# Computer keeps deleting certain .exe files



## craig brian (Feb 12, 2008)

OK FIRST THING you all need to know is I'm not a computer noob. I designed a Flash game when I was 14 all by myself, besides watching videos that taught me about Flash CS3. I have done a bit of scripting. I learned how to put movies and videos onto MP3 players and iPods when I was 14.

When I was 16 I learned how to put movies on my PS3 and onto Xboxes.

I worked in a computer store for two weeks and learned some stuff there, not much, mostly learned how to do an external scan.

But I know what msconfig is, I know what the Task Manager is, I know what explorer.exe is, defragmentation, Device Manager, the BIOS, I know what hosts files are, HijackThis. I know how computers work. I have been using them since I was in grade one and always was fond of them. When I was in grade 6 I saved some computers in our class because this bad virus was launched on that day and it infected a few of the school computers, but I fixed it by updating the virus security.

In grade 9 I brought a CD to school with Ubuntu on it and I loaded the school computers up on it and deleted Deep Freeze so I could install things.

I have blue screened almost every computer in this house except the Windows 7 64bit. I even have a program called BlueScreenView that tells me what's wrong and why it blue screened.

I know what torrents are, so please don't hold back with helping me with this. I have gone over and over this again and again. I have Googled all the programs that are running in the Task Manager.

But anyway, let's get on with this.

I formatted my mom's hard drive last month and re-installed Windows because Windows Update wouldn't work and drivers were missing and failing.

She has a Gateway NV58 Notebook with Windows Vista Home Premium 64 bit.

I installed League of Legends on 04-09-2012, at 3:00 PM

I played it for about an hour or two then left the computer on.
I went on it about 4 hours later and it said the shortcut is missing. I located where it is installed and it was gone.

Now this has happened before with programs I have installed, like Skype, YouTube Downloader, iTunes, Flash Decompiler,
but Skype isn't missing.

So what's causing it? IT CAN'T be virus security because I have Windows Defender disabled and I don't have virus security. I'm going to put some on here now. I know lots about computers. I know all about the program DeepFreeze and it is NOT on this computer.

I don't visit any bad sites, I don't even use Facebook, and the only things I have installed in the last month are

I formatted her hard drive and REINSTALLED Windows on her COMPUTER AGAIN!!!! about a week ago and this is STILL happening

about two hours after repairing it and once again it deleted it

the file it deleted is called "lol.launcher.exe" but it didn't delete "lol.launcher.admin.exe"

SpeedFan (29/03/2012)
SimpleOCR 3.1 (29/03/2012)
Gimp 2.6.11 (29/03/2012)
VLC player 2.0.1 (30/03/2012)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (02/04/2012)
Hi-Rez studios Authenticate and Update Service (02/04/2012)
Team Viewer 7 (3/04/2012)
iTunes (3/04/2012)
HyperCam2 (3/04/2012)
Bonjour (3/04/2012)
BlueSoleil 6.2.277.11 (3/04/2012)
Apple Software update (3/04/2012)
Apple Mobile Device Support (3/04/2012)
Adobe CS5.1 Trial (3/04/2012)
Adobe Air (3/04/2012)
Xfire (4/04/2012)
Adobe Media Player (4/04/2012)
Adobe Flash CS5 Trial (4/04/2012)
Adobe Flash Player 10 plugin (4/04/2012)
Adobe Flash Player 10 ActiveX (4/04/2012)
Skype 5.8 (7/04/2012)
Pando Media Booster (7/04/2012)
Microsoft Silverlight (7/04/2012)
Free MP3 Recorder 1.0 (7/04/2012)
Nexon Game Manager (8/04/2012)
Combat Arms (8/04/2012)
League of Legends (9/04/2012)

Here's a log file of me scanning with HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:07:06 AM, on 23/04/2012
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Users\GATEWAY\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler.exe
C:\Program Files (x86)\Adobe\Adobe Help\Adobe Help.exe
C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
C:\Users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\GATEWAY\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&s=2&o=vp64&d=0412&m=nv58_series
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&s=2&o=vp64&d=0412&m=nv58_series
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O2 - BHO: (no name) - {F385C231-605B-4d8f-ACA9-DBFF765BBE17} - (no file)
O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files (x86)\Launch Manager\LManager.exe"
O4 - HKLM\..\Run: [RemoteControl8] "c:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "c:\Program Files (x86)\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [CLMLServer] "c:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [AVG] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SwitchBoard] "C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Sweetpacks Communicator] C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Google Update] "C:\Users\GATEWAY\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Block This Image (ABP) - C:\Program Files\Adblock Pro\blockimg.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AVG Firewall (avgfws) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgfws.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Gateway\Gateway PowerSave Solution\ePowerSvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: NTI IScheduleSvc - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TeamViewer 7 (TeamViewer7) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: vToolbarUpdater10.2.0 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11965 bytes

Going over this again, this HijackThis log, MORE FILES HAVE BEEN deleted, which is probably why my webcam is not working right. I even went into the backup "Winsys" of the computer and restored some of them, like Windows Media Player\wmpnetwk.exe. I remember fixing that one a week ago; it's been deleted again.

After I installed virus security this happened

OK!!!!!! this is VERY bad. I found the source of the problem. I must have managed to get a virus, because after I installed my virus security and restarted the computer, which hasn't been restarted in about a day or two, this popped up

I took a picture with my camera

but I had to go into safe mode to make the computer able to boot because it just kept logging off and would not even let me see my desktop.

I have read online about this issue and it says that a virus or an installation of virus security can do this

After I restarted it again it loaded Windows and I tried to uninstall my virus security, but it wouldn't even open the Control Panel

but it seems SOMETHING changed my product key. so now I have to change it back

I either will do it manually or once again............. reinstall Windows. man this sucks

I am no computer beginner I made a flash game when I was 14 years old and I worked in a computer shop I KNOW HOW to fix this...

but what caused this?

it has to be a JavaScript leak because the Windows activation.vbs file seems to have been modified.

I have gone through the download history: only pictures that my friends have sent me, and the list of programs that I showed you on my very first post.

or it was a hacker. there has been no virus security on this computer for over a month. but that seems a bit far fetched since we have TWO internet providers and our internet is broadcasting wireless RADIO WAVES across the lake it has its own server.

OK I HAVE FOUND the problem
after I formatted the hard drive and reinstalled Windows I installed Avast and ALL THIS HAPPENED again.

AFTER ALL that and it was Avast.

after I uninstalled avast and rebooted the computer everything started working again.
I don't understand tho. I have Avast installed on three other computers: my mom's computer, my laptop when I had one, my ex-girlfriend's computer, and her mom's computer had it installed, and this never happened?

only on this Gateway NV58 with Windows Vista 64bit

I will be installing a different anti virus. I no longer can trust avast on this computer. and I LOVE avast.

oh well.

all I can say is that files better not start deleting again even after I have antivirus installed.

So after all that I thought it was over. I installed AVG 2012 Internet Security full version. It updates every day. I check the virus vault and it hasn't deleted ANY .exe files, but something on the computer is. I have also run certain programs in DEP because I have had files that would crash and this would fix it.

So what I think it is: something by Microsoft, like a security program on Windows Vista, is doing this. I have two other computers in this house and none of them have done this; one's a Windows 7 64bit and the other's Windows XP Media Center Edition. IT CAN'T be a virus? I have already formatted the hard drive TWO times and reinstalled Windows. It can't be a worm because we have three firewalls and none of the other computers are missing files.

I'm going to run ComboFix and Smitfraud and see what happens

*After running ComboFix, the computer restarted on its own and this notification popped up after I saved and closed the log file:*
C:\Windows\System32\GfxUI.exe
A device attached to the system is not functioning.

*HERE's a ComboFix log*


ComboFix 12-04-22.02 - GATEWAY 23/04/2012 1:59.1.2 - x64
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.2.1033.18.4024.2395 [GMT -7:00]
Running from: c:\users\GATEWAY\Downloads\ComboFix.exe
AV: AVG Internet Security 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
SP: AVG Internet Security 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Temp\log.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-03-23 to 2012-04-23 )))))))))))))))))))))))))))))))
.
.
2012-04-23 09:07 . 2012-04-23 09:07	--------	d-----w-	c:\users\Default\AppData\Local\temp
2012-04-22 10:48 . 2012-04-22 10:48	--------	d-----w-	c:\programdata\SweetIM
2012-04-22 10:48 . 2012-04-22 10:48	--------	d-----w-	c:\program files (x86)\SweetIM
2012-04-22 10:46 . 2012-04-22 10:46	--------	d-----w-	c:\program files (x86)\1ClickDownload
2012-04-22 10:42 . 2012-04-22 10:44	--------	d-----w-	c:\programdata\WinZip
2012-04-21 23:51 . 2012-04-21 23:51	159744	----a-w-	c:\program files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2012-04-21 23:51 . 2012-04-21 23:51	159744	----a-w-	c:\program files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2012-04-21 23:51 . 2012-04-21 23:51	159744	----a-w-	c:\program files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2012-04-21 23:51 . 2012-04-21 23:51	159744	----a-w-	c:\program files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2012-04-21 23:51 . 2012-04-21 23:51	159744	----a-w-	c:\program files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2012-04-21 23:51 . 2012-04-21 23:51	159744	----a-w-	c:\program files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2012-04-21 23:51 . 2012-04-21 23:51	159744	----a-w-	c:\program files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2012-04-21 23:50 . 2012-04-21 23:51	--------	d-----w-	c:\program files (x86)\QuickTime
2012-04-21 23:50 . 2012-04-21 23:58	--------	d-----w-	c:\programdata\Apple Computer
2012-04-21 23:48 . 2012-04-21 23:48	--------	d-----w-	c:\program files (x86)\Common Files\Apple
2012-04-21 23:48 . 2012-04-21 23:48	--------	d-----w-	c:\program files (x86)\Apple Software Update
2012-04-21 23:48 . 2012-04-21 23:48	--------	d-----w-	c:\programdata\Apple
2012-04-21 23:26 . 2012-04-21 23:26	--------	d-----w-	c:\program files (x86)\Yontoo
2012-04-21 23:26 . 2012-04-21 23:26	--------	d-----w-	c:\programdata\Tarma Installer
2012-04-21 23:26 . 2012-04-22 10:38	--------	d-----w-	c:\program files (x86)\uTorrent
2012-04-21 22:08 . 2012-04-22 00:42	--------	d-----w-	c:\program files (x86)\Common Files\Spigot
2012-04-21 22:08 . 2012-04-21 22:08	--------	d-----w-	c:\programdata\YTD YouTube Downloader & Converter
2012-04-21 22:08 . 2012-04-23 09:01	--------	d-----w-	c:\program files (x86)\YTD YouTube Downloader & Converter
2012-04-20 07:34 . 1994-09-20 21:00	12800	----a-w-	c:\windows\SysWow64\WING32.DLL
2012-04-20 07:34 . 2012-04-20 07:34	--------	d-----w-	C:\KA
2012-04-20 07:34 . 1997-05-13 00:53	314368	----a-w-	c:\windows\IsUninst.exe
2012-04-20 07:30 . 2012-04-20 07:30	254528	----a-w-	c:\windows\system32\drivers\dtsoftbus01.sys
2012-04-20 07:29 . 2012-04-20 07:29	--------	d-----w-	c:\program files (x86)\DAEMON Tools Toolbar
2012-04-20 07:29 . 2012-04-22 07:14	--------	d-----w-	c:\programdata\DAEMON Tools Lite
2012-04-20 07:29 . 2012-04-20 07:31	--------	d-----w-	c:\program files (x86)\DAEMON Tools Lite
2012-04-20 00:44 . 2012-04-20 00:44	--------	d-----w-	c:\windows\system32\Macromed
2012-04-20 00:44 . 2012-04-20 00:44	8741536	----a-w-	c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-19 10:21 . 2012-04-20 03:37	418464	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-19 10:17 . 2012-04-19 10:17	--------	d-----w-	c:\program files\Adblock Pro
2012-04-18 08:12 . 2012-04-18 08:12	--------	d-----w-	c:\programdata\AutoUpdate
2012-04-18 08:12 . 2012-04-18 08:12	--------	d-----w-	c:\program files (x86)\Eltima Software
2012-04-18 08:07 . 2012-04-18 08:07	--------	d-----w-	c:\program files\MotioninJoy
2012-04-18 08:07 . 2010-05-03 23:12	328712	----a-w-	c:\windows\system32\MijFrc.dll
2012-04-18 06:32 . 2012-04-18 06:32	--------	d-----w-	c:\windows\system32\drivers\etc\adobe hosts
2012-04-18 06:21 . 2009-11-08 17:55	99176	----a-w-	c:\windows\SysWow64\PresentationHostProxy.dll
2012-04-18 06:21 . 2009-11-08 17:55	49472	----a-w-	c:\windows\SysWow64\netfxperf.dll
2012-04-18 06:21 . 2009-11-08 17:55	48960	----a-w-	c:\windows\system32\netfxperf.dll
2012-04-18 06:21 . 2009-11-08 17:55	444752	----a-w-	c:\windows\system32\mscoree.dll
2012-04-18 06:21 . 2009-11-08 17:55	320352	----a-w-	c:\windows\system32\PresentationHost.exe
2012-04-18 06:21 . 2009-11-08 17:55	297808	----a-w-	c:\windows\SysWow64\mscoree.dll
2012-04-18 06:21 . 2009-11-08 17:55	295264	----a-w-	c:\windows\SysWow64\PresentationHost.exe
2012-04-18 06:21 . 2009-11-08 17:55	1942856	----a-w-	c:\windows\system32\dfshim.dll
2012-04-18 06:21 . 2009-11-08 17:55	1130824	----a-w-	c:\windows\SysWow64\dfshim.dll
2012-04-18 06:21 . 2009-11-08 17:55	109912	----a-w-	c:\windows\system32\PresentationHostProxy.dll
2012-04-18 04:55 . 2012-04-18 04:55	--------	d-----w-	c:\program files (x86)\SystemRequirementsLab
2012-04-18 04:55 . 2012-04-18 04:55	--------	d-----w-	c:\windows\Sun
2012-04-18 04:54 . 2012-04-18 04:54	--------	d-----w-	c:\program files (x86)\Common Files\Java
2012-04-18 04:53 . 2012-04-18 04:53	472808	----a-w-	c:\windows\SysWow64\deployJava1.dll
2012-04-18 04:53 . 2012-04-18 04:53	--------	d-----w-	c:\program files (x86)\Java
2012-04-17 14:59 . 2012-04-20 03:38	--------	d-----w-	c:\programdata\regid.1986-12.com.adobe
2012-04-17 14:38 . 2012-04-20 03:16	--------	d-----w-	c:\program files\Common Files\Adobe
2012-04-17 14:38 . 2012-04-17 14:38	--------	d-----w-	c:\program files (x86)\Adobe Media Player
2012-04-17 14:36 . 2012-04-20 03:01	--------	d-----w-	c:\program files (x86)\Common Files\Adobe AIR
2012-04-17 14:29 . 2012-04-17 14:29	--------	d-----w-	c:\windows\system32\drivers\etc\backup
2012-04-16 04:13 . 2009-09-05 00:29	1974616	----a-w-	c:\windows\SysWow64\D3DCompiler_42.dll
2012-04-16 04:12 . 2007-04-05 01:55	403304	----a-w-	c:\windows\system32\xactengine2_7.dll
2012-04-16 02:25 . 2008-06-20 01:16	49160	----a-w-	c:\windows\system32\infocardcpl.cpl
2012-04-16 02:25 . 2008-06-20 01:14	37384	----a-w-	c:\windows\SysWow64\infocardcpl.cpl
2012-04-16 02:25 . 2008-06-20 01:16	11264	----a-w-	c:\windows\system32\icardres.dll
2012-04-16 02:25 . 2008-06-20 01:14	11264	----a-w-	c:\windows\SysWow64\icardres.dll
2012-04-16 02:25 . 2008-06-20 01:17	1168928	----a-w-	c:\windows\system32\PresentationNative_v0300.dll
2012-04-16 02:25 . 2008-06-20 01:16	167432	----a-w-	c:\windows\system32\infocardapi.dll
2012-04-16 02:25 . 2008-06-20 01:14	781344	----a-w-	c:\windows\SysWow64\PresentationNative_v0300.dll
2012-04-16 02:25 . 2008-06-20 01:14	97800	----a-w-	c:\windows\SysWow64\infocardapi.dll
2012-04-16 02:25 . 2008-06-20 01:16	1383936	----a-w-	c:\windows\system32\icardagt.exe
2012-04-16 02:25 . 2008-06-20 01:14	622080	----a-w-	c:\windows\SysWow64\icardagt.exe
2012-04-16 02:25 . 2008-06-20 01:17	126520	----a-w-	c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2012-04-16 02:25 . 2008-06-20 01:14	105016	----a-w-	c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2012-04-16 02:12 . 2008-07-27 18:03	158720	----a-w-	c:\windows\SysWow64\mscorier.dll
2012-04-16 02:12 . 2008-07-27 18:01	158208	----a-w-	c:\windows\system32\mscorier.dll
2012-04-16 02:12 . 2008-07-27 18:01	76288	----a-w-	c:\windows\system32\mscories.dll
2012-04-16 02:12 . 2008-07-27 18:03	83968	----a-w-	c:\windows\SysWow64\mscories.dll
2012-04-16 01:58 . 2009-10-09 21:36	53760	----a-w-	c:\windows\system32\pwrshplugin.dll
2012-04-16 01:47 . 2012-04-16 04:11	--------	d--h--w-	c:\windows\msdownld.tmp
2012-04-14 20:27 . 2011-09-16 23:05	11137024	----a-w-	c:\windows\SysWow64\libmfxsw32.dll
2012-04-14 20:27 . 2012-04-14 20:28	--------	d-----w-	c:\program files (x86)\Common Files\AVSMedia
2012-04-14 20:27 . 2011-08-22 23:33	1700352	----a-w-	c:\windows\SysWow64\GdiPlus.dll
2012-04-14 20:27 . 2012-04-14 20:32	--------	d-----w-	c:\programdata\AVS4YOU
2012-04-14 20:27 . 2012-04-14 20:28	--------	d-----w-	c:\program files (x86)\AVS4YOU
2012-04-14 10:07 . 2012-04-14 10:07	--------	d-----w-	c:\users\Default\AppData\Local\Microsoft Help
2012-04-13 16:39 . 2012-04-13 16:39	--------	d-----w-	c:\program files (x86)\NirSoft
2012-04-13 09:57 . 2012-04-13 09:57	--------	d-----w-	c:\programdata\Ask
2012-04-13 07:27 . 2012-04-13 07:27	--------	d-----w-	c:\program files (x86)\ooVoo
2012-04-13 03:41 . 2012-04-13 16:35	--------	d-----w-	c:\program files (x86)\Spybot - Search & Destroy
2012-04-13 03:41 . 2012-04-13 04:07	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2012-04-13 01:15 . 2012-04-13 01:15	--------	d-----w-	c:\programdata\Nexon
2012-04-12 11:19 . 2012-04-19 10:10	--------	d-----w-	c:\program files (x86)\Ultrasurf
2012-04-12 10:54 . 2012-04-20 07:30	--------	d-----w-	c:\users\Public\CyberLink
2012-04-12 10:53 . 2012-04-12 10:53	--------	d---a-w-	c:\program files (x86)\dolphin-2.0.win32
2012-04-12 06:01 . 2009-07-14 18:31	2560	----a-w-	c:\windows\system32\drivers\en-US\wdf01000.sys.mui
2012-04-12 06:01 . 2009-07-14 18:18	654928	----a-w-	c:\windows\system32\drivers\Wdf01000.sys
2012-04-12 06:01 . 2009-07-14 18:18	42064	----a-w-	c:\windows\system32\drivers\WdfLdr.sys
2012-04-12 05:58 . 2011-11-11 01:32	115272	----a-w-	c:\windows\system32\drivers\MijXfilt.sys
2012-04-12 05:58 . 2010-08-20 02:24	74960	----a-w-	c:\windows\system32\drivers\xusb21.sys
2012-04-12 05:58 . 2010-08-20 02:24	1721576	----a-w-	c:\windows\system32\WdfCoInstaller01009.dll
2012-04-12 04:25 . 2008-07-31 17:41	68616	----a-w-	c:\windows\SysWow64\XAPOFX1_1.dll
2012-04-12 04:25 . 2008-07-31 17:40	509448	----a-w-	c:\windows\SysWow64\XAudio2_2.dll
2012-04-12 04:25 . 2008-07-12 15:18	467984	----a-w-	c:\windows\SysWow64\d3dx10_39.dll
2012-04-12 04:25 . 2008-07-12 15:18	1493528	----a-w-	c:\windows\SysWow64\D3DCompiler_39.dll
2012-04-12 04:25 . 2008-07-12 15:18	3851784	----a-w-	c:\windows\SysWow64\D3DX9_39.dll
2012-04-12 04:16 . 2012-04-12 04:16	--------	d-----w-	C:\Riot Games
2012-04-12 04:04 . 2010-02-20 23:44	32768	----a-w-	c:\windows\system32\nshhttp.dll
2012-04-12 04:04 . 2010-02-20 23:39	24064	----a-w-	c:\windows\SysWow64\nshhttp.dll
2012-04-12 04:04 . 2010-02-20 23:42	33792	----a-w-	c:\windows\system32\httpapi.dll
2012-04-12 04:04 . 2010-02-20 23:37	31232	----a-w-	c:\windows\SysWow64\httpapi.dll
2012-04-12 04:04 . 2010-02-20 21:40	610304	----a-w-	c:\windows\system32\drivers\http.sys
2012-04-12 04:02 . 2010-04-14 18:33	101376	----a-w-	c:\windows\system32\MSNP.ax
2012-04-12 04:02 . 2010-04-14 17:46	80896	----a-w-	c:\windows\SysWow64\MSNP.ax
2012-04-12 04:02 . 2010-04-14 18:35	375808	----a-w-	c:\windows\system32\psisdecd.dll
2012-04-12 04:02 . 2010-04-14 17:47	293376	----a-w-	c:\windows\SysWow64\psisdecd.dll
2012-04-12 04:02 . 2010-04-14 17:47	217088	----a-w-	c:\windows\SysWow64\psisrndr.ax
2012-04-12 04:02 . 2010-04-14 18:35	289792	----a-w-	c:\windows\system32\psisrndr.ax
2012-04-12 03:07 . 2012-04-12 03:07	--------	d-----w-	c:\program files (x86)\Sol Edit
2012-04-12 02:22 . 2010-09-06 16:24	9728	----a-w-	c:\windows\SysWow64\sscore.dll
2012-04-12 02:22 . 2010-09-06 15:59	179712	----a-w-	c:\windows\system32\srvsvc.dll
2012-04-12 02:22 . 2010-09-06 15:59	12288	----a-w-	c:\windows\system32\sscore.dll
2012-04-12 02:22 . 2010-09-06 15:57	17920	----a-w-	c:\windows\system32\netevent.dll
2012-04-12 02:22 . 2010-09-06 16:23	17920	----a-w-	c:\windows\SysWow64\netevent.dll
2012-04-12 01:47 . 2009-11-03 22:42	28160	----a-w-	c:\windows\system32\drivers\en-US\http.sys.mui
2012-04-12 01:28 . 2009-08-24 12:24	442368	----a-w-	c:\windows\system32\winhttp.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-22 10:34 . 2012-02-22 10:34	28160	----a-w-	c:\windows\system32\drivers\mcaudrv_x64.sys
2012-02-07 18:02 . 2012-02-07 18:02	1070352	----a-w-	c:\windows\SysWow64\MSCOMCTL.OCX
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-04-12 07:22	1869152	----a-w-	c:\program files (x86)\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2012-02-19 21:46	1337648	----a-r-	c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-04-12 1869152]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2008-01-21 2153472]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-29 17148552]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-01-05 1305408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2009-02-19 866824]
"RemoteControl8"="c:\program files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-10-17 91432]
"PDVD8LanguageShortcut"="c:\program files (x86)\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2008-07-19 104936]
"vProt"="c:\program files (x86)\AVG Secure Search\vprot.exe" [2012-04-12 982880]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"AdobeCS5.5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 1523360]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-06 421888]
"Sweetpacks Communicator"="c:\program files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe" [2012-02-26 295728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute	REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-20 253088]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58abe96c-8a99-11e1-9a89-001f169b632d}]
\shell\AutoRun\command - f:\support\autorun\autorun.exe
\shell\help\command - winhelp kg98.hlp
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-19 03:37]
.
2012-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1901032071-31100457-1324806887-1000Core.job
- c:\users\GATEWAY\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-11 05:09]
.
2012-04-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1901032071-31100457-1324806887-1000UA.job
- c:\users\GATEWAY\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-11 05:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cAudioFilterAgent"="c:\program files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe" [2008-11-06 492600]
"Acer ePower Management"="c:\program files\Gateway\Gateway PowerSave Solution\ePowerTrayLauncher.exe" [2009-04-07 437280]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-16 499608]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-10-13 162584]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-10-13 386840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-10-13 417560]
"adblock pro"="c:\program files\Adblock Pro\abpmain.exe" [2010-06-30 602112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://home.sweetim.com
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = local
IE: &Block This Image (ABP) - c:\program files\Adblock Pro\blockimg.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 64.114.86.1
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\GATEWAY\AppData\Roaming\Mozilla\Firefox\Profiles\0qo1mwzy.default\
FF - prefs.js: browser.search.selectedEngine - SweetIM Search
FF - prefs.js: browser.startup.homepage - hxxp://home.sweetim.com
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bdb09d4f6-a775-468d-98fa-9b6102ed31e3%7D&mid=1ea5b1dab5a347d0b465d156507f8ade-bfd3de42040c21aeb6b508187ba0dd48f6bf07ed&ds=AVG&v=10.2.0.3&lang=en&pr=pr&d=2012-04-11%2016%3A03%3A48&sap=ku&q=
FF - prefs.js: browser.search.defaulturl - 
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Yontoo: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files (x86)\AVG\AVG2012\Firefox4
FF - Ext: AVG Security Toolbar: [email protected] - c:\programdata\AVG Secure Search\10.2.0.3
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: extentions.y2layers.installId - 57085eaa-8c4d-45b0-8d2d-dfacb62bce89
FF - user.js: extentions.y2layers.defaultEnableAppsList - bestvideodownloader,ezLooker,pagerage,buzzdock,toprelatedtopics,twittube
FF - user.js: extensions.autoDisableScopes - 14
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Notify-igfxcui - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-PLFSetI - c:\program files (x86)\PLFSetI.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\AVG\AVG2012\avgfws.exe
c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
c:\program files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
c:\program files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe
c:\users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
c:\users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
c:\users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
c:\users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
c:\users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
c:\users\GATEWAY\AppData\Local\Google\Chrome\Application\chrome.exe
.
**************************************************************************
.
Completion time: 2012-04-23 02:19:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-23 09:19
.
Pre-Run: 206,790,619,136 bytes free
Post-Run: 207,532,257,280 bytes free
.
- - End Of File - - E75459618AE9515DEA598F6E6A542FEA

*and here's a list of the SmitfraudFix*

SmitFraudFix v2.424

Scan done at 2:50:43.95, 23/04/2012
Run from C:\Users\GATEWAY\Downloads\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\AVG\AVG2012\avgfws.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Gateway\Gateway PowerSave Solution\ePowerSvc.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe
C:\Program Files\Gateway\Gateway PowerSave Solution\ePowerTray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Gateway\Gateway PowerSave Solution\ePowerEvent.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Windows\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\GATEWAY

»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\GATEWAY\AppData\Local\Temp

»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\GATEWAY\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\Users\GATEWAY\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"RequireSignedAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

»»»»»»»»»»»»»»»»»»»»»»»» RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) WiFi Link 5100 AGN
DNS Server Search Order: 64.114.86.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3737B8BC-79A9-4675-8134-36166EC51DB9}: DhcpNameServer=64.114.86.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3737B8BC-79A9-4675-8134-36166EC51DB9}: DhcpNameServer=64.114.86.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=64.114.86.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=64.114.86.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## craig brian (Feb 12, 2008)

bump


----------



## craig brian (Feb 12, 2008)

Bump


----------



## craig brian (Feb 12, 2008)

I ran Combofix on 
-------- 2012-04-23 - 01:56:50 -------------


-------- 2012-04-25 - 00:06:16 -------------

and the second time I ran it, it found userinit.exe is infected

I have attached the screenshot and the log below


----------



## craig brian (Feb 12, 2008)

BUMP, somebody please help me


----------



## craig brian (Feb 12, 2008)

Now the Intel(R) 4 Series Chipset Graphics Card is malfunctioning

videos aren't loading and I KNOW IT'S NOT the codecs

I have tried un-installing it and reinstalling it twice now. The computer is fully updated.

and it was working fine about a week ago.


This is becoming a VERY big pain.


----------



## craig brian (Feb 12, 2008)

I posted this on April 23, 2012

*474 PEOPLE have viewed it* but none of the admins have answered it.


----------



## craig brian (Feb 12, 2008)

AM I REALLY the only one having these problems?

After running Combofix a second time it seems the computer is acting normal, but I want to make sure this post stays open for other people that might have this happen to them.


----------



## craig brian (Feb 12, 2008)

OK this is STILL HAPPENING!!!! and I don't have AVG installed any more I have "Microsoft Security Essentials"

I don't understand, I reformatted the computer AGAIN!!! and it still is happening

Why does it do this? I'm no noob, I know how computers work, but I can't figure out what's causing this
I started to think it was the DEP "Data Execution Prevention" in the computer but I ruled that out.

and NO ONE IS helping me with this.


NOTE: one thing I notice is that it seems only the NEW programs I install the EXE files get deleted. but IF I reinstall or repair it the file doesn't get deleted again

but it's only certain files, like files that are APPROVED by Microsoft don't get deleted.


----------



## craig brian (Feb 12, 2008)

Bump


----------



## craig brian (Feb 12, 2008)

Bump


----------



## craig brian (Feb 12, 2008)

OK NOW a program I use EVERYDAY WAS DELETED. After I shut off the Gateway NV58 Laptop, when I booted it four hours later Google Chrome was gone

chrome.exe was deleted. I checked the virus vault, I even used a restoration program to find it and it didn't appear.

SOMETHING on this computer is deleting certain .exe files.

Someone please help, I need some input


----------



## craig brian (Feb 12, 2008)

B . U. M. P


----------



## craig brian (Feb 12, 2008)

B.u.m.p


----------



## craig brian (Feb 12, 2008)

B . U . M . P


----------



## craig brian (Feb 12, 2008)

bump


----------



## craig brian (Feb 12, 2008)

It deleted "C:\Program Files (x86)\Course Vector\minerva\minerva.exe" TWICE then stopped


I'm starting to think this Windows Vista is FAULTY, it is Service Pack 1 even though I updated it to Service Pack 2. I've been thinking this since I formatted the hard drive FOUR TIMES


anyone have any pointers BESIDES getting Windows 7? I'm already working on that.


----------

