS Results (both) - I have some confusion since the popup window for this tool says I should zip it and then include it as an attachment. Your instructions say to copy and include both reports here. Going to follow your instructions.
 
 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16476  BrowserJavaVersion: 10.17.2
Run by barbless at 22:19:44 on 2013-04-15
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3069.1681 [GMT -4:00]
.
AV: ZoneAlarm Free Firewall Antivirus *Enabled/Updated* {DE038A5B-9EDD-18A9-2361-FF7D98D43730}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Free Firewall Anti-Spyware *Enabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Stickies\stickies.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\taskeng.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\1.3.21.135\GoogleCrashHandler.exe
C:\Program Files\XPSMiniViewGadget\XPSMiniViewGadget.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\ZoneAlarmBackup\ZABackup Service.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\PROGRAM FILES\RAINLENDAR2\RAINLENDAR2.EXE
C:\PROGRAM FILES\CANON\MYPRINTER\BJMYPRT.EXE
C:\PROGRAM FILES\CANON\SOLUTION MENU EX\CNSEMAIN.EXE
C:\PROGRAM FILES\CANON\SOLUTION MENU EX\CNSEUPDT.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Java\jre7\bin\jp2launcher.exe
C:\Program Files\Java\jre7\bin\java.exe
C:\Users\barbless\Desktop\SecurityCheck.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k WindowsMobile
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071204
uWindow Title = Internet Explorer provided by Dell
uSearch Bar = Preserve
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071204
uURLSearchHooks: RealoreStudios Toolbar: {03fee850-0101-4e9e-b6d4-6fc74d3db360} - c:\program files\realorestudios\tbReal.dll
mURLSearchHooks: RealoreStudios Toolbar: {03fee850-0101-4e9e-b6d4-6fc74d3db360} - c:\program files\realorestudios\tbReal.dll
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
mWinlogon: Userinit = c:\windows\system32\userinit.exe
BHO: AutorunsDisabled - <orphaned>
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
EB: Canon Easy-WebPrint EX: {21347690-EC41-4F9A-8887-1F4AEE672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [GoogleDriveSync] "c:\program files\google\drive\googledrivesync.exe" /autostart
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [CCUTRAYICON] "c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe"
mRun: [ECenter] c:\dell\e-center\EULALAUNCHER.EXE
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [ISW] <no file>
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\stickies.lnk - c:\program files\stickies\stickies.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:255
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - {B119EB0C-C021-46CF-85B0-34A760E0D5FE} - c:\program files\iepro\IEPro.dll
IE: {1A93C934-025B-4c3a-B38E-9654A7003239} - {6F282B65-56BF-4BD1-A8B2-A4449A05863D}
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: bfgclient.exe
Trusted Zone: bfggamesservices.exe
Trusted Zone: bfgprocess.exe
Trusted Zone: bitdefender.com
Trusted Zone: netzero.com
Trusted Zone: netzero.net
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/OAS/ActiveX/MSDcode.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Burger%20Shop%202/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D0280B1-DC42-4DFA-9525-09BD48838539} - hxxp://www.fenomen-games.com/ashley-jones-heart-egypt/osakitpro.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {43E3F87D-DE7F-4087-BD4F-0DC854981158} - hxxp://download.microsoft.com/download/7/3/8/7384c441-3721-41ee-ae15-b678888f00dd/clearadj.CAB
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242661595028
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1282490218071
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.gamehouse.com/games/gamehouse/ghplayer.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {8FA2192F-B95D-40E3-898F-8D7ABB8E00D0} - hxxp://download-games.pogo.com/online2/pogo/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://zone.msn.com/bingame/burg/default/GoBitGamesPlayer_v6.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://pogo.oberon-media.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab
DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} - hxxp://zone.msn.com/bingame/fotg/default/ddfotg.1.0.0.37.cab
DPF: {C5326A4D-E9AA-40AD-A09A-E74304D86B47} - hxxp://www.worldwinner.com/games/v52/dinerdash/dinerdash.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {D410AFBD-4E26-4D5F-840F-0412D6F6BB8D} - hxxp://p.playfirst.com/play/game/sandscript/SandScript.1.0.0.21.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E9B80D94-D8BC-43DE-9138-75605A8D9666} - hxxp://zone.msn.com/bingame/wedd/default/WeddingDash.1.0.0.50.cab
DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} - hxxp://pogo.oberon-media.com/online2/pogo/wedding_dash/WeddingDash.1.0.0.47.cab
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://download-games.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
TCP: NameServer = 192.168.1.254
TCP: Interfaces\{8082B016-B680-4195-B9EB-0EFBC05EDBFB} : DHCPNameServer = 192.168.1.254
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.64\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-8-6 16184]
R1 kl2;kl2;c:\windows\system32\drivers\kl2.sys [2012-5-10 11352]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-3-16 176128]
R2 DQLWinService;DQLWinService;c:\program files\common files\intel\inteldh\nms\adpplugins\DQLWinService.exe [2007-2-12 208896]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-19 21504]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27056]
R2 nmsunidr;UniDriver for NMS;c:\windows\system32\drivers\nmsunidr.sys [2007-2-18 5376]
R3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-12-4 5632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 DHTRACE;Intel® DHTrace Controller;c:\program files\common files\intel\inteldh\bin\DHTraceController.exe [2007-6-27 39640]
S3 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2012-5-14 913752]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 Boonty Games;Boonty Games;c:\program files\common files\boonty shared\service\Boonty.exe [2009-5-1 69120]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-5-28 14896]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\WINWORD.EXE - HKCR\Unknown\Shell=c:\windows\system32\rundll32.exe c:\windows\system32\shell32.dll,OpenAs_RunDLL %1 [UserChoice] [default=openas]
ShellExec: pi11.exe: Open="c:\program files\microsoft digital image 2006\pi.exe" "%1"
.
=============== Created Last 30 ================
.
2013-04-13 04:25:43 7108640 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{0e1cb117-3ab3-4b8a-8239-3cfead8f4789}\mpengine.dll
2013-04-12 19:34:38 -------- d-----w- c:\program files\Viking Brothers
2013-04-10 18:08:42 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 18:08:40 64000 ----a-w- c:\windows\system32\smss.exe
2013-04-10 18:08:40 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 18:08:40 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-10 18:08:39 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-10 18:04:21 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-04-10 18:04:18 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-04-10 18:04:14 2049024 ----a-w- c:\windows\system32\win32k.sys
2013-04-01 03:19:36 -------- d-----w- c:\program files\7 Wonders - Magical Mystery Tour
2013-03-30 17:48:24 -------- d-----w- c:\program files\4 Elements II
2013-03-30 17:26:43 -------- d-----w- c:\program files\My Kingdom for the Princess III
2013-03-24 00:30:04 -------- d-----w- c:\users\barbless\appdata\roaming\northerntale_iwin_en
2013-03-23 01:18:37 -------- d-----w- c:\users\barbless\appdata\roaming\adelantado_big_fish_en
2013-03-21 23:32:47 -------- d-----w- c:\users\barbless\appdata\roaming\Nitreal Games
2013-03-21 18:40:18 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-03-21 03:37:20 -------- d-----w- c:\users\barbless\AtlantisQuest
2013-03-20 16:32:15 -------- d-----w- c:\programdata\PogoDGC
2013-03-20 16:31:40 -------- d-----w- c:\program files\Pogo Games
2013-03-20 14:36:46 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
==================== Find3M  ====================
.
2013-03-20 14:36:10 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-20 14:36:10 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-13 00:00:31 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-13 00:00:31 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-12 05:10:56 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-03-05 15:56:49 589 ----a-w- c:\windows\uninstallstickies.bat
2013-02-22 03:46:00 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-22 03:38:00 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-02-22 03:37:50 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-22 03:34:17 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-22 03:34:03 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-02-22 03:31:46 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-10-15 15:33:58 85504 ---ha-w- c:\program files\IeAdsBlocker.dll
2010-07-28 16:12:08 461 ----a-w- c:\program files\0728201012120866.bat
2007-12-25 02:24:47 774144 ----a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 22:21:24.21 ===============
 
 
Report #2:
 
 
 
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft® Windows Vista™ Home Premium 
Boot Device: \Device\HarddiskVolume3
Install Date: 12/4/2007 8:13:00 AM
System Uptime: 4/15/2013 7:52:08 AM (15 hours ago)
.
Motherboard: Dell Inc. |  | 0TP406
Processor: Intel® Core™2 Quad CPU    Q6600  @ 2.40GHz | CPU | 2394/1066mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 283 GiB total, 164.45 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 3.177 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP3633: 3/29/2013 4:23:43 PM - Scheduled Checkpoint
RP3634: 3/30/2013 10:16:22 AM - Scheduled Checkpoint
RP3635: 3/31/2013 1:05:54 PM - Scheduled Checkpoint
RP3636: 4/1/2013 4:31:48 PM - Scheduled Checkpoint
RP3637: 4/2/2013 7:50:58 AM - Scheduled Checkpoint
RP3638: 4/3/2013 1:09:15 AM - Windows Update
RP3639: 4/3/2013 5:16:23 PM - Scheduled Checkpoint
RP3640: 4/4/2013 4:48:37 PM - Scheduled Checkpoint
RP3641: 4/5/2013 4:22:08 PM - Scheduled Checkpoint
RP3642: 4/6/2013 2:53:31 PM - Scheduled Checkpoint
RP3643: 4/7/2013 9:58:26 AM - Scheduled Checkpoint
RP3644: 4/8/2013 9:44:06 AM - Scheduled Checkpoint
RP3645: 4/9/2013 8:57:45 AM - Scheduled Checkpoint
RP3646: 4/10/2013 12:07:26 AM - Windows Update
RP3647: 4/11/2013 12:04:25 AM - Windows Update
RP3648: 4/11/2013 6:35:51 PM - Scheduled Checkpoint
RP3649: 4/12/2013 5:29:42 PM - Scheduled Checkpoint
RP3650: 4/13/2013 10:22:30 AM - Scheduled Checkpoint
RP3651: 4/14/2013 7:37:26 AM - Scheduled Checkpoint
RP3652: 4/15/2013 9:54:27 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
4 Elements II
7-Zip 4.65
7 Wonders: Ancient Alien Makeover
7 Wonders: Magical Mystery Tour
A Gnome's Home: The Great Crystal Crusade
ABBYY FineReader 6.0 Sprint
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Common File Installer
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Download Manager
Adobe ExtendScript Toolkit 2
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Help Viewer CS3
Adobe PDF Library Files
Adobe Photoshop Elements 6.0
Adobe Premiere Elements 4.0
Adobe Premiere Elements 4.0 Templates
Adobe Reader X (10.1.6)
Adobe Setup
Adobe Shockwave Player 12.0
Adobe Soundbooth CS3
Adobe Soundbooth CS3 Codecs
Adobe Soundbooth CS3 Scores
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Advanced SystemCare 5
Alice Greenfingers Full Version 1.06
Ancient Hearts and Spades
Ancient Seal
Apple Application Support
Apple Software Update
AT&T Self Support Tool
ATI Catalyst Control Center
ATI Catalyst Install Manager
Atlantis
ATT-PRT22
AusLogics System Information
Avery Wizard 3.1
AVG 2012
Barn Yarn Collector's Edition
Bato: Treasures of Tibet
BD Studio Games
BDStudioGames
Big Fish Games: Game Manager
Bing Bar
Bing Rewards Client Installer
Blender (remove only)
Bonjour
Bonjour Print Services
Browser Address Error Redirector
Build-a-lot
Burger Bustle
Burger Bustle: Ellie's Organics
Burger Rush
Burger Shop
Burger Shop 2
Cake Mania 3
Cake Mania Back to the Bakery (remove only)
Call of Atlantis
Canon Easy-PhotoPrint EX
Canon Easy-WebPrint EX
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MG5300 series MP Drivers
Canon MG5300 series On-screen Manual
Canon MG5300 series User Registration
Canon MP Navigator EX 1.0
Canon MP Navigator EX 5.0
Canon MP610 series
Canon MP610 series User Registration
Canon My Printer
Canon Solution Menu EX
Canon Utilities Solution Menu
Catalina Savings Printer
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Polish
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Thai
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help English
CCC Help French
CCC Help German
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Polish
CCC Help Portuguese
CCC Help Spanish
CCC Help Thai
CCC Help Turkish
CCleaner
Christmas Wonderland 2
Clutter II: He Said, She Said
Compatibility Pack for the 2007 Office system
Conexant D850 PCI V.92 Modem
Countryside Buffet
Coupon Printer for Windows
Crayon Physics Deluxe Demo - release 52
Deep Ball Defender 1.0
Defraggler
Delicious - Emily's Childhood Memories Premium Edition
Dell DataSafe Online
Dell Games
Dell Getting Started Guide
Dell Support Center (Support Software)
Digital Line Detect
Diner Dash® 5 - BOOM!
Enchanted Cavern
Everyday Genius - Square Logic (remove only)
Farm Craft 2
Farm Craft 2: Global Vegetable Crisis
Farm Frenzy (remove only)
Farm Frenzy 3: American Pie
Fashion Forward (remove only)
FastStone Photo Resizer 2.6
Fishing Craze
GamesBar 2.0.1.81
Google Chrome
Google Drive
Google Earth
Google Update Helper
Gourmania
Grave Mania: Pandemic Pandemonium
Hardwood Euchre
Haunted Domains
Hidden Expedition: Titanic™
Hotdog Hotshot
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Smart Web Printing
Ice Cream Craze: Tycoon Takeover
IE7Pro
Intel® PRO Network Connections 12.1.12.4
Intel® Viiv™ Software
Internet Explorer Member Plugin
Island Tribe
iWin Games (remove only)
Japanese Fonts Support For Adobe Reader 8
Java 7 Update 17
Java Auto Updater
Java™ 6 Update 37
Jessica's Cupcake Cafe
Jewels of Cleopatra
LandGrabbers
Lightscreen
Liong: The Dragon Dance (remove only)
Liong: The Lost Amulets
Lost in Night
Magic Ball 3 (remove only)
Magic Vines&trade;
Mahjong Towers Eternity ™
Mahjongg Dimensions Deluxe
Malwarebytes Anti-Malware version 1.70.0.1100
McAfee Security Scan
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Standard 2006
Microsoft Digital Image Standard 2006 Editor
Microsoft Digital Image Standard 2006 Library
Microsoft Money 2006
Microsoft Office Accounting 2009
Microsoft Office Accounting 2009 Equifax Addin
Microsoft Office Accounting 2009 Fixed Asset Manager
Microsoft Office Accounting 2009 PayPal Addin
Microsoft Office Accounting 2009 Tax Integration Add-in
Microsoft Office Accounting ADP Payroll Addin
Microsoft Office Live Add-in 1.5
Microsoft Office Small Business Connectivity Components
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft UI Engine
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Microsoft XNA Framework Redistributable 3.1
Modem Diagnostic Tool
Monument Builder: Eiffel Tower
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Music, Photos & Videos Launcher
My Farm Life 2
My Kingdom for the Princess
My Kingdom for the Princess II
My Kingdom for the Princess III
MyPaint 0.8.2
Mystery Case Files: Ravenhearst 
Mystery P.I.™ - The New York Fortune Evaluation
Mystic Inn (remove only)
Nikakudori (remove only)
Northern Tale
Octoshape add-in for Adobe Flash Player
OGA Notifier 2.0.0048.0
Once Upon a Diner (Diner Dash Hometown Hero - Gourmet)
OpenAL
OrangeNote™
Paradise Beach
Paradise Quest
PC Pitstop Optimize3 3.0
Photobie -- photo editing software from Photobie Design
Pizza Chef
Pogo Games
PowerGramo Basic
Product Documentation Launcher
QuickTime
Rainlendar2 (remove only)
Ranch Rush
Ranch Rush® 2
RealArcade
RealoreStudios Toolbar
Rescue Team
Revo Uninstaller 1.71
Roads of Rome III
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Premier
Roxio Creator Tools
Roxio EasyArchive
Roxio Express Labeler
Roxio MyDVD Premier
Roxio Update Manager
Sally's Salon (remove only)
Sandlot Connect Version 1.2.6
ScanSoft OmniPage SE 4
Secunia PSI
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Shape Shifter
Skins
Skype web features
Skype™ 5.0
Smart Defrag 2
Sonic CinePlayer Decoder Pack
Souptoys
Speccy
SpeedFan (remove only)
Spelling Dictionaries Support For Adobe Reader 8
Stand O' Food 2
Start Menu XP version 4.0
Stickies 7.1e
Stone Age Cafe
Super Bounce Out
Sweet Home 3D
swMSM
Tasty Planet (remove only)
Teddy Factory
The Legend of Sleepy Hollow: Jar of Marbles III - Free to Play
The Rise of Atlantis
The Treasures of Montezuma 2
The Walls of Jericho
TrueCrypt
Tumblebugs 2
Tumblebugs 2 Version 1.0
TweakNow PowerPack 2011 SP1a
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update Installer for WildTangent Games App
VC 9.0 Runtime
Venice Mystery (remove only)
Viking Brothers
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VIVA MEDIA GAME CENTER
Weather Lord
Web Games Player Plugin
Wedding Salon
Westward (remove only)
What's Running 2.2
WIDCOMM Bluetooth Software 6.0.1.4300
WildTangent Games
WildTangent Games App
WinDirStat 1.1.2
Windows 7 Upgrade Advisor
Windows Live ID Sign-in Assistant
Windows Mobile Device Center
Windows Mobile Device Center Driver Update
WinPatrol
Word Slinger
Works Upgrade
World of Warcraft FREE Trial
World Voyage
XPS MiniView Gadget
Yahoo! Software Update
Yahoo! Toolbar
ZoneAlarm Antivirus
ZoneAlarm Firewall
ZoneAlarm Free Firewall
ZoneAlarm LTD Toolbar
ZoneAlarm Security
ZoneAlarm Security Toolbar 
Zuma Deluxe
Zylom Games Player Plugin
.
==== Event Viewer Messages From Past Week ========
.
4/15/2013 7:54:09 AM, Error: Service Control Manager [7038]  - The DHTRACE service was unable to log on as .\IUSR_NMPR with the currently configured password due to the following error:  Logon failure: unknown user name or bad password. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).
4/15/2013 7:54:09 AM, Error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  Lbd SBRE
4/15/2013 7:54:09 AM, Error: Service Control Manager [7000]  - The Intel® DHTrace Controller service failed to start due to the following error:  The service did not start due to a logon failure.
.
==== End Of File ===========================
 


#4 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 15 April 2013 - 10:10 PM


Hello barbless


These are the programs I would like you to run next; if you have any problems with one of them, just skip it and move on to the next one.


-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.

Gringo





I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 19 April 2013 - 09:55 PM


Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo

#6 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 21 April 2013 - 11:27 PM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo

#7 barbless (Topic Starter)
  • Members
  • 11 posts

Posted 22 April 2013 - 08:53 AM

Hi Gringo,

I am sorry for not answering in a more timely manner. I lost my internet connection for almost 2 days but I am finally back online. I got as far as running AdwCleaner before I lost the internet.

The unwanted extension is gone! Thanks very much.

I am wondering if I am talking to an actual person or some very capable software since I never got an answer to my original question. I do truly thank you for helping me get rid of the unwanted extension.

What do I need to do next?



#8 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 22 April 2013 - 12:47 PM

Hello


Reading through your posts, I didn't see the question per se.


I need you to run all the tools so I can make sure there is nothing else on here. This piece of software, although it may not do anything really bad, is still bad, as it is really hard to remove and can even bring friends to the party.


gringo

#9 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 25 April 2013 - 12:40 AM


Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo

#10 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 28 April 2013 - 12:50 AM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!
Gringo

#11 barbless (Topic Starter)
  • Members
  • 11 posts

Posted 28 April 2013 - 09:16 AM

Hi Gringo,

Thank you again for your expertise and attention. I'm sorry I appear to be taking a long time between posts. My real life is somewhat hectic right now.

My question was: is there some safe place or some technique to open a suspect attachment/program/whatever? Somewhere safe, like the real world does with old ammunition or WWII grenades (a big open field where it is safe to blow the thing up). It is something the old computer nerd in me is curious about. In the old days it was assumed that there is a way to do every single thing a computer nerd wanted to do; it was just a question of finding the person who built it or getting your fellow nerds together to build it yourself.

The last program you instructed me to run - results of RogueKiller:

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : barbless [Admin rights]
Mode : Remove -- Date : 04/28/2013 10:06:19
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 12 ¤¤¤
[TASK][SUSP PATH] BFGLaunch_bfgprocess : "C:\Program Files\bfgclient\bfgprocess.exe" "C:\Users\barbless\AppData\Local\Temp\nscB921.tmp" [x] -> DELETED
[TASK][SUSP PATH] BFGLaunch_great-wall-of-words_s1_l1_gF2321T1L1_d156529813[1] : "C:\Users\barbless\AppData\Local\Temp\great-wall-of-words_s1_l1_gF2321T1L1_d156529813[1].exe" /STUBPATH "C:\Users\barbless\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z3ESDP1M\great-wall-of-words_s1_l1_gF2321T1L1_d156529813[1].exe" [x] -> DELETED
[TASK][SUSP PATH] BFGLaunch_reactivate_p7317095[1] : "C:\Users\barbless\AppData\Local\Temp\reactivate_p7317095[1].exe"  [x] -> DELETED
[TASK][SUSP PATH] IHUninstallTrackingTASK : CMD /C DEL C:\Users\barbless\AppData\Local\Temp\IHU9607.tmp.exe [x] -> DELETED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ Extern Hives: ¤¤¤
-> D:\windows\system32\config\SOFTWARE
-> D:\windows\system32\config\SYSTEM
-> D:\Users\Default\NTUSER.DAT
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts
 
127.0.0.1       localhost
::1             localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: WDC WD3200AAKS-75VYA0 ATA Device +++++
--- User ---
[MBR] b5b93b6bf125e297dea1eb0131ffb6e9
[BSP] bdf99326810b3ea5b3c85f61013cb3ba : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 15360 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31569920 | Size: 289829 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[2]_D_04282013_02d1006.txt >>
RKreport[1]_S_04282013_02d1004.txt ; RKreport[2]_D_04282013_02d1006.txt

Edited by barbless, 28 April 2013 - 09:36 AM.
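As an added example (not part of the thread and not RogueKiller's own code), a small parser for the Registry Entries section of the RogueKiller report above. It pulls out the policy values the log shows being touched (DisableTaskMgr, DisableRegistryTools, EnableLUA) and the scheduled tasks tagged SUSP PATH, and cross-checks the parsed count against the count in the section header. The line format and tag meanings are inferred from this log; the POLICY_VALUES table is our own lookup, and the sample input is the thread's twelve entries.

```python
"""Parse the 'Registry Entries' section of a RogueKiller report and flag the
entries a responder looks at first. Line format and tag meanings are inferred
from the report in this thread; this is not RogueKiller's own code."""
import re
from dataclasses import dataclass
from typing import Optional

# One entry: leading [TAG] groups, a body, '-> ACTION', optional '(new data)'.
LINE_RE = re.compile(
    r"^(?P<tags>(?:\[[^\]]*\])+)\s+(?P<body>.*?)\s+->\s+(?P<action>[A-Z]+)"
    r"(?:\s+\((?P<new>[^)]*)\))?\s*$"
)
# Registry detail looks like 'ValueName (data)'; task command lines do not.
VALUE_RE = re.compile(r"^(?P<name>\S+)\s+\((?P<data>[^)]*)\)$")
COUNT_RE = re.compile(r"Registry Entries\s*:\s*(\d+)")

# Hypothetical lookup table (ours, not RogueKiller's): the policy values the
# thread's log shows, and what each one controls.
POLICY_VALUES = {
    "DisableTaskMgr": "policy that blocks Task Manager",
    "DisableRegistryTools": "policy that blocks Registry Editor",
    "EnableLUA": "User Account Control switch (0 = UAC off)",
}


@dataclass
class Entry:
    tags: list
    target: str                # scheduled-task name or registry key path
    detail: str                # command line, or 'ValueName (data)'
    action: str                # DELETED, REPLACED, ...
    new_data: Optional[str]    # data written for REPLACED, else None
    value_name: Optional[str] = None
    value_data: Optional[str] = None


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None            # section headers, hosts lines, blanks
    tags = re.findall(r"\[([^\]]*)\]", m.group("tags"))
    target, _, detail = m.group("body").partition(" : ")
    e = Entry(tags, target, detail, m.group("action"), m.group("new"))
    v = VALUE_RE.match(detail)
    if v:
        e.value_name, e.value_data = v.group("name"), v.group("data")
    return e


def parse_report(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e]


def declared_count(text: str) -> Optional[int]:
    """Count printed in the section header, to cross-check the parser."""
    m = COUNT_RE.search(text)
    return int(m.group(1)) if m else None


def policy_findings(entries: list) -> list:
    """(value name, data found, action, data after) for policy values."""
    return [(e.value_name, e.value_data, e.action, e.new_data)
            for e in entries if e.value_name in POLICY_VALUES]


def suspicious_tasks(entries: list) -> list:
    """Names of scheduled tasks RogueKiller tagged [TASK][SUSP PATH]."""
    return [e.target for e in entries
            if "TASK" in e.tags and "SUSP PATH" in e.tags]


# Constructed sample: the twelve registry entries from the report above.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 12 ¤¤¤
[TASK][SUSP PATH] BFGLaunch_bfgprocess : "C:\Program Files\bfgclient\bfgprocess.exe" "C:\Users\barbless\AppData\Local\Temp\nscB921.tmp" [x] -> DELETED
[TASK][SUSP PATH] BFGLaunch_great-wall-of-words_s1_l1_gF2321T1L1_d156529813[1] : "C:\Users\barbless\AppData\Local\Temp\great-wall-of-words_s1_l1_gF2321T1L1_d156529813[1].exe" /STUBPATH "C:\Users\barbless\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z3ESDP1M\great-wall-of-words_s1_l1_gF2321T1L1_d156529813[1].exe" [x] -> DELETED
[TASK][SUSP PATH] BFGLaunch_reactivate_p7317095[1] : "C:\Users\barbless\AppData\Local\Temp\reactivate_p7317095[1].exe"  [x] -> DELETED
[TASK][SUSP PATH] IHUninstallTrackingTASK : CMD /C DEL C:\Users\barbless\AppData\Local\Temp\IHU9607.tmp.exe [x] -> DELETED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(f"parsed {len(found)} of {declared_count(SAMPLE_REPORT)} declared entries")
    for name, data, action, new in policy_findings(found):
        print(f"{name} ({POLICY_VALUES[name]}): data {data} -> {action} {new or ''}".rstrip())
    for task in suspicious_tasks(found):
        print("suspicious task:", task)
```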


#12 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 28 April 2013 - 02:42 PM

Hello

"My question was is there some safe place or some technique to open a suspect attachment/program/whatever?" There is what is called a VM (virtual machine) - http://en.wikipedia.org/wiki/Virtual_machine


I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#13 barbless (Topic Starter)
  • Members
  • 11 posts

Posted 01 May 2013 - 01:25 PM

Hi Gringo,

My computer seems to be running fine.

The original malware, YRJIE, is gone.

Combofix seemed to stall at preparing the report after Combofix restarted the computer. I clicked on Combofix (after restarting the computer because everything I clicked on had an "illegal operation" message, per your instructions), hoping the first report did get generated and saved, but ended up running Combofix again, so I am not sure if this report is for both runs or just the second:

ComboFix 13-05-01.03 - barbless 05/01/2013  13:36:49.2.4 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3069.1483 [GMT -4:00]
Running from: c:\users\barbless\Downloads\ComboFix.exe
AV: ZoneAlarm Free Firewall Antivirus *Disabled/Updated* {DE038A5B-9EDD-18A9-2361-FF7D98D43730}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Free Firewall Anti-Spyware *Disabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\barbless\AppData\Local\Temp\_MEI42042\_ctypes.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\_elementtree.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\_hashlib.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\_multiprocessing.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\_socket.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\_ssl.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\pyexpat.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\pysqlite2._sqlite.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\python27.dll
c:\users\barbless\AppData\Local\Temp\_MEI42042\pythoncom27.dll
c:\users\barbless\AppData\Local\Temp\_MEI42042\PyWinTypes27.dll
c:\users\barbless\AppData\Local\Temp\_MEI42042\select.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\unicodedata.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\win32api.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\win32com.shell.shell.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\win32crypt.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\win32event.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\win32file.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\win32inet.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\win32pdh.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\win32process.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\win32profile.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\win32security.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\win32ts.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\windows._cacheinvalidation.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\wx._controls_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\wx._core_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\wx._gdi_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\wx._html2.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\wx._misc_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\wx._windows_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\wx._wizard.pyd
c:\users\barbless\AppData\Local\Temp\_MEI42042\wxbase294u_net_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI42042\wxbase294u_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI42042\wxmsw294u_adv_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI42042\wxmsw294u_core_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI42042\wxmsw294u_html_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI42042\wxmsw294u_webview_vc90.dll
.
---- Previous Run -------
.
C:\Install.exe
c:\program files\iWin Games\iWinGamesHookIE.dll
c:\users\barbless\AppData\Local\BcsKtYcHW.dll
c:\users\barbless\AppData\Local\Temp\_MEI54042\_ctypes.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\_elementtree.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\_hashlib.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\_multiprocessing.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\_socket.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\_ssl.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\pyexpat.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\pysqlite2._sqlite.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\python27.dll
c:\users\barbless\AppData\Local\Temp\_MEI54042\pythoncom27.dll
c:\users\barbless\AppData\Local\Temp\_MEI54042\PyWinTypes27.dll
c:\users\barbless\AppData\Local\Temp\_MEI54042\select.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\unicodedata.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\win32api.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\win32com.shell.shell.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\win32crypt.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\win32event.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\win32file.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\win32inet.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\win32pdh.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\win32process.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\win32profile.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\win32security.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\win32ts.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\windows._cacheinvalidation.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\wx._controls_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\wx._core_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\wx._gdi_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\wx._html2.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\wx._misc_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\wx._windows_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\wx._wizard.pyd
c:\users\barbless\AppData\Local\Temp\_MEI54042\wxbase294u_net_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI54042\wxbase294u_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI54042\wxmsw294u_adv_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI54042\wxmsw294u_core_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI54042\wxmsw294u_html_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI54042\wxmsw294u_webview_vc90.dll
c:\users\barbless\AppData\Local\Temp\tmpw11xcy\googledrivesync.exe
c:\users\barbless\AppData\Roaming\.#\MBX@2134@1FF72F8.###
c:\users\barbless\AppData\Roaming\.#\MBX@2134@1FF7358.###
c:\users\barbless\AppData\Roaming\log.txt
c:\users\barbless\Desktop\Internet Explorer.lnk
c:\windows\struct~.ini
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\setup.ini
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Boonty Games
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-01 to 2013-05-01  )))))))))))))))))))))))))))))))
.
.
2013-05-01 17:49 . 2013-05-01 17:49 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2013-05-01 04:39 . 2013-04-10 03:08 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{ECC97C40-AD33-416F-B405-EF35EF632D03}\mpengine.dll ERROR(0x00000005)
2013-04-30 14:49 . 2013-04-30 14:50 -------- d-----w- c:\program files\TV Farm 2
2013-04-24 16:14 . 2013-04-24 16:14 -------- d-----w- c:\program files\Lunch Rush HD
2013-04-22 14:53 . 2013-04-22 14:54 -------- d-----w- c:\program files\Fitness Bustle - Energy Boost
2013-04-21 14:44 . 2013-04-21 14:44 -------- d-----w- c:\users\barbless\AppData\Roaming\Check Point Software Technologies LTD
2013-04-19 18:54 . 2013-04-19 18:54 -------- d-----w- c:\users\barbless\AppData\Roaming\Anino Games
2013-04-19 18:45 . 2013-04-19 18:45 -------- d-----w- c:\users\barbless\AppData\Roaming\NevoSoft
2013-04-18 02:32 . 2013-04-18 02:32 -------- d-----w- c:\users\barbless\AppData\Roaming\casualArts
2013-04-16 16:51 . 2013-04-16 17:00 -------- d-----w- c:\users\barbless\AppData\Roaming\Kutawaves Games
2013-04-10 18:08 . 2013-03-03 19:07 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 18:08 . 2013-03-11 13:25 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 18:08 . 2013-03-11 13:25 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-10 18:08 . 2013-03-09 01:28 64000 ----a-w- c:\windows\system32\smss.exe
2013-04-10 18:08 . 2013-03-09 03:45 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-10 18:04 . 2013-03-08 03:52 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-04-10 18:04 . 2013-03-08 03:53 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-04-10 18:04 . 2013-03-05 01:40 2049024 ----a-w- c:\windows\system32\win32k.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-27 14:24 . 2012-07-08 19:04 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-27 14:24 . 2011-07-13 13:58 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-10 03:08 . 2009-04-25 03:55 6906960 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll ERROR(0x00000005)
2013-04-10 03:08 . 2007-12-11 03:12 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll ERROR(0x00000005)
2013-03-20 14:36 . 2013-03-20 14:36 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-20 14:36 . 2012-06-18 14:09 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-20 14:36 . 2010-04-19 15:55 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-12 05:10 . 2009-10-04 02:54 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-03-07 19:49 . 2013-03-07 19:49 45056 ----a-r- c:\users\barbless\AppData\Roaming\Microsoft\Installer\{4956ACE3-F537-4418-BB45-FD52395275A7}\UNINST_Uninstall_C_EBD1846850A64C858760A659B987DCFF.exe
2013-03-07 19:49 . 2013-03-07 19:49 45056 ----a-r- c:\users\barbless\AppData\Roaming\Microsoft\Installer\{4956ACE3-F537-4418-BB45-FD52395275A7}\ARPPRODUCTICON.exe
2013-03-05 15:56 . 2013-03-05 15:56 589 ----a-w- c:\windows\uninstallstickies.bat
2013-02-12 01:57 . 2013-03-21 18:40 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2012-10-15 15:33 . 2012-11-09 19:01 85504 ---ha-w- c:\program files\IeAdsBlocker.dll
2010-07-28 16:12 . 2010-07-28 16:12 461 ----a-w- c:\program files\0728201012120866.bat
2007-12-25 02:24 . 2007-12-25 02:24 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-04-16 20:10 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-04-16 20:10 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-04-16 20:10 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-04-16 20:10 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2013-04-16 19662744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-06-27 439512]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2007-06-27 215256]
"ECenter"="c:\dell\E-Center\EULALAUNCHER.EXE" [2007-05-25 17920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-01-02 73984]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-07-13 384232]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files\Stickies\stickies.exe [2008-1-16 1134592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 14:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"
"ROC_ROC_NT"="c:\program files\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ   BthServ
WindowsMobile REG_MULTI_SZ   wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ   WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ   getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
nosGetPlusHelper REG_MULTI_SZ   nosGetPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-11 00:13 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-08 14:24]
.
2013-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-27 21:44]
.
2013-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-27 21:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071204
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071204
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
Trusted Zone: akamai.net\a248.e
Trusted Zone: bfgclient.exe
Trusted Zone: bfggamesservices.exe
Trusted Zone: bfgprocess.exe
Trusted Zone: bitdefender.com
Trusted Zone: bitdefender.com\kb
Trusted Zone: bitdefender.com\www
Trusted Zone: custhelp.com\bigfishgames
Trusted Zone: irs.gov\www
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
Trusted Zone: netflame.cc\ssl-hints
Trusted Zone: netzero.com
Trusted Zone: netzero.net
TCP: DhcpNameServer = 192.168.1.254
DPF: {2D0280B1-DC42-4DFA-9525-09BD48838539} - hxxp://www.fenomen-games.com/ashley-jones-heart-egypt/osakitpro.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.gamehouse.com/games/gamehouse/ghplayer.cab
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://download-games.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-ISW - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-GamesBar - c:\program files\GamesBar\uninst.exe
AddRemove-{A62F9CD0-B2E0-4F2A-88F2-79254A3C8539} - c:\progra~2\INSTAL~2\{A62F9~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-01 13:53
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
   89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{03FEE850-0101-4E9E-B6D4-6FC74D3DB360}"=hex:51,66,7a,6c,4c,1d,38,12,3e,eb,ed,
   07,33,4f,f0,0b,c9,c2,2c,87,48,63,f7,74
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
   91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"=hex:51,66,7a,6c,4c,1d,38,12,8b,c7,39,
   ea,82,fe,a8,0b,f7,bf,ff,e1,a6,74,f5,13
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
   27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
   06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"=hex:51,66,7a,6c,4c,1d,38,12,7c,f0,b1,
   38,5c,21,3d,0e,d9,78,0d,25,e1,c9,8c,d4
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
   72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}"=hex:51,66,7a,6c,4c,1d,38,12,ac,35,59,
   8e,07,4b,42,08,c2,2b,0a,2c,b2,b0,92,f7
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
   ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{CA6319C0-31B7-401E-A518-A07C3DB8F777}"=hex:51,66,7a,6c,4c,1d,38,12,ae,1a,70,
   ce,85,7f,70,05,da,0e,e3,3c,38,e6,b3,63
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
   d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
   f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
"{1FB7AC1E-06DA-4423-9A6A-DF32D385F8FE}"=hex:51,66,7a,6c,4c,1d,38,12,70,af,a4,
   1b,e8,48,4d,01,e5,7c,9c,72,d6,db,bc,ea
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:10,9e,d0,09,4b,26,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f6,f5,c6,3b,18,6b,5e,4a,87,3e,d5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f6,f5,c6,3b,18,6b,5e,4a,87,3e,d5,\
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.URL"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4524)
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\windows\System32\WUDFHost.exe
c:\windows\system32\atieclxx.exe
c:\program files\CheckPoint\ZAForceField\IswSvc.exe
c:\program files\Google\Update\1.3.21.135\GoogleCrashHandler.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\zonealarmbackup\ZABackup Service.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
c:\windows\System32\WUDFHost.exe
c:\program files\XPSMiniViewGadget\XPSMiniViewGadget.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\RAINLENDAR2\RAINLENDAR2.EXE
.
**************************************************************************
.
Completion time: 2013-05-01  14:01:57 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-01 18:01
.
Pre-Run: 178,335,571,968 bytes free
Post-Run: 178,159,374,336 bytes free
.
- - End Of File - - 585DF9F6B5564559DCCB378BFF91CE45
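
Added example, not code from the thread, from BleepingComputer or from ComboFix's authors: a small Python triage script for ComboFix reports like the two posted here. It parses the Run-key values in the "Reg Loading Points" block, the `DPF:` ActiveX lines and the `(no file)` orphans, diffs the autorun entries between two runs, and lists what to look at first. The two sample logs inside the block are constructed excerpts in the same line format as the reports above; the `Updater` entry under AppData is invented only to exercise the writable-directory heuristic and does not come from barbless's machine. The sample mirrors one change that is visible in this thread: the first report lists `HKLM-Run-ISW - (no file)` under ORPHANS REMOVED, and the report that follows lists a live `ISW` value under HKLM\...\Run pointing at ZoneAlarm ForceField. A diff like this surfaces that kind of change without reading several hundred log lines twice.

```python
"""Triage helpers for ComboFix report text (added example, not part of the thread).

Parses the REGEDIT4-style "Reg Loading Points" block, the "DPF:" lines and the
"(no file)" orphan lines of a ComboFix log, diffs autorun entries between two
runs, and lists the entries a reviewer would look at first. BEFORE and AFTER
are constructed excerpts modelled on the format of the logs in this thread.
"""
import re
from typing import Dict, List, Tuple

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')           # "Name"="image path" [date size]
DPF_RE = re.compile(r'^DPF: (\{[0-9A-Fa-f-]{36}\}) - (\S+)')
ORPHAN_RE = re.compile(r'^(\S+) - \(no file\)$')
# Autoruns launched from user-writable locations deserve a closer look
# (a heuristic for ordering the review, not a verdict).
WRITABLE_DIRS = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\')


def parse_autoruns(log: str) -> Dict[str, str]:
    """Map '<key>\\<value name>' -> image path for every value under a Run-style key."""
    entries: Dict[str, str] = {}
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if key and '\\run' in key:                        # Run, Run-, RunOnce ...
            m = VALUE_RE.match(line)
            if m:
                entries[key + '\\' + m.group(1)] = m.group(2)
    return entries


def parse_dpf(log: str) -> List[Tuple[str, str]]:
    """(CLSID, URL) for each downloaded ActiveX control Internet Explorer registered."""
    found = []
    for raw in log.splitlines():
        m = DPF_RE.match(raw.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def parse_orphans(log: str) -> List[str]:
    """Names of loading points whose target file no longer exists."""
    return [m.group(1) for m in (ORPHAN_RE.match(l.strip()) for l in log.splitlines()) if m]


def diff_autoruns(before: str, after: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """(added, removed) autorun entries between two ComboFix runs on the same machine."""
    b, a = parse_autoruns(before), parse_autoruns(after)
    added = {k: v for k, v in a.items() if k not in b}
    removed = {k: v for k, v in b.items() if k not in a}
    return added, removed


def flag_entries(log: str) -> List[str]:
    """Triage notes: writable-dir autoruns, cleartext ActiveX CABs, orphaned loading points."""
    notes = []
    for name, path in parse_autoruns(log).items():
        if any(d in path.lower() for d in WRITABLE_DIRS):
            notes.append(f'user-writable autorun: {name} -> {path}')
    for clsid, url in parse_dpf(log):
        if url.lower().startswith(('http://', 'hxxp://')):   # ComboFix defangs http as hxxp
            notes.append(f'cleartext ActiveX download: {clsid} {url}')
    for name in parse_orphans(log):
        notes.append(f'orphan: {name}')
    return notes


# Constructed sample reports (same line shapes as the thread's logs; "Updater" is invented).
BEFORE = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2013-04-16 19662744]
"Updater"="c:\users\alice\AppData\Roaming\Updater\upd.exe" [2013-04-01 45056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-01-02 73984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ROC_ROC_NT"="c:\program files\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
.
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.gamehouse.com/games/gamehouse/ghplayer.cab
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ISW - (no file)
"""

AFTER = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2013-04-16 19662744]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-01-02 73984]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-11-22 738984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ROC_ROC_NT"="c:\program files\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
.
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.gamehouse.com/games/gamehouse/ghplayer.cab
"""

if __name__ == '__main__':
    added, removed = diff_autoruns(BEFORE, AFTER)
    print('added:', added)
    print('removed:', removed)
    for note in flag_entries(BEFORE):
        print('before:', note)
```

Run it on two saved reports by reading them into `BEFORE` and `AFTER`; the parser keys off the `[HKEY_...]` header lines, so the extra sections ComboFix prints (locked keys, running processes) are ignored rather than mis-parsed.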


#14 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto rico)

Posted 01 May 2013 - 04:39 PM


Hello barbless

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe (image: CFScriptB-4.gif)
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 barbless (Topic Starter, Members, 11 posts)

Posted 01 May 2013 - 11:27 PM

Hi Gringo,

No problems as far as I can tell.

Computer running fine.

ComboFix report:

ComboFix 13-05-01.03 - barbless 05/01/2013  23:45:34.3.4 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3069.1509 [GMT -4:00]
Running from: c:\users\barbless\Downloads\ComboFix.exe
Command switches used :: c:\users\barbless\Desktop\CFScript.txt
AV: ZoneAlarm Free Firewall Antivirus *Disabled/Updated* {DE038A5B-9EDD-18A9-2361-FF7D98D43730}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {E6380B7E-D4B2-19F1-083E-56486607704B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ZoneAlarm Free Firewall Anti-Spyware *Disabled/Updated* {65626BBF-B8E7-1727-19D1-C40FE3537D8D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\barbless\AppData\Local\Temp\_MEI21522\_ctypes.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\_elementtree.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\_hashlib.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\_multiprocessing.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\_socket.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\_ssl.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\pyexpat.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\pysqlite2._sqlite.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\python27.dll
c:\users\barbless\AppData\Local\Temp\_MEI21522\pythoncom27.dll
c:\users\barbless\AppData\Local\Temp\_MEI21522\PyWinTypes27.dll
c:\users\barbless\AppData\Local\Temp\_MEI21522\select.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\unicodedata.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\win32api.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\win32com.shell.shell.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\win32crypt.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\win32event.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\win32file.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\win32inet.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\win32pdh.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\win32process.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\win32profile.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\win32security.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\win32ts.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\windows._cacheinvalidation.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\wx._controls_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\wx._core_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\wx._gdi_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\wx._html2.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\wx._misc_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\wx._windows_.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\wx._wizard.pyd
c:\users\barbless\AppData\Local\Temp\_MEI21522\wxbase294u_net_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI21522\wxbase294u_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI21522\wxmsw294u_adv_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI21522\wxmsw294u_core_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI21522\wxmsw294u_html_vc90.dll
c:\users\barbless\AppData\Local\Temp\_MEI21522\wxmsw294u_webview_vc90.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-02 to 2013-05-02  )))))))))))))))))))))))))))))))
.
.
2013-05-02 04:01 . 2013-05-02 04:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-05-01 18:02 . 2013-05-01 18:13 -------- d-----w- c:\users\IUSR_NMPR\AppData\Local\temp
2013-05-01 04:39 . 2013-04-10 03:08 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{ECC97C40-AD33-416F-B405-EF35EF632D03}\mpengine.dll ERROR(0x00000005)
2013-04-30 14:49 . 2013-04-30 14:50 -------- d-----w- c:\program files\TV Farm 2
2013-04-24 16:14 . 2013-04-24 16:14 -------- d-----w- c:\program files\Lunch Rush HD
2013-04-22 14:53 . 2013-04-22 14:54 -------- d-----w- c:\program files\Fitness Bustle - Energy Boost
2013-04-21 14:44 . 2013-04-21 14:44 -------- d-----w- c:\users\barbless\AppData\Roaming\Check Point Software Technologies LTD
2013-04-19 18:54 . 2013-04-19 18:54 -------- d-----w- c:\users\barbless\AppData\Roaming\Anino Games
2013-04-19 18:45 . 2013-04-19 18:45 -------- d-----w- c:\users\barbless\AppData\Roaming\NevoSoft
2013-04-18 02:32 . 2013-04-18 02:32 -------- d-----w- c:\users\barbless\AppData\Roaming\casualArts
2013-04-16 16:51 . 2013-04-16 17:00 -------- d-----w- c:\users\barbless\AppData\Roaming\Kutawaves Games
2013-04-10 18:08 . 2013-03-03 19:07 1082232 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-10 18:08 . 2013-03-11 13:25 3603816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-10 18:08 . 2013-03-11 13:25 3551080 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-10 18:08 . 2013-03-09 01:28 64000 ----a-w- c:\windows\system32\smss.exe
2013-04-10 18:08 . 2013-03-09 03:45 49152 ----a-w- c:\windows\system32\csrsrv.dll
2013-04-10 18:04 . 2013-03-08 03:52 2067968 ----a-w- c:\windows\system32\mstscax.dll
2013-04-10 18:04 . 2013-03-08 03:53 376320 ----a-w- c:\windows\system32\winsrv.dll
2013-04-10 18:04 . 2013-03-05 01:40 2049024 ----a-w- c:\windows\system32\win32k.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-27 14:24 . 2012-07-08 19:04 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-27 14:24 . 2011-07-13 13:58 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-10 03:08 . 2009-04-25 03:55 6906960 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll ERROR(0x00000005)
2013-04-10 03:08 . 2007-12-11 03:12 6906960 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll ERROR(0x00000005)
2013-03-20 14:36 . 2013-03-20 14:36 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-20 14:36 . 2012-06-18 14:09 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-20 14:36 . 2010-04-19 15:55 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-12 05:10 . 2009-10-04 02:54 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-03-07 19:49 . 2013-03-07 19:49 45056 ----a-r- c:\users\barbless\AppData\Roaming\Microsoft\Installer\{4956ACE3-F537-4418-BB45-FD52395275A7}\UNINST_Uninstall_C_EBD1846850A64C858760A659B987DCFF.exe
2013-03-07 19:49 . 2013-03-07 19:49 45056 ----a-r- c:\users\barbless\AppData\Roaming\Microsoft\Installer\{4956ACE3-F537-4418-BB45-FD52395275A7}\ARPPRODUCTICON.exe
2013-03-05 15:56 . 2013-03-05 15:56 589 ----a-w- c:\windows\uninstallstickies.bat
2013-02-12 01:57 . 2013-03-21 18:40 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2012-10-15 15:33 . 2012-11-09 19:01 85504 ---ha-w- c:\program files\IeAdsBlocker.dll
2010-07-28 16:12 . 2010-07-28 16:12 461 ----a-w- c:\program files\0728201012120866.bat
2007-12-25 02:24 . 2007-12-25 02:24 774144 ----a-w- c:\program files\RngInterstitial.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-04-16 20:10 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-04-16 20:10 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-04-16 20:10 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-04-16 20:10 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2013-04-16 19662744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NMSSupport"="c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" [2007-06-27 439512]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2007-06-27 215256]
"ECenter"="c:\dell\E-Center\EULALAUNCHER.EXE" [2007-05-25 17920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-01-02 73984]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-07-13 384232]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-11-22 738984]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Stickies.lnk - c:\program files\Stickies\stickies.exe [2008-1-16 1134592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 14:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe"
"ROC_ROC_NT"="c:\program files\AVG Secure Search\ROC_ROC_NT.exe" / /PROMPT /CMPID=ROC_NT
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ   BthServ
WindowsMobile REG_MULTI_SZ   wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ   WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ   getPlusHelper
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
nosGetPlusHelper REG_MULTI_SZ   nosGetPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-11 00:13 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-08 14:24]
.
2013-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-27 21:44]
.
2013-05-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-27 21:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071204
mStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0071204
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
Trusted Zone: akamai.net\a248.e
Trusted Zone: bfgclient.exe
Trusted Zone: bfggamesservices.exe
Trusted Zone: bfgprocess.exe
Trusted Zone: bitdefender.com
Trusted Zone: bitdefender.com\kb
Trusted Zone: bitdefender.com\www
Trusted Zone: custhelp.com\bigfishgames
Trusted Zone: irs.gov\www
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
Trusted Zone: netflame.cc\ssl-hints
Trusted Zone: netzero.com
Trusted Zone: netzero.net
TCP: DhcpNameServer = 192.168.1.254
DPF: {2D0280B1-DC42-4DFA-9525-09BD48838539} - hxxp://www.fenomen-games.com/ashley-jones-heart-egypt/osakitpro.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://www.gamehouse.com/games/gamehouse/ghplayer.cab
DPF: {A084A130-28AE-4B32-B51A-1C8CE164BC88} - hxxp://www.convergysworkathome.com/AppHardT.CAB
DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} - hxxp://download-games.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-02 00:05
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
   89,b4,91,ea,06,f7,54,cc,e8,41,77,3f,2b
"{03FEE850-0101-4E9E-B6D4-6FC74D3DB360}"=hex:51,66,7a,6c,4c,1d,38,12,3e,eb,ed,
   07,33,4f,f0,0b,c9,c2,2c,87,48,63,f7,74
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
   91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107}"=hex:51,66,7a,6c,4c,1d,38,12,8b,c7,39,
   ea,82,fe,a8,0b,f7,bf,ff,e1,a6,74,f5,13
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"=hex:51,66,7a,6c,4c,1d,38,12,df,c1,0b,
   27,57,07,ba,54,e4,0e,43,d0,22,fb,89,5b
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"=hex:51,66,7a,6c,4c,1d,38,12,56,8e,54,
   06,cb,8d,95,0b,e4,47,35,d5,e9,fe,12,64
"{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"=hex:51,66,7a,6c,4c,1d,38,12,7c,f0,b1,
   38,5c,21,3d,0e,d9,78,0d,25,e1,c9,8c,d4
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
   72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3}"=hex:51,66,7a,6c,4c,1d,38,12,ac,35,59,
   8e,07,4b,42,08,c2,2b,0a,2c,b2,b0,92,f7
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
   94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{AA58ED58-01DD-4D91-8333-CF10577473F7}"=hex:51,66,7a,6c,4c,1d,38,12,36,ee,4b,
   ae,ef,4f,ff,08,fc,25,8c,50,52,2a,37,e3
"{CA6319C0-31B7-401E-A518-A07C3DB8F777}"=hex:51,66,7a,6c,4c,1d,38,12,ae,1a,70,
   ce,85,7f,70,05,da,0e,e3,3c,38,e6,b3,63
"{D2CE3E00-F94A-4740-988E-03DC2F38C34F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,3d,dd,
   d6,78,b7,2e,02,e7,98,40,9c,2a,66,87,5b
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
   df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}"=hex:51,66,7a,6c,4c,1d,38,12,cf,4e,be,
   f9,90,2f,b6,0a,e3,01,c5,b7,a9,7a,14,95
"{1FB7AC1E-06DA-4423-9A6A-DF32D385F8FE}"=hex:51,66,7a,6c,4c,1d,38,12,70,af,a4,
   1b,e8,48,4d,01,e5,7c,9c,72,d6,db,bc,ea
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
   b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:10,9e,d0,09,4b,26,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f6,f5,c6,3b,18,6b,5e,4a,87,3e,d5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f6,f5,c6,3b,18,6b,5e,4a,87,3e,d5,\
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.HTM"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.MHT"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.URL"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(736)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'Explorer.exe'(4436)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\windows\System32\WUDFHost.exe
c:\program files\CheckPoint\ZAForceField\IswSvc.exe
c:\program files\Google\Update\1.3.21.135\GoogleCrashHandler.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Intel\IntelDH\NMS\NMSCore\NMSCore.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\qualitymanager.exe
c:\program files\Microsoft\BingBar\SeaPort.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\DRIVERS\xaudio.exe
c:\zonealarmbackup\ZABackup Service.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
c:\windows\System32\WUDFHost.exe
c:\program files\XPSMiniViewGadget\XPSMiniViewGadget.exe
c:\program files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
c:\program files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\msiexec.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe
c:\program files\RAINLENDAR2\RAINLENDAR2.EXE
.
**************************************************************************
.
Completion time: 2013-05-02  00:15:00 - machine was rebooted
ComboFix-quarantined-files.txt  2013-05-02 04:14
ComboFix2.txt  2013-05-01 18:01
.
Pre-Run: 175,360,172,032 bytes free
Post-Run: 175,517,212,672 bytes free
.
- - End Of File - - FBABB9A135DEA09E2C60FE68C54EABE8
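The tail of a ComboFix log, as posted above, carries the two sections a responder usually reads first: which registry keys carry restrictive ACLs ("LOCKED REGISTRY KEYS", with `@Denied`/`@Allowed` lines per key) and which non-image DLLs are loaded into core processes ("DLLs Loaded Under Running Processes"). The Python parser below is an added example, not part of this post and not ComboFix's own code: it splits a log into its dashed sections, turns the locked-key block into key/ACL/value records, maps each process to its loaded DLLs, and flags DLLs sitting in sensitive system processes. The sample input is a shortened excerpt constructed for this example in the shape of the log above, and the `SENSITIVE` process list is an assumption of the example. Note that Windows itself locks some of these keys (the Internet Explorer "Approved Extensions" list is commonly seen in this form on clean systems), so the parsed list is a starting point for review, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: an abbreviated excerpt in the shape of a ComboFix log.
# Paths and values are shortened; section headers and line shapes match the posted log.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{8DCB7100-DF86-4384-8842-8FA844297B3F}"=hex:51,66,7a,6c,4c,1d,38,12,6e,72,d8,
   89,b4,91,ea
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(736)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'Explorer.exe'(4436)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atiesrxx.exe
"""

SECTION_RE = re.compile(r"^-{5,}\s*(.+?)\s*-{5,}$")          # "----- NAME -----"
KEY_RE = re.compile(r"^\[(.+)\]$")                           # "[HKEY_...]"
ACL_RE = re.compile(r"^@(Denied|Allowed):\s*\((.*?)\)\s*\((.*?)\)$")
PROC_RE = re.compile(r"^- - - - - - - > '(.+?)'\((\d+)\)$")  # "- - - > 'name'(pid)"

# Assumption of this example: processes in which a third-party DLL deserves a second look.
SENSITIVE = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe"}


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group log lines under their dashed section header; '.' spacer lines are dropped."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def parse_locked_keys(lines: List[str]) -> List[dict]:
    """Turn the LOCKED REGISTRY KEYS block into {key, acl, values} records.
    ACL entries are (Denied|Allowed, rights, principal); indented lines continue a hex value."""
    keys: List[dict] = []
    current = None
    last_name = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group(1), "acl": [], "values": {}}
            keys.append(current)
            last_name = None
            continue
        if current is None:
            continue
        m = ACL_RE.match(line)
        if m:
            current["acl"].append((m.group(1), m.group(2), m.group(3)))
            continue
        if line.startswith(" ") and last_name is not None:       # hex continuation line
            current["values"][last_name] += line.strip()
            continue
        if "=" in line:
            name, _, value = line.partition("=")
            last_name = name.strip('"')
            current["values"][last_name] = value
    return keys


def parse_loaded_dlls(lines: List[str]) -> Dict[str, List[str]]:
    """Map 'process(pid)' to the DLL paths ComboFix listed under it."""
    procs: Dict[str, List[str]] = {}
    current = None
    for line in lines:
        m = PROC_RE.match(line)
        if m:
            current = f"{m.group(1)}({m.group(2)})"
            procs[current] = []
            continue
        if current is not None:
            procs[current].append(line)
    return procs


def flag_injected_modules(procs: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (process, dll) pairs for DLLs loaded into SENSITIVE processes.
    A DLL inside lsass.exe is not malicious by itself (here it belongs to a ZoneAlarm
    component), but it is the first thing to verify against the vendor's file."""
    flagged: List[Tuple[str, str]] = []
    for proc, dlls in procs.items():
        if proc.rsplit("(", 1)[0].lower() in SENSITIVE:
            flagged.extend((proc, d) for d in dlls)
    return flagged


def keys_denied_to(keys: List[dict], principal: str) -> List[str]:
    """Key paths where the given principal (e.g. 'LocalSystem') has a Denied ACE."""
    return [k["key"] for k in keys if any(a[0] == "Denied" and a[2] == principal for a in k["acl"])]


if __name__ == "__main__":
    sections = split_sections(SAMPLE_LOG)
    locked = parse_locked_keys(sections["LOCKED REGISTRY KEYS"])
    loaded = parse_loaded_dlls(sections["DLLs Loaded Under Running Processes"])
    for key in keys_denied_to(locked, "LocalSystem"):
        print("LocalSystem denied on:", key)
    for proc, dll in flag_injected_modules(loaded):
        print("review DLL in sensitive process:", proc, dll)
```

Run it against a full saved log with `split_sections(open("ComboFix.txt", encoding="utf-8", errors="replace").read())`; the same functions apply because ComboFix uses the same dashed headers and `@Denied`/`@Allowed` lines in every report. The parser intentionally keeps the ACL rights string verbatim (e.g. `A 2`, `B 1 2 3 4 5`) rather than decoding it, since the log does not document the encoding.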