Jump to content

Aartemis


Recommended Posts

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 

 

Please post up the log of Malwarebytes Anti rootkit and tell me what symptoms you currently have.

Link to post
Share on other sites

Currently the only symptoms I am aware of are infected browsers. Here is the Malwarebytes Anti rootkit log:

 

 

 

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007
 
© Malwarebytes Corporation 2011-2012
 
OS version: 5.1.2600 Windows XP Service Pack 3 x86
 
Account is Administrative
 
Internet Explorer version: 8.0.6001.18702
 
Java version: 1.6.0_30
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 3.214000 GHz
Memory total: 3488002048, free: 2607083520
 
Downloaded database version: v2013.11.28.06
Downloaded database version: v2013.10.11.02
Initializing...
======================
------------ Kernel report ------------
     11/28/2013 09:56:38
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\System32\DRIVERS\WMILIB.SYS
pci.sys
ohci1394.sys
\WINDOWS\System32\DRIVERS\1394BUS.SYS
isapnp.sys
pciide.sys
\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
fltmgr.sys
sr.sys
PxHelp20.sys
KSecDD.sys
WudfPf.sys
Ntfs.sys
NDIS.sys
Mup.sys
avgrkx86.sys
avglogx.sys
avgmfx86.sys
avgidshx.sys
\SystemRoot\System32\DRIVERS\nic1394.sys
\SystemRoot\system32\DRIVERS\AmdK8.sys
\SystemRoot\System32\DRIVERS\wmiacpi.sys
\SystemRoot\system32\DRIVERS\ati2mtag.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\HDAudBus.sys
\SystemRoot\System32\DRIVERS\Rtenicxp.sys
\SystemRoot\System32\DRIVERS\usbohci.sys
\SystemRoot\System32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\System32\DRIVERS\cdrom.sys
\SystemRoot\System32\DRIVERS\redbook.sys
\SystemRoot\System32\DRIVERS\ks.sys
\SystemRoot\System32\Drivers\GEARAspiWDM.sys
\SystemRoot\system32\drivers\delta.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\System32\DRIVERS\fdc.sys
\SystemRoot\System32\DRIVERS\serial.sys
\SystemRoot\System32\DRIVERS\serenum.sys
\SystemRoot\System32\DRIVERS\parport.sys
\SystemRoot\System32\DRIVERS\i8042prt.sys
\SystemRoot\System32\DRIVERS\mouclass.sys
\SystemRoot\System32\DRIVERS\kbdclass.sys
\SystemRoot\System32\DRIVERS\audstub.sys
\SystemRoot\System32\DRIVERS\bridge.sys
\SystemRoot\System32\DRIVERS\TDI.SYS
\SystemRoot\System32\DRIVERS\rasl2tp.sys
\SystemRoot\System32\DRIVERS\ndistapi.sys
\SystemRoot\System32\DRIVERS\ndiswan.sys
\SystemRoot\System32\DRIVERS\raspppoe.sys
\SystemRoot\System32\DRIVERS\raspptp.sys
\SystemRoot\System32\DRIVERS\psched.sys
\SystemRoot\System32\DRIVERS\msgpc.sys
\SystemRoot\System32\DRIVERS\ptilink.sys
\SystemRoot\System32\DRIVERS\raspti.sys
\SystemRoot\System32\DRIVERS\rdpdr.sys
\SystemRoot\System32\DRIVERS\termdd.sys
\SystemRoot\System32\DRIVERS\swenum.sys
\SystemRoot\System32\DRIVERS\update.sys
\SystemRoot\System32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\AtihdXP3.sys
\SystemRoot\System32\DRIVERS\usbhub.sys
\SystemRoot\System32\DRIVERS\USBD.SYS
\SystemRoot\system32\drivers\RtkHDAud.sys
\SystemRoot\System32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\??\C:\WINDOWS\system32\drivers\avgtpx86.sys
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\System32\DRIVERS\rasacd.sys
\SystemRoot\System32\DRIVERS\ipsec.sys
\SystemRoot\System32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\avgtdix.sys
\SystemRoot\System32\DRIVERS\ipnat.sys
\SystemRoot\System32\DRIVERS\arp1394.sys
\SystemRoot\System32\DRIVERS\wanarp.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbios.sys
\SystemRoot\System32\DRIVERS\rdbss.sys
\SystemRoot\System32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\avgldx86.sys
\SystemRoot\system32\DRIVERS\avgidsshimx.sys
\SystemRoot\system32\DRIVERS\avgidsdriverx.sys
\SystemRoot\system32\DRIVERS\avgdiskx.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\Fastfat.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\ati2dvag.dll
\SystemRoot\System32\ati2cqag.dll
\SystemRoot\System32\atikvmag.dll
\SystemRoot\System32\atiok3x2.dll
\SystemRoot\System32\ati3duag.dll
\SystemRoot\System32\ativvaxx.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\DRIVERS\nwlnkipx.sys
\SystemRoot\system32\DRIVERS\nwlnknb.sys
\SystemRoot\System32\DRIVERS\ndisuio.sys
\SystemRoot\System32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\nwlnkspx.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys
\WINDOWS\system32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk2\DR2
Upper Device Object: 0xffffffff8b0c7ab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP1T0L0-17\
Lower Device Object: 0xffffffff8b0cc940
Lower Device Driver Name: \Driver\atapi\
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xffffffff8b0ffab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T1L0-c\
Lower Device Object: 0xffffffff8b124d98
Lower Device Driver Name: \Driver\atapi\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8b11eab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-4\
Lower Device Object: 0xffffffff8b125d98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8b11eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b126168, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b11eab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b113f18, DeviceName: \Device\0000006c\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b125d98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-4\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C640C63
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 268413957
    Partition file system is NTFS
    Partition is bootable
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 250058268160 bytes
Sector size: 512 bytes
 
Scanning physical sectors of unpartitioned space on drive 0 (1-62-488375055-488395055)...
Done!
Physical Sector Size: 512
Drive: 1, DevicePointer: 0xffffffff8b0ffab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b19cb70, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b0ffab8, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b1103b8, DeviceName: \Device\0000006d\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b124d98, DeviceName: \Device\Ide\IdeDeviceP0T1L0-c\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 44A91B35
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 312560577
    Partition file system is NTFS
    Partition is not bootable
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 160040803840 bytes
Sector size: 512 bytes
 
Done!
Physical Sector Size: 512
Drive: 2, DevicePointer: 0xffffffff8b0c7ab8, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8b19c958, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8b0c7ab8, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8b1a29e8, DeviceName: \Device\0000006e\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8b0cc940, DeviceName: \Device\Ide\IdeDeviceP1T0L0-17\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
Drive 2
Scanning MBR on drive 2...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 7393CE69
 
Partition information:
 
    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63  Numsec = 312560577
 
    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
 
Disk Size: 160040803840 bytes
Sector size: 512 bytes
 
Done!
Infected: HKLM\SOFTWARE\CLASSES\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D} --> [Trojan.Downloader]
Infected: C:\Documents and Settings\Will\Application Data\Media Finder\Extensions\gencrawler_gc.dll --> [Trojan.Downloader]
Infected: HKLM\SOFTWARE\CLASSES\CLSID\{CA4520F3-AE13-4FB1-A513-58E23991C86D}\INPROCSERVER32 --> [Trojan.Downloader]
Infected: HKLM\SOFTWARE\CLASSES\gencrawler_gc.GenCrawler --> [Trojan.Downloader]
Infected: HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{CA4520F3-AE13-4FB1-A513-58E23991C86D} --> [Trojan.Downloader]
Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{CA4520F3-AE13-4FB1-A513-58E23991C86D} --> [Trojan.Downloader]
Infected: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{CA4520F3-AE13-4FB1-A513-58E23991C86D} --> [Trojan.Downloader]
Read File:  File "c:\documents and settings\all users\application data\avg2014\chjw\4cb0d599b0d58a3a.dat:5df2cd06-e1ab-4721-9a76-de6905e9e001" is sparse (flags = 32768)
Infected file C:\Documents and Settings\Will\Local Settings\Temp\is1914646434\5877403_stp\wajam_validate.exe could not be remediated because backup file is not available
Read File: File "c:\windows\system32\config\systemprofile\local settings\application data\avg2014\log\avg-9a0edf74-476d-450c-840a-7243c9b4f438.tmp" is compressed (flags = 1)
Scan finished
Creating System Restore point...
Cleaning up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================
 
 
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1007
 
© Malwarebytes Corporation 2011-2012
 
OS version: 5.1.2600 Windows XP Service Pack 3 x86
 
Account is Administrative
 
Internet Explorer version: 8.0.6001.18702
 
Java version: 1.6.0_30
 
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 3.214000 GHz
Memory total: 3488002048, free: 2777862144
 
=======================================
Link to post
Share on other sites

Combofix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic How to disable your security applications


====================================================


Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


RC_update.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


cfRC_screen_2.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

Link to post
Share on other sites

I attempted to disable my AVG 2014, and followed the instructions in the sticky topic on disabling security applications. ComboFix still detected an AVG update module running, and I have been unable to find and disable it. All the update options, schedule options, and protection options have been disabled. Should I still run ComboFix despite the warning?

Link to post
Share on other sites

Ok, I have uninstalled AVG and run ComboFix. Here is the log.

 

 

 

ComboFix 13-12-01.01 - Will 12/02/2013  17:14:54.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2905 [GMT -5:00]
Running from: c:\documents and settings\Will\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\Will\WINDOWS
c:\windows\system32\Cache
c:\windows\system32\Cache\019c6c0ef11c676a.fb
c:\windows\system32\Cache\17418173961a6250.fb
c:\windows\system32\Cache\1b4723a175d96669.fb
c:\windows\system32\Cache\26c630d098e22dd5.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
c:\windows\system32\Cache\32c84fe32bb74d60.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\5a1f1741a9e6a299.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6aa78d57b69983e0.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\6d03dad1035885d3.fb
c:\windows\system32\Cache\71c5ff90c8a09a05.fb
c:\windows\system32\Cache\737c9794d9df79a2.fb
c:\windows\system32\Cache\76e71a78f429d89a.fb
c:\windows\system32\Cache\83afa52ca9fed0a3.fb
c:\windows\system32\Cache\88a946ac46b79b73.fb
c:\windows\system32\Cache\95f567698be8a182.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\aa3619c824ee53cd.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\b9545674517d401c.fb
c:\windows\system32\Cache\c1fa887b03019701.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e988c50b3c6874d5.fb
c:\windows\system32\Cache\f998975c9cc711ee.fb
c:\windows\system32\Cache\fb0a3c319fb3dd3f.fb
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\FlashPlayerApp.exe
c:\windows\system32\SET428.tmp
c:\windows\system32\SET42C.tmp
c:\windows\system32\SET434.tmp
c:\windows\system32\win.ini
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-02 to 2013-12-02  )))))))))))))))))))))))))))))))
.
.
2013-11-28 14:56 . 2013-11-28 14:56 47064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-11-26 20:21 . 2013-11-26 20:24 -------- d-----w- c:\documents and settings\Will\Application Data\FreeFileViewer
2013-11-26 00:22 . 2013-11-26 00:22 -------- d-----w- c:\documents and settings\Will\Local Settings\Application Data\FreeFileViewer
2013-11-26 00:22 . 2013-11-26 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Overwolf
2013-11-26 00:21 . 2013-11-26 00:21 -------- d-----w- c:\program files\FreeFileViewer
2013-11-26 00:21 . 2013-11-26 20:31 -------- d-----w- c:\documents and settings\Will\Local Settings\Application Data\Overwolf
2013-11-26 00:21 . 2013-11-26 00:21 -------- d-----w- c:\documents and settings\Will\Application Data\aartemis
2013-11-26 00:20 . 2013-11-26 21:58 -------- d-----w- c:\program files\BuzzSearch
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-28 14:56 . 2009-07-17 02:13 105176 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-10-19 19:13 . 2012-02-14 15:21 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-13 07:25 . 2001-08-23 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 07:25 . 2001-08-23 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-10-13 07:25 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-13 07:24 . 2001-08-23 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-13 06:57 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2013-10-12 15:56 . 2001-08-23 12:00 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2001-08-23 12:00 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-07 10:59 . 2001-08-23 12:00 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-10-05 01:14 . 2009-04-20 23:10 7168 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 22:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-10-12 02:56 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltTray]
2002-12-06 16:19 56320 ----a-r- c:\windows\system32\delttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2013-01-30 03:34 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2013-02-13 02:37 1263952 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-11-06 01:38 138096 ----atw- c:\documents and settings\Will\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 01:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2001-08-23 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:31 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-04-17 16:41 196608 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-04-13 10:07 69632 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 04:30 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 19:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 05:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2013-03-15 02:57 15668512 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2013-03-15 02:57 223008 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2013-03-11 20:24 3093624 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 05:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 05:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-12-20 20:47 16860672 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 11:32 253816 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Warcraft 3\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft 3\\Warcraft III.exe"=
"c:\\Program Files\\Warcraft 3\\War3.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Will\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\skyrim\\SkyrimLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\chivalrymedievalwarfare\\Binaries\\Win32\\UDK.exe"=
"c:\\Program Files\\FreeFileViewer\\FFVCheckForUpdates.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"8373:TCP"= 8373:TCP:League of Legends Launcher
"8373:UDP"= 8373:UDP:League of Legends Launcher
"8374:TCP"= 8374:TCP:League of Legends Launcher
"8374:UDP"= 8374:UDP:League of Legends Launcher
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"58748:TCP"= 58748:TCP:Pando Media Booster
"58748:UDP"= 58748:UDP:Pando Media Booster
"6905:TCP"= 6905:TCP:League of Legends Launcher
"6905:UDP"= 6905:UDP:League of Legends Launcher
"6886:TCP"= 6886:TCP:League of Legends Launcher
"6886:UDP"= 6886:UDP:League of Legends Launcher
"6906:TCP"= 6906:TCP:League of Legends Launcher
"6906:UDP"= 6906:UDP:League of Legends Launcher
"6921:TCP"= 6921:TCP:League of Legends Launcher
"6921:UDP"= 6921:UDP:League of Legends Launcher
"6891:TCP"= 6891:TCP:League of Legends Launcher
"6891:UDP"= 6891:UDP:League of Legends Launcher
"6978:TCP"= 6978:TCP:League of Legends Launcher
"6978:UDP"= 6978:UDP:League of Legends Launcher
"6960:TCP"= 6960:TCP:League of Legends Launcher
"6960:UDP"= 6960:UDP:League of Legends Launcher
"6982:TCP"= 6982:TCP:League of Legends Launcher
"6982:UDP"= 6982:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"6940:TCP"= 6940:TCP:League of Legends Launcher
"6940:UDP"= 6940:UDP:League of Legends Launcher
"6923:TCP"= 6923:TCP:League of Legends Launcher
"6923:UDP"= 6923:UDP:League of Legends Launcher
"6898:TCP"= 6898:TCP:League of Legends Launcher
"6898:UDP"= 6898:UDP:League of Legends Launcher
"6959:TCP"= 6959:TCP:League of Legends Launcher
"6959:UDP"= 6959:UDP:League of Legends Launcher
"6919:TCP"= 6919:TCP:League of Legends Launcher
"6919:UDP"= 6919:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6909:TCP"= 6909:TCP:League of Legends Launcher
"6909:UDP"= 6909:UDP:League of Legends Launcher
"58651:TCP"= 58651:TCP:Pando Media Booster
"58651:UDP"= 58651:UDP:Pando Media Booster
.
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [5/10/2013 5:57 PM 103040]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/28/2013 5:45 PM 161384]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [7/7/2009 6:33 PM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [7/7/2009 6:33 PM 18432]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [7/8/2010 3:09 PM 606056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-18 02:56 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 19:13]
.
2012-11-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-12-02 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2000478354-1123561945-839522115-1004Core.job
- c:\documents and settings\Will\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-11-06 01:38]
.
2013-12-02 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2000478354-1123561945-839522115-1004UA.job
- c:\documents and settings\Will\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-11-06 01:38]
.
2013-12-02 c:\windows\Tasks\FreeFileViewerUpdateChecker.job
- c:\program files\FreeFileViewer\FFVCheckForUpdates.exe [2013-11-26 23:24]
.
2013-12-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-08 02:43]
.
2013-12-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-08 02:43]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Will\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-AVG_UI - c:\program files\AVG\AVG2014\avgui.exe
MSConfigStartUp-Media Finder - c:\program files\Media Finder\MF.exe
MSConfigStartUp-Overwolf - c:\program files\Overwolf\Overwolf.exe
MSConfigStartUp-vProt - c:\program files\AVG Secure Search\vprot.exe
AddRemove-HijackThis - c:\documents and settings\Will\Desktop\HiJackThis\HijackThis.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-02 17:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2000478354-1123561945-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3a,af,22,bd,98,30,27,0d,15,fc,72,99,2f,f0,56,38,98,ab,c2,29,90,fc,4a,
   ff,42,e1,c4,e9,c3,dc,e1,d7,2e,bb,be,3b,1f,69,f5,16,a2,7d,96,9b,1b,95,8d,18,\
"??"=hex:98,c2,01,c2,f0,40,35,57,dd,be,35,30,0d,3c,cb,7a
.
[HKEY_USERS\S-1-5-21-2000478354-1123561945-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:a9,4b,0a,c4,03,34,06,b6,1c,e3,85,23,d3,ed,f9,6e,59,44,dc,c7,5b,
   1e,bd,c6,6e,88,a9,fe,3b,03,10,e1,6a,d0,5f,a8,b2,93,bd,49,97,ba,14,0a,b0,70,\
"rkeysecu"=hex:fa,ec,28,b2,05,23,b7,a4,93,95,54,34,e9,bc,9d,5b
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.7"
"DeviceInstanceIds"=multi:"c:\\documents and settings\\administrator\\desktop\\wills drivers\\ma790chipset\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2013-12-02  17:19:28
ComboFix-quarantined-files.txt  2013-12-02 22:19
.
Pre-Run: 63,130,071,040 bytes free
Post-Run: 64,492,154,880 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /usepmtimer
.
- - End Of File - - 939D63C5A00F719F48E703C35B3B4320
8F558EB6672622401DA993E1E865C861
Link to post
Share on other sites

Combofix scripting

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Download the attached CFScript.txt and save it to the location where Combofix is.


CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

 

 

Full System Scan with Malwarebytes Antimalware
 

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform fullscan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

 

CFScript.txt

Link to post
Share on other sites

Here is the ComboFix.txt log:

 

ComboFix 13-12-01.01 - Will 12/03/2013  19:04:44.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3326.2900 [GMT -5:00]
Running from: c:\documents and settings\Will\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Will\Desktop\CFScript.txt
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Overwolf
c:\documents and settings\All Users\Application Data\Overwolf\Setup\180\OverwolfSetup.msi
c:\documents and settings\Will\Application Data\aartemis
c:\documents and settings\Will\Application Data\aartemis\aartemis.exe
c:\documents and settings\Will\Application Data\aartemis\cor_aartemis.json
c:\documents and settings\Will\Application Data\aartemis\DataBase
c:\documents and settings\Will\Application Data\aartemis\QQBrowserFrame.dll
c:\documents and settings\Will\Application Data\FreeFileViewer
c:\documents and settings\Will\Application Data\FreeFileViewer\updcheck.cfg
c:\documents and settings\Will\Local Settings\Application Data\FreeFileViewer
c:\documents and settings\Will\Local Settings\Application Data\FreeFileViewer\FreeFileViewer.dat
c:\documents and settings\Will\Local Settings\Application Data\Overwolf
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Apps\AddIns\AddIns.store
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Apps\AddInSideAdapters\ODK.AddIns.V1.AddInSideAdapter.dll
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Apps\AddInSideAdapters\ODK.AddIns.V2.AddInSideAdapter.dll
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Apps\AddInViews\ODK.AddIns.V1.AddInView.dll
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Apps\AddInViews\ODK.AddIns.V2.AddInView.dll
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Apps\Contracts\ODK.AddIns.V1.Contract.dll
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Apps\Contracts\ODK.AddIns.V2.Contract.dll
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Apps\HostSideAdapters\ODK.AddIns.V2.HostSideAdapter.dll
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Apps\HostSideAdapters\ODK.AddIns.V2.HostSideAdapterV1.dll
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Apps\PipelineSegments.store
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\GamesList.4627103.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\InstallerCache\OWResources.dll
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Log\InstallerTrace.log
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Log\MSI_2013_11_25_19_21.log.gz
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Log\Overwolf_11-25-13_19-22-10.Game.html
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Log\Overwolf_11-26-13_15-31-25.Game.html
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Log\OWLog.cfg
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Log\Trace.log
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_Capture.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_Capture.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_ChatNVoice.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_ChatNVoice.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_Entertainment.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_Entertainment.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_ForGames.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_ForGames.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_ForTablets.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_ForTablets.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_FTW.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_FTW.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_Social.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_Social.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_Utilities.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_Categories_Utilities.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_LoLTimers_Tile.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_LoLTimers_Tile.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_MusicPlayer_Tile.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_MusicPlayer_Tile.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_ScreenCapture_Tile.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_ScreenCapture_Tile.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_TeamSpeak_WideTile.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_TeamSpeak_WideTile.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_VideoCapture_WideTile.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\AppStore_VideoCapture_WideTile.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\GamesSubCategory_Action.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\GamesSubCategory_Action.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\GamesSubCategory_MMORPG.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\GamesSubCategory_MMORPG.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\GamesSubCategory_Other.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\GamesSubCategory_Other.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\GamesSubCategory_Shooters.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\GamesSubCategory_Shooters.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\GamesSubCategory_Sports.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\GamesSubCategory_Sports.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\GamesSubCategory_Strategy.png
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\MarketplaceCache\GamesSubCategory_Strategy.png.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_1327.swf
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_1327.swf.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_EndGame.html
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_EndGame.html.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_MusicPlayerPromo.html
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_MusicPlayerPromo.html.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_Promo300on250.html
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_Promo300on250.html.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_RunesOfMagic.html
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_RunesOfMagic.html.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_StarWarsTOR.html
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_StarWarsTOR.html.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_WorldOfTanks.html
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\PromoCache\OWCache_WorldOfTanks.html.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Settings\SettingsPageAccounts.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Settings\SettingsPageBasic.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Settings\SettingsPageCache.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Settings\SettingsPageGeneral.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Settings\SettingsPageGuidanceLayer.xml
c:\documents and settings\Will\Local Settings\Application Data\Overwolf\Settings\SettingsPageStats.xml
c:\program files\BuzzSearch
c:\program files\FreeFileViewer
c:\program files\FreeFileViewer\cmaps\83PV-R_1
c:\program files\FreeFileViewer\cmaps\90MS-R_1
c:\program files\FreeFileViewer\cmaps\90MS-R_2
c:\program files\FreeFileViewer\cmaps\90MS-R_3
c:\program files\FreeFileViewer\cmaps\90MSP-_1
c:\program files\FreeFileViewer\cmaps\90MSP-_2
c:\program files\FreeFileViewer\cmaps\90PV-R_1
c:\program files\FreeFileViewer\cmaps\90PV-R_2
c:\program files\FreeFileViewer\cmaps\90PV-R_3
c:\program files\FreeFileViewer\cmaps\AD2D42_1
c:\program files\FreeFileViewer\cmaps\AD4844_1
c:\program files\FreeFileViewer\cmaps\AD5AE7_1
c:\program files\FreeFileViewer\cmaps\ADB53F_1
c:\program files\FreeFileViewer\cmaps\ADD-RK_1
c:\program files\FreeFileViewer\cmaps\ADD-RK_2
c:\program files\FreeFileViewer\cmaps\ADOBE-_1
c:\program files\FreeFileViewer\cmaps\ADOBE-_2
c:\program files\FreeFileViewer\cmaps\ADOBE-_3
c:\program files\FreeFileViewer\cmaps\ADOBE-_4
c:\program files\FreeFileViewer\cmaps\B5pc-H
c:\program files\FreeFileViewer\cmaps\B5PC-U_1
c:\program files\FreeFileViewer\cmaps\B5PC-U_2
c:\program files\FreeFileViewer\cmaps\B5pc-V
c:\program files\FreeFileViewer\cmaps\CNS-EU_1
c:\program files\FreeFileViewer\cmaps\CNS-EU_2
c:\program files\FreeFileViewer\cmaps\ETEN-B_1
c:\program files\FreeFileViewer\cmaps\ETEN-B_2
c:\program files\FreeFileViewer\cmaps\ETEN-B_3
c:\program files\FreeFileViewer\cmaps\ETENMS_1
c:\program files\FreeFileViewer\cmaps\ETENMS_2
c:\program files\FreeFileViewer\cmaps\EUC-H
c:\program files\FreeFileViewer\cmaps\EUC-V
c:\program files\FreeFileViewer\cmaps\EXT-RK_1
c:\program files\FreeFileViewer\cmaps\EXT-RK_2
c:\program files\FreeFileViewer\cmaps\GB-EUC-H
c:\program files\FreeFileViewer\cmaps\GB-EUC-V
c:\program files\FreeFileViewer\cmaps\GBK-EU_1
c:\program files\FreeFileViewer\cmaps\GBK-EU_2
c:\program files\FreeFileViewer\cmaps\GBK-EU_3
c:\program files\FreeFileViewer\cmaps\GBK2K-H
c:\program files\FreeFileViewer\cmaps\GBK2K-V
c:\program files\FreeFileViewer\cmaps\GBKP-E_1
c:\program files\FreeFileViewer\cmaps\GBKP-E_2
c:\program files\FreeFileViewer\cmaps\GBPC-E_1
c:\program files\FreeFileViewer\cmaps\GBPC-E_2
c:\program files\FreeFileViewer\cmaps\GBPC-E_3
c:\program files\FreeFileViewer\cmaps\GBPC-E_4
c:\program files\FreeFileViewer\cmaps\GBT-EU_1
c:\program files\FreeFileViewer\cmaps\GBT-EU_2
c:\program files\FreeFileViewer\cmaps\H
c:\program files\FreeFileViewer\cmaps\HKSCS-_1
c:\program files\FreeFileViewer\cmaps\HKSCS-_2
c:\program files\FreeFileViewer\cmaps\IDENTI_1
c:\program files\FreeFileViewer\cmaps\IDENTI_2
c:\program files\FreeFileViewer\cmaps\KSC-EU_1
c:\program files\FreeFileViewer\cmaps\KSC-EU_2
c:\program files\FreeFileViewer\cmaps\KSCMS-_1
c:\program files\FreeFileViewer\cmaps\KSCMS-_2
c:\program files\FreeFileViewer\cmaps\KSCMS-_3
c:\program files\FreeFileViewer\cmaps\KSCMS-_4
c:\program files\FreeFileViewer\cmaps\KSCPC-_1
c:\program files\FreeFileViewer\cmaps\KSCPC-_2
c:\program files\FreeFileViewer\cmaps\KSCPC-_3
c:\program files\FreeFileViewer\cmaps\KSCPC-_4
c:\program files\FreeFileViewer\cmaps\KSFD92_1
c:\program files\FreeFileViewer\cmaps\UNICNS_1
c:\program files\FreeFileViewer\cmaps\UNICNS_2
c:\program files\FreeFileViewer\cmaps\UNIGB-_1
c:\program files\FreeFileViewer\cmaps\UNIGB-_2
c:\program files\FreeFileViewer\cmaps\UNIJIS_1
c:\program files\FreeFileViewer\cmaps\UNIJIS_2
c:\program files\FreeFileViewer\cmaps\UNIJIS_3
c:\program files\FreeFileViewer\cmaps\UNIJIS_4
c:\program files\FreeFileViewer\cmaps\UNIKS-_1
c:\program files\FreeFileViewer\cmaps\UNIKS-_2
c:\program files\FreeFileViewer\cmaps\V
c:\program files\FreeFileViewer\ffmpeg\avcodec-53.dll
c:\program files\FreeFileViewer\ffmpeg\avdevice-53.dll
c:\program files\FreeFileViewer\ffmpeg\avfilter-2.dll
c:\program files\FreeFileViewer\ffmpeg\avformat-53.dll
c:\program files\FreeFileViewer\ffmpeg\avutil-51.dll
c:\program files\FreeFileViewer\ffmpeg\license_ffmpeg.txt
c:\program files\FreeFileViewer\ffmpeg\license_libgsm.txt
c:\program files\FreeFileViewer\ffmpeg\license_libogg.txt
c:\program files\FreeFileViewer\ffmpeg\license_libspeex.txt
c:\program files\FreeFileViewer\ffmpeg\license_libtheora.txt
c:\program files\FreeFileViewer\ffmpeg\license_libvorbis.txt
c:\program files\FreeFileViewer\ffmpeg\license_opencore_amr.txt
c:\program files\FreeFileViewer\ffmpeg\license_sdl.txt
c:\program files\FreeFileViewer\ffmpeg\myutil.dll
c:\program files\FreeFileViewer\ffmpeg\SDL.dll
c:\program files\FreeFileViewer\ffmpeg\source.txt
c:\program files\FreeFileViewer\ffmpeg\swresample-0.dll
c:\program files\FreeFileViewer\ffmpeg\swscale-2.dll
c:\program files\FreeFileViewer\FFVCFG.exe
c:\program files\FreeFileViewer\FFVCheckForUpdates.exe
c:\program files\FreeFileViewer\FreeFileViewer.exe
c:\program files\FreeFileViewer\js32.dll
c:\program files\FreeFileViewer\tx18.dll
c:\program files\FreeFileViewer\tx18_bmp.flt
c:\program files\FreeFileViewer\tx18_css.dll
c:\program files\FreeFileViewer\tx18_doc.dll
c:\program files\FreeFileViewer\tx18_dox.dll
c:\program files\FreeFileViewer\tx18_gif.flt
c:\program files\FreeFileViewer\tx18_htm.dll
c:\program files\FreeFileViewer\tx18_ic.dll
c:\program files\FreeFileViewer\tx18_ic.ini
c:\program files\FreeFileViewer\tx18_jpg.flt
c:\program files\FreeFileViewer\tx18_obj.dll
c:\program files\FreeFileViewer\tx18_png.flt
c:\program files\FreeFileViewer\tx18_rtf.dll
c:\program files\FreeFileViewer\tx18_tif.flt
c:\program files\FreeFileViewer\tx18_tls.dll
c:\program files\FreeFileViewer\tx18_wnd.dll
c:\program files\FreeFileViewer\tx18_xml.dll
c:\program files\FreeFileViewer\tx4ole18.ocx
c:\program files\FreeFileViewer\unins000.dat
c:\program files\FreeFileViewer\unins000.exe
c:\program files\FreeFileViewer\unins000.msg
c:\program files\FreeFileViewer\updates.cfg
c:\program files\FreeFileViewer\vsgdi.dll
c:\program files\FreeFileViewer\VSPDFViewerX.ocx
c:\program files\FreeFileViewer\welcome.docx
.
.
(((((((((((((((((((((((((   Files Created from 2013-11-04 to 2013-12-04  )))))))))))))))))))))))))))))))
.
.
2013-11-28 14:56 . 2013-11-28 14:56 47064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-11-28 14:56 . 2009-07-17 02:13 105176 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-10-19 19:13 . 2012-02-14 15:21 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-13 07:25 . 2001-08-23 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-10-13 07:25 . 2001-08-23 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-10-13 07:25 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-10-13 07:24 . 2001-08-23 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-10-13 06:57 . 2004-08-04 05:59 385024 ------w- c:\windows\system32\html.iec
2013-10-12 15:56 . 2001-08-23 12:00 278528 ----a-w- c:\windows\system32\oakley.dll
2013-10-09 13:12 . 2001-08-23 12:00 287744 ----a-w- c:\windows\system32\gdi32.dll
2013-10-07 10:59 . 2001-08-23 12:00 603136 ----a-w- c:\windows\system32\crypt32.dll
2013-10-05 01:14 . 2009-04-20 23:10 7168 ----a-w- c:\windows\system32\xpsp4res.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 22:43 69632 ----a-w- c:\windows\Alcmtr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-10-12 02:56 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeltTray]
2002-12-06 16:19 56320 ----a-r- c:\windows\system32\delttray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2013-01-30 03:34 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2013-02-13 02:37 1263952 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-11-06 01:38 138096 ----atw- c:\documents and settings\Will\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-10-15 01:17 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2001-08-23 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:31 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-04-17 16:41 196608 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-04-13 10:07 69632 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 04:30 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2009-09-10 19:53 1312080 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 05:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2013-03-15 02:57 15668512 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2013-03-15 02:57 223008 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster]
2013-03-11 20:24 3093624 ----a-w- c:\program files\Pando Networks\Media Booster\PMB.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 05:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 05:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-12-20 20:47 16860672 ----a-w- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 11:32 253816 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Warcraft 3\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft 3\\Warcraft III.exe"=
"c:\\Program Files\\Warcraft 3\\War3.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Will\\Local Settings\\Application Data\\Facebook\\Video\\Skype\\FacebookVideoCalling.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\skyrim\\SkyrimLauncher.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\chivalrymedievalwarfare\\Binaries\\Win32\\UDK.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"8373:TCP"= 8373:TCP:League of Legends Launcher
"8373:UDP"= 8373:UDP:League of Legends Launcher
"8374:TCP"= 8374:TCP:League of Legends Launcher
"8374:UDP"= 8374:UDP:League of Legends Launcher
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"58748:TCP"= 58748:TCP:Pando Media Booster
"58748:UDP"= 58748:UDP:Pando Media Booster
"6905:TCP"= 6905:TCP:League of Legends Launcher
"6905:UDP"= 6905:UDP:League of Legends Launcher
"6886:TCP"= 6886:TCP:League of Legends Launcher
"6886:UDP"= 6886:UDP:League of Legends Launcher
"6906:TCP"= 6906:TCP:League of Legends Launcher
"6906:UDP"= 6906:UDP:League of Legends Launcher
"6921:TCP"= 6921:TCP:League of Legends Launcher
"6921:UDP"= 6921:UDP:League of Legends Launcher
"6891:TCP"= 6891:TCP:League of Legends Launcher
"6891:UDP"= 6891:UDP:League of Legends Launcher
"6978:TCP"= 6978:TCP:League of Legends Launcher
"6978:UDP"= 6978:UDP:League of Legends Launcher
"6960:TCP"= 6960:TCP:League of Legends Launcher
"6960:UDP"= 6960:UDP:League of Legends Launcher
"6982:TCP"= 6982:TCP:League of Legends Launcher
"6982:UDP"= 6982:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"6940:TCP"= 6940:TCP:League of Legends Launcher
"6940:UDP"= 6940:UDP:League of Legends Launcher
"6923:TCP"= 6923:TCP:League of Legends Launcher
"6923:UDP"= 6923:UDP:League of Legends Launcher
"6898:TCP"= 6898:TCP:League of Legends Launcher
"6898:UDP"= 6898:UDP:League of Legends Launcher
"6959:TCP"= 6959:TCP:League of Legends Launcher
"6959:UDP"= 6959:UDP:League of Legends Launcher
"6919:TCP"= 6919:TCP:League of Legends Launcher
"6919:UDP"= 6919:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6909:TCP"= 6909:TCP:League of Legends Launcher
"6909:UDP"= 6909:UDP:League of Legends Launcher
"58651:TCP"= 58651:TCP:Pando Media Booster
"58651:UDP"= 58651:UDP:Pando Media Booster
.
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [5/10/2013 5:57 PM 103040]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2/28/2013 5:45 PM 161384]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [7/7/2009 6:33 PM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [7/7/2009 6:33 PM 18432]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [7/8/2010 3:09 PM 606056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-11-18 02:56 1210320 ----a-w- c:\program files\Google\Chrome\Application\31.0.1650.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 19:13]
.
2012-11-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-12-03 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2000478354-1123561945-839522115-1004Core.job
- c:\documents and settings\Will\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-11-06 01:38]
.
2013-12-03 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2000478354-1123561945-839522115-1004UA.job
- c:\documents and settings\Will\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-11-06 01:38]
.
2013-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-08 02:43]
.
2013-12-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-07-08 02:43]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Download with &Media Finder - c:\program files\Media Finder\hook.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Will\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-FreeFileViewer_is1 - c:\program files\FreeFileViewer\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-12-03 19:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2000478354-1123561945-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3a,af,22,bd,98,30,27,0d,15,fc,72,99,2f,f0,56,38,98,ab,c2,29,90,fc,4a,
   ff,42,e1,c4,e9,c3,dc,e1,d7,2e,bb,be,3b,1f,69,f5,16,a2,7d,96,9b,1b,95,8d,18,\
"??"=hex:98,c2,01,c2,f0,40,35,57,dd,be,35,30,0d,3c,cb,7a
.
[HKEY_USERS\S-1-5-21-2000478354-1123561945-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:a9,4b,0a,c4,03,34,06,b6,1c,e3,85,23,d3,ed,f9,6e,59,44,dc,c7,5b,
   1e,bd,c6,6e,88,a9,fe,3b,03,10,e1,6a,d0,5f,a8,b2,93,bd,49,97,ba,14,0a,b0,70,\
"rkeysecu"=hex:fa,ec,28,b2,05,23,b7,a4,93,95,54,34,e9,bc,9d,5b
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\æHõwæ*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.7"
"DeviceInstanceIds"=multi:"c:\\documents and settings\\administrator\\desktop\\wills drivers\\ma790chipset\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2013-12-03  19:11:08
ComboFix-quarantined-files.txt  2013-12-04 00:11
ComboFix2.txt  2013-12-02 22:19
.
Pre-Run: 64,507,699,200 bytes free
Post-Run: 64,419,651,584 bytes free
.
- - End Of File - - 1250AD9272BDEB070678DF39C138DD8D
8F558EB6672622401DA993E1E865C861
 
 
 
 
 
 
Here is the MBAM log:
 
 
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3
 
12/3/2013 7:52:25 PM
mbam-log-2013-12-03 (19-52-25).txt
 
Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 245712
Time elapsed: 36 minute(s), 0 second(s)
 
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
 
Memory Processes Infected:
(No malicious items detected)
 
Memory Modules Infected:
(No malicious items detected)
 
Registry Keys Infected:
(No malicious items detected)
 
Registry Values Infected:
(No malicious items detected)
 
Registry Data Items Infected:
(No malicious items detected)
 
Folders Infected:
(No malicious items detected)
 
Files Infected:
(No malicious items detected)
 
Link to post
Share on other sites

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology

[*]Click Scan[*]Wait for the scan to finish[*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.

Link to post
Share on other sites

Here is the ESET log file:

 

C:\Documents and Settings\Will\Local Settings\Application Data\Babylon\Setup\Setup.exe Win32/Toolbar.Babylon application
C:\Documents and Settings\Will\My Documents\Downloads\FreeFileViewerSetup.exe a variant of Win32/InstallCore.CU application
C:\System Volume Information\_restore{FFDDB48A-6216-4AAB-A1EE-01AFD0A1008E}\RP751\A0185508.dll a variant of Win32/BrowseFox.F application
C:\System Volume Information\_restore{FFDDB48A-6216-4AAB-A1EE-01AFD0A1008E}\RP751\A0185509.exe a variant of Win32/BrowseFox.G application
C:\System Volume Information\_restore{FFDDB48A-6216-4AAB-A1EE-01AFD0A1008E}\RP752\A0185670.exe a variant of Win32/BrowseFox.G application
C:\System Volume Information\_restore{FFDDB48A-6216-4AAB-A1EE-01AFD0A1008E}\RP754\A0186164.exe a variant of Win32/Toolbar.Conduit.B application
 
Link to post
Share on other sites

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don´t uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You´ll find the log file at C:\AdwCleaner[s1].txt also


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan finished the (checkup.txt) will open. Copy its content to your thread.

Link to post
Share on other sites

# AdwCleaner v3.015 - Report created 10/12/2013 at 17:31:28

# Updated 10/12/2013 by Xplode

# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

# Username : Will - HOMESLICE

# Running from : C:\Documents and Settings\Will\My Documents\Downloads\adwcleaner.exe

# Option : Clean

 

***** [ Services ] *****

 

 

***** [ Files / Folders ] *****

 

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon

Folder Deleted : C:\Program Files\Iminent

Folder Deleted : C:\Documents and Settings\Will\Local Settings\Application Data\Babylon

Folder Deleted : C:\Documents and Settings\Will\Application Data\Babylon

Folder Deleted : C:\Documents and Settings\Will\Application Data\Media Finder

Folder Deleted : C:\Documents and Settings\Will\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@some.com

[!] Folder Deleted : C:\Documents and Settings\Will\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cekcjpgehmohobmdiikfnopibipmgnml

File Deleted : C:\Documents and Settings\Will\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\newtab.crx

 

***** [ Shortcuts ] *****

 

Shortcut Disinfected : C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome\Google Chrome.lnk

Shortcut Disinfected : C:\Documents and Settings\Will\Start Menu\Programs\Internet Explorer.lnk

Shortcut Disinfected : C:\Documents and Settings\Will\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

Shortcut Disinfected : C:\Documents and Settings\Will\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk

 

***** [ Registry ] *****

 

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dednnpigldgdbpgcdpfppmlcnnbjciel

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ifohbjbgfchkkfhphahclmkpgejiplfo

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lpmkgpnbiojfaoklbkpfneikocaobfai

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\Download with &Media Finder

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL

Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr

Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1

Key Deleted : HKLM\SOFTWARE\Classes\MF

Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02054E11-5113-4BE3-8153-AA8DFB5D3761}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{021B4049-F57D-4565-A693-FD3B04786BFA}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0362AA09-808D-48E9-B360-FB51A8CBCE09}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{06844020-CD0B-3D3D-A7FE-371153013E49}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0ADC01BB-303B-3F8E-93DA-12C140E85460}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{10D3722F-23E6-3901-B6C1-FF6567121920}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1675E62B-F911-3B7B-A046-EB57261212F3}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{192929F2-9273-3894-91B0-F54671C4C861}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2932897E-3036-43D9-8A64-B06447992065}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DE92D29-A042-3C37-BFF8-07C7D8893EFA}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{32B80AD6-1214-45F4-994E-78A5D482C000}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3A8E103F-B2B7-3BEF-B3B0-88E29B2420E4}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{478CE5D3-D38E-3FFE-8DBE-8C4A0F1C4D8D}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{48B7DA4E-69ED-39E3-BAD5-3E3EFF22CFB0}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5982F405-44E4-3BBB-BAC4-CF8141CBBC5C}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5D8C3CC3-3C05-38A1-B244-924A23115FE9}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{641593AF-D9FD-30F7-B783-36E16F7A2E08}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{711FC48A-1356-3932-94D8-A8B733DBC7E4}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{72227B7F-1F02-3560-95F5-592E68BACC0C}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7B5E8CE3-4722-4C0E-A236-A6FF731BEF37}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{890D4F59-5ED0-3CB4-8E0E-74A5A86E7ED0}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8C68913C-AC3C-4494-8B9C-984D87C85003}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8D019513-083F-4AA5-933F-7D43A6DA82C4}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{923F6FB8-A390-370E-A0D2-DD505432481D}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9BBB26EF-B178-35D6-9D3D-B485F4279FE5}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A62DDBE0-8D2A-339A-B089-8CBCC5CD322A}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A82AD04D-0B8E-3A49-947B-6A69A8A9C96D}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ADEB3CC9-A05D-4FCC-BD09-9025456AA3EA}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B06D4521-D09C-3F41-8E39-9D784CCA2A75}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C06DAD42-6F39-4CE1-83CC-9A8B9105E556}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2E799D0-43A5-3477-8A98-FC5F3677F35C}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D16107CD-2AD5-46A8-BA59-303B7C32C500}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D25B101F-8188-3B43-9D85-201F372BC205}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2BA7595-5E44-3F1E-880F-03B3139FA5ED}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D35F5C81-17D9-3E1C-A1FC-4472542E1D25}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8FA96CA-B250-312C-AF34-4FF1DD72589D}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DAFC1E63-3359-416D-9BC2-E7DCA6F7B0F3}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DC5E5C44-80FD-3697-9E65-9F286D92F3E7}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E1B4C9DE-D741-385F-981E-6745FACE6F01}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7B623F5-9715-3F9F-A671-D1485A39F8A2}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ED916A7B-7C68-3198-B87D-2DABC30A5587}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EFA1BDB2-BB3D-3D9A-8EB5-D0D22E0F64F4}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F4CBF4DD-F8FE-35BA-BB7E-68304DAAB70B}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC32005D-E27C-32E0-ADFA-152F598B75E7}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2BF2028E-3F3C-4C05-AB45-B2F1DCFE0759}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}

Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB538320-D3C5-433C-BCA9-C4081A054FCF}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68B81CCD-A80C-4060-8947-5AE69ED01199}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6B969FB-6D33-48D2-9061-8BBD4899EB08}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4D79-A620-CCE0C0A66CC9}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}

Key Deleted : HKCU\Software\APN PIP

Key Deleted : HKCU\Software\IGearSettings

Key Deleted : HKCU\Software\Iminent

Key Deleted : HKCU\Software\InstallCore

Key Deleted : HKCU\Software\MediaFinder

Key Deleted : HKCU\Software\OCS

Key Deleted : HKCU\Software\YahooPartnerToolbar

Key Deleted : HKLM\Software\Babylon

Key Deleted : HKLM\Software\Iminent

Key Deleted : HKLM\Software\PIP

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchTheWebARP

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\IMBoosterARP

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0238BBE24EA3A70408B81E4BB89C15E5

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\29799DE249E7DBC459FC6C8F07EB8375

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\43C098337DB065A49B665D4EA7F16D1C

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A71991503412AEB42838B02C5ED9F9CD

Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F7652513C62FF63448CFF05163719DB7

 

***** [ Browsers ] *****

 

-\\ Internet Explorer v8.0.6001.18702

 

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs]

 

-\\ Google Chrome v31.0.1650.63

 

[ File : C:\Documents and Settings\Will\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

 

 

*************************

 

AdwCleaner[R0].txt - [10977 octets] - [10/12/2013 17:30:25]

AdwCleaner[s0].txt - [10689 octets] - [10/12/2013 17:31:28]

 

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [10750 octets] ##########
Link to post
Share on other sites

 Results of screen317's Security Check version 0.99.77  

 Windows XP Service Pack 3 x86   

 Internet Explorer 8  

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Firewall Enabled!  

 WMI entry may not exist for antivirus; attempting automatic update. 

`````````Anti-malware/Other Utilities Check:````````` 

 Java 6 Update 30  

 Java 7 Update 21  

 Java version out of Date! 

 Adobe Flash Player 11.9.900.117  

 Google Chrome 31.0.1650.57  

 Google Chrome 31.0.1650.63  

````````Process Check: objlist.exe by Laurent````````  

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C:: 15% Defragment your hard drive soon! (Do NOT defrag if SSD!)

````````````````````End of Log`````````````````````` 
Link to post
Share on other sites

Your system is clean now! :)

 

 

Java runtime Environment out of date

Your Java runtime environment is outdated. We will fix this.

  • Get the actual JRE from here
  • Save jxpiinstall.exe to your desktop
  • Close all running programs, especially your browser(s)
  • Run jxpiinstall.exe. This will download the newest JRE installer and install the software
  • when finished, go to
    Start-->control panel-->add/remove programs and remove all older Java versions. (if existing)
  • When finished, reboot your computer.


After the reboot

  • Open control panel again and click the java symbol.
  • Click Settings under Temporary Internet Files.
    The Temporary Files Settings dialog box appears.
  • Click Delete Files.
    The Delete Temporary Files dialog box appears
  • Click OK on Delete Temporary Files window.
  • Click OK again.

 

 

 

Uninstall our tools using delfix

Please follow these steps in order:

  1. In the case we used Defogger to turn off your CD emulation software. You can start it again and use the Enable button.
  2. In the case we used Combofix. Deactivate your antivirus software once more, then rename the combofix.exe to uninstall.exe and run it one last time. You shall be noted that Combofix has been removed.
  3. In any case please download delfix to your desktop.
    • Close all other programms and start delfix.
    • Please check all the boxes and run the tool.
    • delfix will now delete all found traces of our removal process

[*] If there is still something left please delete it manualy.

 

 

 

Recommendations: How to protect yourself

  • System Updates
    Please ensure to have automatic updates activated in your control panel.
    For further information and a tutorial, see this Microsoft Support article.
  • Protection
    What you need is one (not more) virus scanner with background protection. Additionally I recommend a special malware scanner to run on demand weekly.
    Personally I am using avast! Antivirus Free Edition and Malwarebytes Anti-Malware. They offer good protection for free.
    • To keep your browser free of advertising, you may install the Adblock Plus browser extension.
      It will filter unwanted advertising out of the website´s content.
    • To protect yourself from accidentally visiting malicious web sites, install the Web of Trust (WOT) browser extension.
      It will display a green (safe), yellow (unknown) or red (potentially dangerous) icon for a visited website within your browser.
      In addition, before accessing a dangerous classified web site, a warning screen is displayed.


    [*]Up to date Software
    Keep your Windows and your third party software up to date. The easiest way to get infected is an outdated windows, followed by: browser(s) (including add-ons and plug-ins), Adobe Flash Player and Adobe Reader, Java Runtime Environment, your antivirus program and so on. These links may help you to check:

    [*]Backup
    Hardware issues, malware, fire, lightning strike: There is a long list of different ways to loose all your data. Back up your files regularly. Use the windows internal backup function or a third party tool and save your data onto an external hard drive, cloud storage, optical media like CDs or DVDs or (if available) a professional network backup system. [*]Behaviour
    The commonest error when using a computer is "error 80" - what means that the error is located about 80cm in front of the monitor. This is a common joke between IT support technicians but it shows that all the safety mechanisms won´t help if you aren´t careful enough.

    • While surfing the internet, don´t click on anything you don´t know. In the worst case, it infects your system with malware.
    • Watch your step in social networks! Many cyber criminals use them to spread malware, mine personal pata (to be sold to advertising companies, for example) or simply do damage to other users. Even if a received hyperlink within a message seems to be coming from one of your friends, have a closer look. In addition, don´t click everything.
    • When installing software, have a look to each of the setup windows and uncheck any additional toolbars or free programs that may be offered additionally. Most of today´s setup procedures contain potentially unwanted programs so keep them off your system.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
      They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.



Link to post
Share on other sites

  • 3 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.