Babylon problem

zeroterry66 · June 14, 2012

Hi everyone. I recently downloaded a sketchy torrent, and along with that torrent came a file called, "Online Media File" Or something. Instead of what I wanted to downloaded, it downloaded something like "Free ride games" and "Fun moods" and "Giant savings". I really didn't want these files, but along came the browser called "babylon". This is the part I hate most. Everytime I access Google Chrome (My main browser), it goes up as babylon. I think I've deleted all the other malicious games, but babylon is still there. I'm not sure if System Restore, will do the trick, and I've tried almost EVERY tactic there is on forums. None worked. So I'm counting on the experts and geniuses of MalwareBytes to solve this problem to the best of their abilities. Also, I'm really not that good with Computer terms, so I need a patient guide who will bare with me. I really appreciate whoever can help me, especially those who've had this problem. Best of luck to both of us.

-Regards, Terry.

MrCharlie · June 14, 2012

Welcome to the forum,

Before we proceed further, please uninstall or disable any other peer-to-peer filesharing app.

Continued use of filesharing or ill-advised downloads will surely re-infect your system.

Risks of File-Sharing Technology.

P2P file sharing: Know the risks

It's also against our policy:

http://forums.malwar...showtopic=97700

------------------

please start at the link below:

http://forums.malwar...?showtopic=9573

Post back the 2 logs.....DDS.txt and Attach.txt

<====><====><====><====><====><====><====><====>

Next.......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!)

Post back the report.

MrC

zeroterry66 · June 14, 2012

Greatest apologies. I will not continue to be associated with any other illegal torrent, I promise you that. But I'm having difficulty deleting Free ride games, Fun mood web search, Giant savings, and Yontoo 1.10.02 completely from my system. And could you please clarify what you would want me to post back? The term "Logs" is new to me. Like I said before, I'm not that good with technology words. I'll follow your instructions by running a quick scan with the latest malwarebytes, but could you please advise me from there, as to what is the next step, and what it will do with my computer? The risks etc. Thanks in advance.

-Regards, Terry

zeroterry66 · June 14, 2012

I did the first step by running a quickscan on the latest version of malwarebytes. I'm not sure what I'm supposed to post, but here is the "log". What is in bold is my personal writing.

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.04.04.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Kevin :: VN-9A9013DE595E [administrator]

6/14/2012 4:15:49 PM

mbam-log-2012-06-14 (16-59-31) Babylon

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 193025

Time elapsed: 42 minute(s), 7 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 14

HKCR\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.

HKCR\funmoods.funmoodsHlpr.1 (PUP.FunMoods) -> No action taken.

HKCR\funmoods.funmoodsHlpr (PUP.FunMoods) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> No action taken.

HKCR\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> No action taken.

HKCR\gencrawler_gc.GenCrawler (Trojan.Downloader) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.BundleInstaller.VG) -> No action taken.

HKCU\Software\Cr_Installer\4479 (Adware.GamePlayLab) -> No action taken.

HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> No action taken.

Registry Values Detected: 1

HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: 8be59e17f119de109dc266fb1e1416df -> No action taken.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 4

C:\Program Files\Funmoods\1.5.23.22\bh\escort.dll (PUP.FunMoods) -> No action taken.

C:\Documents and Settings\Kevin\Application Data\Media Finder\Extensions\gencrawler_gc.dll (Trojan.Downloader) -> No action taken.

C:\Documents and Settings\Kevin\My Documents\Downloads\setup (1).exe (PUP.BundleInstaller.VG) -> No action taken.

C:\Documents and Settings\Kevin\My Documents\Downloads\setup.exe (PUP.BundleInstaller.VG) -> No action taken.

(end)

The final quick scan showed 19 detected items. I'm not sure if I should close the scan or not, but I'll keep it open for future references. Also, there is the "Remove selected" button. I'm not so sure If I should select all the malicious software and click that, but I'll stay dormant for the moment. I won't proceed in any further actions until your response. Thanks.

- Regards, Terry.

MrCharlie · June 14, 2012

The final quick scan showed 19 detected items. I'm not sure if I should close the scan or not, but I'll keep it open for future references. Also, there is the "Remove selected" button. I'm not so sure If I should select all the malicious software and click that, but I'll stay dormant for the moment. I won't proceed in any further actions until your response. Thanks.

Yes that's the button you want to use after you scan

Make sure that everything is checked, and click Remove Selected.

Then post the new log from Malwarebytes just as before.

-----------------------------

Next scan the system with DDS and post the 2 logs that are created:

DDS.txt

and

Attach.txt

Post them back here.

-------------------------

Last the same with RogueKiller, run it and then post the log it creates.

MrC

zeroterry66 · June 15, 2012

This will surely get rid of the babylon web search infected on my google chrome, correct? I did what you said and clicked remove all. I made sure to check all the viruses. I do not know what DDS is, or matter of fact, if I have it or not. Is it a perk for malwarebytes? Well, anyways, I clicked remove all and it says I must restart my computer, and that I'll do. Also, when I clicked the remove all button, this popped up:

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.04.04.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Kevin :: VN-9A9013DE595E [administrator]

6/14/2012 4:15:49 PM

mbam-log-2012-06-14 (16-15-49).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 193025

Time elapsed: 42 minute(s), 7 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 14

HKCR\CLSID\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.

HKCR\funmoods.funmoodsHlpr.1 (PUP.FunMoods) -> Quarantined and deleted successfully.

HKCR\funmoods.funmoodsHlpr (PUP.FunMoods) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} (PUP.FunMoods) -> Quarantined and deleted successfully.

HKCR\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKCR\gencrawler_gc.GenCrawler (Trojan.Downloader) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA4520F3-AE13-4FB1-A513-58E23991C86D} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.BundleInstaller.VG) -> Quarantined and deleted successfully.

HKCU\Software\Cr_Installer\4479 (Adware.GamePlayLab) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\CROSSRIDER (Adware.GamePlayLab) -> Quarantined and deleted successfully.

Registry Values Detected: 1

HKCU\Software\Crossrider|215AppVerifier (Adware.GamePlayLab) -> Data: 8be59e17f119de109dc266fb1e1416df -> Quarantined and deleted successfully.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 4

C:\Program Files\Funmoods\1.5.23.22\bh\escort.dll (PUP.FunMoods) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kevin\Application Data\Media Finder\Extensions\gencrawler_gc.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kevin\My Documents\Downloads\setup (1).exe (PUP.BundleInstaller.VG) -> Quarantined and deleted successfully.

C:\Documents and Settings\Kevin\My Documents\Downloads\setup.exe (PUP.BundleInstaller.VG) -> Quarantined and deleted successfully.

(end)

Not sure if this is the new log, or just something else. It has the same date under it as yesterdays. If not, I'll scan again and get the new one for you. Restarting my computer now. Thanks!

- Regards, Terry

MrCharlie · June 15, 2012

This will surely get rid of the babylon web search infected on my google chrome, correct?

No it won't but we have to scan for malware first.

--------------------

You did everything correctly except ......you didn't update Malwarebytes before you ran it.

Database version: v2012.04.04.08 <---yours version

Database version: v2012.06.15.07 <---current version

So start Malwarebytes and click on the Update tab > then Check for updates

That will automatically download and install the latest updates.

Now do another quick scan as before.

Make sure that everything is checked, and click Remove Selected.

Post back the log, MrC

zeroterry66 · June 15, 2012

Alright, I updated malwarebytes. When I scanned it with the outdated version, it got rid of the "Fun Moods" icon on the bottom right hand side of my screen. The problem is, that their files are still there. Maybe if I run with the new version, it'll disappear. I'll post back the log in a bit. Thanks.

- Regards, Terry.

zeroterry66 · June 15, 2012

The results are in. This time, there are double the amounts of malware. 38 detected items. Here is the infected log before I remove.

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.15.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Kevin :: VN-9A9013DE595E [administrator]

6/15/2012 4:27:24 PM

mbam-log-2012-06-15 (17-07-45) Problem Babylon

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 203641

Time elapsed: 22 minute(s), 39 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 30

HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> No action taken.

HKCR\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} (PUP.Funmoods) -> No action taken.

HKCR\esrv.funmoodsESrvc.1 (PUP.Funmoods) -> No action taken.

HKCR\esrv.funmoodsESrvc (PUP.Funmoods) -> No action taken.

HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) -> No action taken.

HKCR\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> No action taken.

HKCR\funmoods.dskBnd.1 (PUP.Funmoods) -> No action taken.

HKCR\funmoods.dskBnd (PUP.Funmoods) -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> No action taken.

HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) -> No action taken.

HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) -> No action taken.

HKCR\funmoodsApp.appCore (PUP.Funmoods) -> No action taken.

HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) -> No action taken.

HKCR\f (PUP.Funmoods) -> No action taken.

HKCR\CrossriderApp0004479.BHO (PUP.CrossFire.Gen) -> No action taken.

HKCR\CrossriderApp0004479.BHO.1 (PUP.CrossFire.Gen) -> No action taken.

HKCR\CrossriderApp0004479.FBApi (PUP.CrossFire.Gen) -> No action taken.

HKCR\CrossriderApp0004479.FBApi.1 (PUP.CrossFire.Gen) -> No action taken.

HKCR\CrossriderApp0004479.Sandbox (PUP.CrossFire.Gen) -> No action taken.

HKCR\CrossriderApp0004479.Sandbox.1 (PUP.CrossFire.Gen) -> No action taken.

HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> No action taken.

HKLM\SOFTWARE\Google\chrome\Extensions\fdloijijlkoblmigdofommgnheckmaki (PUP.Funmoods) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> No action taken.

HKCR\CLSID\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> No action taken.

HKCR\TypeLib\{44444444-4444-4444-4444-440044444479} (PUP.GamePlayLab) -> No action taken.

HKCR\Interface\{55555555-5555-5555-5555-550055445579} (PUP.GamePlayLab) -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> No action taken.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> No action taken.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> No action taken.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011441179} (PUP.GamePlayLab) -> No action taken.

Registry Values Detected: 3

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: Funmoods Toolbar -> No action taken.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Data: -> No action taken.

HKCU\Software\InstalledBrowserExtensions\215 Apps|4479 (PUP.CrossFire.SA) -> Data: Giant Savings -> No action taken.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 5

C:\Program Files\Funmoods\1.5.23.22\funmoodssrv.exe (PUP.Funmoods) -> No action taken.

C:\Program Files\Funmoods\1.5.23.22\escorTlbr.dll (PUP.Funmoods) -> No action taken.

C:\Program Files\Funmoods\1.5.23.22\escortApp.dll (PUP.Funmoods) -> No action taken.

C:\Program Files\Funmoods\1.5.23.22\escortEng.dll (PUP.Funmoods) -> No action taken.

C:\Program Files\Giant Savings\Giant Savings.dll (PUP.GamePlayLab) -> No action taken.

(end)

I'll show you the remove selected log in a bit.

- Regards, Terry

zeroterry66 · June 15, 2012

Here is the other log. The one where I've removed the detected items.

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.15.08

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Kevin :: VN-9A9013DE595E [administrator]

6/15/2012 4:27:24 PM

mbam-log-2012-06-15 (16-27-24).txt

Scan type: Quick scan

Scan options disabled: P2P

Objects scanned: 203641

Time elapsed: 22 minute(s), 39 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 30

HKCR\CLSID\{75A4D144-506D-4BE5-81DB-EC7DA1E7F840} (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\TypeLib\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706} (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\esrv.funmoodsESrvc.1 (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\esrv.funmoodsESrvc (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\CLSID\{965B9DBE-B104-44AC-950A-8A5F97AFF439} (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\CLSID\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\funmoods.dskBnd.1 (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\funmoods.dskBnd (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\CLSID\{A9DB719C-7156-415E-B49D-BAD039DE4F13} (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\funmoodsApp.appCore.1 (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\funmoodsApp.appCore (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\CLSID\{F03FD9D0-4F2B-497C-8A71-DD41D70B07D9} (PUP.Funmoods) -> Quarantined and deleted successfully.

HKCR\f (PUP.Funmoods) -> Quarantined and deleted successfully.

Restarting my computer now. Please send your feedback asap. Thanks.

- Regards, Terry

MrCharlie · June 15, 2012

OK, see if you can do this scan....

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes...depends on your hard drive size.

Two reports will open, copy and paste them in a reply here: (or attach them as .txt files)

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC

zeroterry66 · June 16, 2012

Alright well, I scanned with the malwarebytes latest version, and deleted the 38 detected items, but the babylon search engine is still there. I don't know if I should scan with malwarebytes anymore to see if there's another virus. I'll just follow your steps for now, but please tell me where we're going with this, it'd be greatly appreciated.

zeroterry66 · June 16, 2012

Here's the two reports. The first one is Extras.txt

OTL Extras logfile created on: 6/15/2012 9:48:29 PM - Run 1

OTL by OldTimer - Version 3.2.49.0 Folder = C:\Documents and Settings\Kevin\My Documents\Downloads

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 1.03 Gb Available Physical Memory | 53.19% Memory free

4.66 Gb Paging File | 3.69 Gb Available in Paging File | 79.13% Paging File free

Paging file location(s): C:\pagefile.sys 2949 2949 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 229.49 Gb Total Space | 176.72 Gb Free Space | 77.01% Space Free | Partition Type: NTFS

Drive E: | 3.39 Gb Total Space | 3.02 Gb Free Space | 88.94% Space Free | Partition Type: NTFS

Computer Name: VN-9A9013DE595E | User Name: Kevin | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Quick Scan

Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1715567821-1637723038-682003330-1005\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1"

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

exefile [open] -- "%1" %*

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]

"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]

"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"58095:TCP" = 58095:TCP:*:Enabled:Pando Media Booster

"58095:UDP" = 58095:UDP:*:Enabled:Pando Media Booster

"58068:TCP" = 58068:TCP:*:Enabled:Pando Media Booster

"58068:UDP" = 58068:UDP:*:Enabled:Pando Media Booster

"56778:TCP" = 56778:TCP:*:Enabled:Pando Media Booster

"56778:UDP" = 56778:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"58095:TCP" = 58095:TCP:*:Enabled:Pando Media Booster

"58095:UDP" = 58095:UDP:*:Enabled:Pando Media Booster

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"58068:TCP" = 58068:TCP:*:Enabled:Pando Media Booster

"58068:UDP" = 58068:UDP:*:Enabled:Pando Media Booster

"56778:TCP" = 56778:TCP:*:Enabled:Pando Media Booster

"56778:UDP" = 56778:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe" = C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe:*:Enabled:CyberLink PowerDVD 8.0 -- (CyberLink Corp.)

"C:\Nexon\Combat Arms\CombatArms.exe" = C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe

"C:\Nexon\Combat Arms\Engine.exe" = C:\Nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe

"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe" = C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe:*:Disabled:CyberLink PowerDVD 8.0 -- (CyberLink Corp.)

"C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe" = C:\Documents and Settings\All Users\Application Data\NexonUS\NGM\NGM.exe:*:Enabled:Nexon Game Manager -- (Nexon)

"C:\Program Files\ijji\ijji REACTOR\REACTOR.exe" = C:\Program Files\ijji\ijji REACTOR\REACTOR.exe:*:Disabled:Reactor Application

"C:\Program Files\ijji\ijji REACTOR\ijjiOptimizer.exe" = C:\Program Files\ijji\ijji REACTOR\ijjiOptimizer.exe:*:Enabled:ijjiOptimizer.exe -- ()

"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire

"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe" = C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager -- (iAnywhere Solutions, Inc.)

"C:\Nexon\Combat Arms\CombatArms.exe" = C:\Nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe

"C:\Nexon\Combat Arms\NMService.exe" = C:\Nexon\Combat Arms\NMService.exe:*:Enabled:Nexon Messenger Core

"C:\Nexon\Combat Arms\Engine.exe" = C:\Nexon\Combat Arms\Engine.exe:*:Enabled:Combat Arms

"C:\Nexon\DFO\DFO.exe" = C:\Nexon\DFO\DFO.exe:*:Enabled:Dungeon & Fighter

"C:\Documents and Settings\vn\Local Settings\Temp\RarSFX0\haloce.exe" = C:\Documents and Settings\vn\Local Settings\Temp\RarSFX0\haloce.exe:*:Enabled:Halo

"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager

"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour

"{111EBC34-C369-4d78-AD0A-FB04B62E89D3}" = QuickBooks Premier: Accountant Edition 2009

"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer

"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java 6 Update 26

"{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = CyberLink PowerDVD 8

"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform

"{33A783E8-DC11-427F-A56C-8ED43EEC0695}" = RPS CRT

"{345112D9-0930-4A68-AB71-A831BA5DE7AA}" = Microsoft IntelliType Pro 6.2

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{35AE9CC9-10A3-4A24-87DF-A6A99BDC1969}" = Rogers Online Protection

"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime

"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go

"{43FFE159-3199-4188-A1CD-629166AD1033}" = Nero 7 Premium

"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant

"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials

"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater

"{548B7B4A-B4F6-4074-A2D2-40154DC906B5}" = RPS PerfectDiskStub

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware

"{779C01A3-8466-499D-88FC-EB820EB3AC51}" = RPS RpsCore

"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client

"{7B738CD9-D107-48C7-8E65-2E6639A39C8D}" = PerfectDisk 10 Professional

"{7CAC6A44-C3DE-4153-ACA6-7524602C789E}" = Facebook Video Calling 1.2.0.159

"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support

"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar

"{889DF117-14D1-44EE-9F31-C5FB5D47F68B}" = Yontoo 1.10.02

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8C5FAD77-F678-4758-A296-C12F08D179E0}" = Microsoft IntelliPoint 6.2

"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003

"{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow!

"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = USB2.0 Card Reader Software

"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver

"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender

"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175

"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A77255C4-AFCB-44A3-BF0F-2091A71FFD9E}" = Video Web Camera

"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper

"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)

"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support

"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call

"{EA2DB6E0-72C5-4ef9-A3A0-E6705F4A6A9E}" = Nexon Game Manager

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel® Graphics Media Accelerator Driver

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"CCleaner" = CCleaner

"CNXT_AUDIO_HDA" = Conexant HD Audio

"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP

"Giant Savings" = Giant Savings

"Google Desktop" = Google Desktop

"HDMI" = Intel® Graphics Media Accelerator Driver

"HP-Color LaserJet 1600" = Color LaserJet 1600

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"ie8" = Windows Internet Explorer 8

"InstallShield_{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = CyberLink PowerDVD 8

"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go

"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400

"MapleStory" = MapleStory

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"Microsoft Security Client" = Microsoft Security Essentials

"Mozilla Firefox 8.0.1 (x86 en-US)" = Mozilla Firefox 8.0.1 (x86 en-US)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"MSNINST" = MSN

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"PC Wizard 2010_is1" = PC Wizard 2010.1.93

"RadialpointClientGateway_is1" = Rogers Servicepoint Agent 3.7.44

"SmartSuite V99.0" = Lotus SmartSuite Release 9.5

"Steam App 31280" = Poker Night at the Inventory

"Steam App 440" = Team Fortress 2

"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinLiveSuite_Wave3" = Windows Live Essentials

"WinRAR archiver" = WinRAR 4.10 (32-bit)

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1715567821-1637723038-682003330-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Funmoods Web Search" = Funmoods Web Search

"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]

Error - 6/10/2012 11:11:03 PM | Computer Name = VN-9A9013DE595E | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: Continuously busy for more than a second

Error - 6/10/2012 11:11:03 PM | Computer Name = VN-9A9013DE595E | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledEvent 15610

Error - 6/10/2012 11:11:03 PM | Computer Name = VN-9A9013DE595E | Source = Bonjour Service | ID = 100

Description = Task Scheduling Error: m->NextScheduledSPRetry 15610

Error - 6/11/2012 3:43:03 PM | Computer Name = VN-9A9013DE595E | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: A connection with the server could not be established

Error - 6/11/2012 3:43:04 PM | Computer Name = VN-9A9013DE595E | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 6/11/2012 3:43:04 PM | Computer Name = VN-9A9013DE595E | Source = crypt32 | ID = 131080

Description = Failed auto update retrieval of third-party root list sequence number

from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

with error: This network connection does not exist.

Error - 6/12/2012 3:44:13 PM | Computer Name = VN-9A9013DE595E | Source = MPSampleSubmission | ID = 5000

Description = EventType mptelemetry, P1 80070424, P2 beginsearch, P3 search, P4

3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),

P8 NIL, P9 NIL, P10 NIL.

Error - 6/13/2012 4:18:34 PM | Computer Name = VN-9A9013DE595E | Source = MPSampleSubmission | ID = 5000

Description = EventType mptelemetry, P1 80070424, P2 beginsearch, P3 search, P4

3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),

P8 NIL, P9 NIL, P10 NIL.

Error - 6/13/2012 4:59:44 PM | Computer Name = VN-9A9013DE595E | Source = Application Error | ID = 1000

Description = Faulting application rundll32.exe, version 5.1.2600.5512, faulting

module busolution.dll, version 2.0.0.2, fault address 0x0002dd4b.

Error - 6/15/2012 3:45:32 PM | Computer Name = VN-9A9013DE595E | Source = MPSampleSubmission | ID = 5000

Description = EventType mptelemetry, P1 80070424, P2 beginsearch, P3 search, P4

3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),

P8 NIL, P9 NIL, P10 NIL.

[ System Events ]

Error - 6/15/2012 4:01:25 PM | Computer Name = VN-9A9013DE595E | Source = Disk | ID = 262151

Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 6/15/2012 4:01:41 PM | Computer Name = VN-9A9013DE595E | Source = Service Control Manager | ID = 7023

Description = The HID Input Service service terminated with the following error:

%%2

Error - 6/15/2012 5:14:34 PM | Computer Name = VN-9A9013DE595E | Source = Disk | ID = 262151

Description = The device, \Device\Harddisk0\D, has a bad block.

Error - 6/15/2012 5:14:53 PM | Computer Name = VN-9A9013DE595E | Source = Service Control Manager | ID = 7023

Description = The HID Input Service service terminated with the following error:

%%2

Error - 6/15/2012 9:22:24 PM | Computer Name = VN-9A9013DE595E | Source = Service Control Manager | ID = 7023

Description = The HID Input Service service terminated with the following error:

%%2

Error - 6/15/2012 9:37:50 PM | Computer Name = VN-9A9013DE595E | Source = DCOM | ID = 10010

Description = The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register

with DCOM within the required timeout.

Error - 6/15/2012 9:38:13 PM | Computer Name = VN-9A9013DE595E | Source = Service Control Manager | ID = 7023

Description = The HID Input Service service terminated with the following error:

%%2

< End of report >

Here is the OTL.txt one.

OTL logfile created on: 6/15/2012 9:48:29 PM - Run 1