TechSpot

Google redirect removal

By atan1
Dec 18, 2011
  1. Hi,
    I've been infected with the Google Redirect Malware/Virus/Spyware thing.
    I wasn't able to find a neat solution till I found this forum. I read the posts on this forum about the similar problems. I tried FixTDDS, MBRCheck, aswMBR, and comboFix. So far, none of them either found anything or they failed to remove the main cause.

    So here is my HJT log:



    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 2:52:05 PM, on 18/12/2011
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16421)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Skype\Phone\Skype.exe
    C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files (x86)\Internet Explorer\IELowutil.exe
    C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat.exe
    C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: Groove GFS Browser Helper - {148E13C6-531D-0366-6B11-78116A474C57} - C:\Windows\SysWow64\KBDRROPR.DLL
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Microsoft Web Test Recorder 10.0 Helper - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.kccsoft.com/authorware_web_files/awswaxd.cab
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworksevents.webex.com/client/T27L10NSP21EP5/event/ieatgpc1.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    O23 - Service: AMD Reservation Manager - Advanced Micro Devices - C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 8616 bytes


    Attached is a screenshot of MS Security Essentials' history:


    Any suggestions on how to get rid of this bummer?
    I appreciate your help in advance.
     

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot. Regarding this:
    None of what you ran should have been done yourself without instruction from a helper. It appears that you did not read the sticky above the forum that cautions you about using help meant for someone else, about not using Combofix unless a helper instructs you to do so. You ran program that were not appropriate, then say they did not remove 'the main cause.' Do you know what the main cause is? What?

    You describe 'similar problems' but don't give us any description other that a 'redirect'. There is no one cause for this. And we do not use HijackThis to screen for malware..
    ---------------------------------------------
    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ======================================
    Please give me a description of your 'similar problems.'
    ======================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
    =====================================
     
  3. atan1

    atan1 TS Rookie Topic Starter

    Thank you very much Bobbye for your quick response.
    Based on the search I've done so far, I came to this conclusion that the trojan Win32/Bamital is the "cause".
    It all started when I downloaded a file which was supposed to be a legit file. I was using Safari, but as soon as the download started MS Security Essentials warned me that the file is infected with Win32/Bamital, and removed it instantly. So the file download was aborted, too!
    Soon after that, I saw abnormal behavior in IE: whenever I searched. Most of the times when I searched something, either on Bing or Google, and clicked on the results, I was redirected to random bogus sites.
    I’ve only had this issue with IE, while Safari, my 2nd browser, is intact.
    Thanks again for your recommendations. I followed the 5-sptep Instructions and here are the results:
    GMER scanned the entire computer (internet was disconnected, AV was disabled) and did not find anything. I saved the log, but the log is empty, 0 bytes. Do I need to run it again in Safe Mode?

    MBAM Log:
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8393

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8112.16421

    18/12/2011 5:09:36 PM
    mbam-log-2011-12-18 (17-09-36).txt

    Scan type: Quick scan
    Objects scanned: 192352
    Time elapsed: 5 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    DDS.txt Log:
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 9.0.8112.16421
    Run by Atan at 18:31:32 on 2011-12-18
    Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.3819.2348 [GMT -5:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\system32\atiesrxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\atieclxx.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    C:\PROGRAM FILES (X86)\UPS\WSTD\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\svchost.exe -k SDRSVC
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Program Files (x86)\Safari\Safari.exe
    C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = about:blank
    uURLSearchHooks: H - No File
    BHO: Groove GFS Browser Helper: {148e13c6-531d-0366-6b11-78116a474c57} - C:\Windows\SysWow64\KBDRROPR.DLL
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: Microsoft Web Test Recorder 10.0 Helper: {dda57003-0068-4ed2-9d32-4d1ec707d94d} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRunOnce: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
    DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://www.kccsoft.com/authorware_web_files/awswaxd.cab
    DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://mathworksevents.webex.com/client/T27L10NSP21EP5/event/ieatgpc1.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{6D2CB2C0-6A17-4411-A2AC-F3F52A276781} : DhcpNameServer = 64.71.255.198 64.71.255.253
    TCP: Interfaces\{D604600F-0716-4BCD-A51E-00C7D536413C} : DhcpNameServer = 134.117.9.3 134.117.9.82
    TCP: Interfaces\{EF203C59-6C52-4694-89A5-FF1EB4B7B590} : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{EF203C59-6C52-4694-89A5-FF1EB4B7B590}\3455D275962756C6563737 : DhcpNameServer = 134.117.3.102 134.117.3.103 134.117.242.41
    TCP: Interfaces\{EF203C59-6C52-4694-89A5-FF1EB4B7B590}\3455D294E6475627E65647 : DhcpNameServer = 134.117.1.11 134.117.242.35 134.117.1.1
    TCP: Interfaces\{EF203C59-6C52-4694-89A5-FF1EB4B7B590}\65C43594F543132343 : DhcpNameServer = 134.117.38.14 134.117.38.50 134.117.9.42
    TCP: Interfaces\{EF203C59-6C52-4694-89A5-FF1EB4B7B590}\65C43594F543133353 : DhcpNameServer = 134.117.38.14 134.117.38.50 134.117.9.42
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO-X64: Groove GFS Browser Helper: {148E13C6-531D-0366-6B11-78116A474C57} - C:\Windows\SysWow64\KBDRROPR.DLL
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    BHO-X64: Increase performance and video formats for your HTML5 <video> - No File
    BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: Microsoft Web Test Recorder 10.0 Helper: {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
    BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    BHO-X64: SmartSelect - No File
    TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRunOnce-x64: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
    R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-1-26 354304]
    R2 AMD Reservation Manager;AMD Reservation Manager;C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-6-17 194496]
    R2 MSSQL$UPSWSDBSERVER;SQL Server (UPSWSDBSERVER);C:\Program Files (x86)\UPS\WSTD\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
    R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
    R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
    R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
    R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
    R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;C:\Windows\system32\DRIVERS\L1C60x64.sys --> C:\Windows\system32\DRIVERS\L1C60x64.sys [?]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 Netaapl;Apple Mobile Device Ethernet Service;C:\Windows\system32\DRIVERS\netaapl64.sys --> C:\Windows\system32\DRIVERS\netaapl64.sys [?]
    S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-1-18 68440]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
    S4 RsFx0105;RsFx0105 Driver;C:\Windows\system32\DRIVERS\RsFx0105.sys --> C:\Windows\system32\DRIVERS\RsFx0105.sys [?]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-9-22 431464]
    .
    =============== Created Last 30 ================
    .
    2011-12-18 23:25:26 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{31F7E750-5CF0-46CB-A336-A0ED5C2983F9}\offreg.dll
    2011-12-18 23:25:22 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{31F7E750-5CF0-46CB-A336-A0ED5C2983F9}\mpengine.dll
    2011-12-18 06:24:25 -------- d-----w- C:\Program Files\iPod
    2011-12-18 06:24:22 -------- d-----w- C:\Program Files\iTunes
    2011-12-16 06:32:54 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-12-15 06:47:15 -------- d-----w- C:\Users\Atan\AppData\Roaming\Malwarebytes
    2011-12-15 06:47:00 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-12-15 06:46:49 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-12-15 06:46:49 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-12-14 14:29:57 887296 ----a-w- C:\Program Files\Internet Explorer\iedvtool.dll
    2011-12-14 14:29:57 678912 ----a-w- C:\Program Files (x86)\Internet Explorer\iedvtool.dll
    2011-12-14 14:25:25 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
    2011-12-14 14:23:02 43520 ----a-w- C:\Windows\System32\csrsrv.dll
    2011-12-14 14:22:58 3145216 ----a-w- C:\Windows\System32\win32k.sys
    2011-12-14 14:22:21 723456 ----a-w- C:\Windows\System32\EncDec.dll
    2011-12-14 14:22:21 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
    2011-12-14 14:22:10 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2011-12-14 14:22:10 2048 ----a-w- C:\Windows\System32\tzres.dll
    2011-12-12 06:25:07 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
    2011-12-12 06:25:07 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
    2011-12-11 03:01:51 -------- d-----w- C:\Users\Atan\AppData\Local\DDMSettings
    2011-12-06 19:01:23 -------- d-----w- C:\ProgramData\Rockwell Automation
    2011-12-06 19:00:30 -------- d-----w- C:\Program Files (x86)\Rockwell Software
    2011-12-06 04:20:33 -------- d-----w- C:\Windows\SysWow64\3002
    2011-11-29 07:38:31 -------- d-----w- C:\Program Files\Common Files\Wolfram Research
    2011-11-29 07:38:29 -------- d-----w- C:\Program Files (x86)\Common Files\Wolfram Research
    2011-11-29 07:38:29 -------- d-----w- C:\Program Files (x86)\Common Files\ResearchSoft
    2011-11-29 07:20:47 -------- d-----w- C:\Program Files\Wolfram Research
    2011-11-29 05:52:18 -------- d-----w- C:\Windows\SysWow64\3037
    2011-11-29 05:23:57 -------- d-----w- C:\Users\Atan\AppData\Local\Mathematica
    2011-11-29 05:23:56 -------- d-----w- C:\Users\Atan\AppData\Roaming\Mathematica
    2011-11-28 23:50:28 -------- d-----w- C:\ProgramData\Mathematica
    2011-11-28 21:44:05 -------- d-----w- C:\Users\Atan\AppData\Roaming\Maple
    2011-11-28 21:33:17 -------- d-----w- C:\Users\Atan\.maplesoft
    2011-11-28 21:13:10 20480 ----a-w- C:\Windows\SysWow64\maplecompat.dll
    2011-11-28 21:13:09 31744 ----a-w- C:\Windows\SysWow64\maplec.dll
    2011-11-28 21:13:09 212992 ----a-w- C:\Windows\SysWow64\WMIMPLEX.dll
    2011-11-28 21:12:45 -------- d-----w- C:\watcom-1.3
    2011-11-28 20:57:17 -------- d--h--w- C:\Program Files (x86)\Zero G Registry
    2011-11-28 20:57:17 -------- d-----w- C:\Program Files (x86)\Maple 15
    2011-11-28 20:51:24 -------- d--h--w- C:\Users\Atan\InstallAnywhere
    .
    ==================== Find3M ====================
    .
    2011-12-10 07:29:54 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-04 01:53:39 2309120 ----a-w- C:\Windows\System32\jscript9.dll
    2011-11-04 01:44:47 1390080 ----a-w- C:\Windows\System32\wininet.dll
    2011-11-04 01:44:21 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
    2011-11-04 01:34:43 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-11-03 22:47:42 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
    2011-11-03 22:40:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2011-11-03 22:39:47 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-11-03 22:31:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-10-24 19:29:02 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
    2011-10-24 19:29:02 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
    2011-10-20 23:26:22 94208 ----a-w- C:\Windows\SysWow64\dpl100.dll
    2011-10-06 23:54:18 453648 ----a-w- C:\Windows\System32\mltcpip64.mlp
    2011-10-06 23:54:16 103440 ----a-w- C:\Windows\System32\mltcp64.mlp
    2011-10-06 23:54:14 99344 ----a-w- C:\Windows\System32\mlshm64.mlp
    2011-10-06 23:54:12 193040 ----a-w- C:\Windows\System32\mlmodule64.dll
    2011-10-06 23:54:10 436752 ----a-w- C:\Windows\System32\ml64i3.dll
    2011-10-06 23:54:08 302608 ----a-w- C:\Windows\System32\ml64i2.dll
    2011-10-06 23:27:48 334352 ----a-w- C:\Windows\SysWow64\mltcpip32.mlp
    2011-10-06 23:27:46 93712 ----a-w- C:\Windows\SysWow64\mltcp32.mlp
    2011-10-06 23:27:44 88080 ----a-w- C:\Windows\SysWow64\mlshm32.mlp
    2011-10-06 23:27:42 163344 ----a-w- C:\Windows\SysWow64\mlmodule32.dll
    2011-10-06 23:27:40 79376 ----a-w- C:\Windows\SysWow64\mlmap32.mlp
    2011-10-06 23:27:38 370704 ----a-w- C:\Windows\SysWow64\ml32i3.dll
    2011-10-06 23:27:36 260112 ----a-w- C:\Windows\SysWow64\ml32i2.dll
    2011-10-06 23:27:34 253968 ----a-w- C:\Windows\SysWow64\ml32i1.dll
    2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2011-09-23 01:07:34 105832 ----a-w- C:\Windows\System32\SQSRVRES.DLL
    2011-09-23 01:06:04 3171176 ----a-w- C:\Windows\System32\sqlncli10.dll
    2011-09-23 01:06:04 109416 ----a-w- C:\Windows\System32\perf-MSSQL$SQLEXPRESS-sqlctr10.3.5500.0.dll
    2011-09-23 01:01:54 312168 ----a-w- C:\Windows\System32\drivers\RsFx0104.sys
    2011-09-23 01:01:54 311144 ----a-w- C:\Windows\System32\drivers\RsFx0105.sys
    2011-09-23 00:09:36 42344 ----a-w- C:\Windows\System32\DTSPipelinePerf100.dll
    2011-09-22 21:18:58 73064 ----a-w- C:\Windows\SysWow64\perf-MSSQL$SQLEXPRESS-sqlctr10.3.5500.0.dll
    2011-09-22 21:18:58 2570088 ----a-w- C:\Windows\SysWow64\sqlncli10.dll
    .
    ============= FINISH: 18:32:56.26 ===============


    Attach.txt Log:

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 02/02/2011 11:13:05 AM
    System Uptime: 18/12/2011 4:47:27 PM (2 hours ago)
    .
    Motherboard: Acer | | Aspire One 522
    Processor: AMD C-50 Processor | Socket FT1 | 1000/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 120 GiB total, 54.025 GiB free.
    D: is FIXED (NTFS) - 99 GiB total, 83.418 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP208: 15/12/2011 2:50:28 PM - Removed RSLogix 500 English 8.10.00 (CPR 9).
    RP209: 15/12/2011 11:14:31 PM - Installed HiJackThis
    RP210: 17/12/2011 4:52:18 PM - Windows Update
    RP211: 18/12/2011 4:44:25 PM - Removed HiJackThis
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    Adobe Acrobat X Pro - English, Français, Deutsch
    Adobe AIR
    Adobe Flash Player 11 Plugin
    Apple Application Support
    Apple Software Update
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    CCC
    ccc-core-static
    CCC Help English
    Crystal Reports for Visual Studio
    Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    DivX Setup
    Dotfuscator Software Services - Community Edition
    FileZilla Client 3.5.2
    FormsComponent
    FOSS
    Freeciv 2.3.0 (GTK+ client)
    Google Calendar Sync
    Google Talk (remove only)
    Google Talk Plugin
    Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB2522890)
    Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB2529927)
    Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB2548139)
    Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB2549864)
    Hotfix for Microsoft Visual Studio 2010 Ultimate - ENU (KB2565057)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2280741)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2284668)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2295689)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2420513)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2452649)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2455033)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB2485545)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982517)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB982721)
    Hotfix for Visual C++ Standard 2010 Beta 1 - ENU (KB983233)
    ICCHelp
    Java Auto Updater
    Java(TM) 6 Update 26
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Maple 15 (32-bit)
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft ASP.NET MVC 2
    Microsoft ASP.NET MVC 2 - Visual Studio 2010 Tools
    Microsoft Expression Blend 3
    Microsoft Expression Blend 3 SDK
    Microsoft Expression Design 3
    Microsoft Expression Encoder 3
    Microsoft Expression Studio 3
    Microsoft Expression Web 3
    Microsoft Expression Web 3 SP1
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office 2010 Language Pack Service Pack 1 (SP1)
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access 2007
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote 2010
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Project MUI (English) 2010
    Microsoft Office Project Professional 2010
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing (English) 2010
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office SharePoint Designer 2010
    Microsoft Office SharePoint Designer MUI (English) 2010
    Microsoft Office Visio 2010
    Microsoft Office Visio MUI (English) 2010
    Microsoft Office Word MUI (English) 2007
    Microsoft OneNote 2010
    Microsoft Project 2010 Service Pack 1 (SP1)
    Microsoft Project Professional 2010
    Microsoft SharePoint Designer 2010
    Microsoft SharePoint Designer 2010 Service Pack 1 (SP1)
    Microsoft Silverlight
    Microsoft Silverlight 3 SDK
    Microsoft Silverlight 4 SDK
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (UPSWSDBSERVER)
    Microsoft SQL Server 2008 Browser
    Microsoft SQL Server 2008 R2 Data-Tier Application Framework
    Microsoft SQL Server 2008 R2 Data-Tier Application Project
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server 2008 R2 Transact-SQL Language Service
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server Database Publishing Wizard 1.4
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server System CLR Types
    Microsoft Sync Framework SDK v1.0 SP1
    Microsoft Visio 2010 Service Pack 1 (SP1)
    Microsoft Visio Professional 2010
    Microsoft Visual C++ Compilers 2010 Standard - enu - x86
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Runtime - 10.0.40219
    Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
    Microsoft Visual Studio 2010 Service Pack 1
    Microsoft Visual Studio 2010 SharePoint Developer Tools
    Microsoft Visual Studio 2010 Ultimate - ENU
    Microsoft Visual Studio Macro Tools
    MiKTeX 2.9
    MSIChecker
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NA1Messenger
    NRF
    Origin 6.1
    PolicyManager
    QuickTime
    Reconciler
    ReportServer
    Safari
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
    Security Update for Microsoft Visio 2010 (KB2553374) 32-Bit Edition
    Skype™ 5.5
    SupportUtility
    System
    TexMakerX 2.1
    TweetDeck
    UnifiedPrinting
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553455) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft Office Access 2007 Help (KB963663)
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Infopath 2007 Help (KB963662)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Publisher 2007 Help (KB963667)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Outlook 2007 Junk Email Filter (KB2596560)
    UPS WorldShip
    UPSDB
    UPSICC
    UPSlinkHTTP
    UPSVC2008MM
    UPSVCMM
    VC80CRTRedist - 8.0.50727.6195
    Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
    VNC Free Edition 4.1.3
    WCF RIA Services V1.0 SP1
    WebEx
    WebHelp
    WinDjView 1.0.3
    Windows Live OneCare safety scanner
    WinSCP 4.3.5
    WorldShip
    WPF Toolkit June 2009 (Version 3.5.40619.1)
    Yahoo! Messenger
    .
    ==== Event Viewer Messages From Past Week ========
    .
    17/12/2011 4:05:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
    17/12/2011 3:51:01 PM, Error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.117.1215.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7903.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
    17/12/2011 3:51:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    17/12/2011 3:42:47 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    17/12/2011 3:41:19 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    17/12/2011 3:41:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    17/12/2011 3:41:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    17/12/2011 3:41:08 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    17/12/2011 3:41:08 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    17/12/2011 3:41:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    17/12/2011 3:40:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC DfsC discache MpFilter NetBIOS NetBT nsiproxy Psched rdbss spldr tdx vwififlt Wanarpv6 WfpLwf
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7001] - The Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    17/12/2011 3:40:47 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    17/12/2011 3:40:47 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    16/12/2011 2:28:03 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    16/12/2011 12:59:26 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    16/12/2011 1:51:42 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    16/12/2011 1:47:53 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the AMD FUEL Service service to connect.
    16/12/2011 1:47:53 AM, Error: Service Control Manager [7000] - The AMD FUEL Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    16/12/2011 1:31:27 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    16/12/2011 1:29:58 AM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    16/12/2011 1:15:14 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service VSS with arguments "" in order to run the server: {E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
    15/12/2011 2:02:27 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    15/12/2011 11:09:37 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.
    14/12/2011 9:38:06 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    14/12/2011 9:38:06 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    14/12/2011 3:23:54 PM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    14/12/2011 11:02:43 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    14/12/2011 10:59:42 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Dnscache service.
    14/12/2011 10:58:34 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
    14/12/2011 10:54:41 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AMD FUEL Service service.
    14/12/2011 10:31:42 AM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    .
    ==== End Of File ===========================


    Thank you very much again for your help.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm not seeing evidence of Win32/Bamital in these logs. It may have been removed. There are many causes of a redirect from search. Let's go ahead with the following and see if we can refine the cause:
    =================================
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop.
    • Double click combofix.exe and follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
      ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =====================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
      [​IMG]
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives/
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ==================================
    Please update Java >> Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    -------------------------
    There is malware in the Java cache due to the outdated Java version on the system:
    This should help with clearing the Java cache:
    1. Click Start, and then click Control Panel.
    [​IMG]
    2. Click Programs, and then click the Java icon.
    [​IMG]
    If you are using Windows 7 and your View by is set to either Large icons or Small icons, then click the Java icon.
    [​IMG]
    ------------------>[​IMG]
    3. Click the General tab> Temporary Internet Files section> click Settings.
    4. Click Delete Files.
    5. In the Delete Temporary Files window, select all the check boxes, and then click OK.
    6. Click OK to close the Temporary Files Settings window.
    7. Click OK to close the Java Control Panel window.
    Images courtesy AOL Help
    ===================================
    Please be sure none of the previous scans you ran before you came to TechSpot are running.

    Logs for Combofix and the Eset scan in next reply, please. There is no log for Java.
     
  5. atan1

    atan1 TS Rookie Topic Starter

    Thanks a lot Bobbye for the instructions.
    Here are the logs for CF and ETES:


    ComboFix 11-12-22.04 - Atan 22/12/2011 21:41:09.2.2 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.3819.2360 [GMT -5:00]
    Running from: c:\users\Atan\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-23 to 2011-12-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-23 02:54 . 2011-12-23 02:54 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0B98640-5357-47BE-9473-9D9C4419BED7}\offreg.dll
    2011-12-23 02:53 . 2011-12-23 02:53 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-23 02:29 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E0B98640-5357-47BE-9473-9D9C4419BED7}\mpengine.dll
    2011-12-18 21:06 . 2011-12-18 21:06 -------- d-----w- c:\windows\Sun
    2011-12-18 06:24 . 2011-12-18 06:24 -------- d-----w- c:\program files\iPod
    2011-12-18 06:24 . 2011-12-18 06:26 -------- d-----w- c:\program files\iTunes
    2011-12-15 06:47 . 2011-12-15 06:47 -------- d-----w- c:\users\Atan\AppData\Roaming\Malwarebytes
    2011-12-15 06:47 . 2011-12-15 06:47 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-15 06:46 . 2011-12-18 22:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-12-15 06:46 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-14 14:29 . 2011-11-04 01:48 887296 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
    2011-12-14 14:29 . 2011-11-03 22:42 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
    2011-12-14 14:25 . 2011-12-14 14:25 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
    2011-12-14 14:23 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-14 14:22 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 14:22 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 14:22 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-14 14:22 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-14 14:22 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-12 06:25 . 2011-12-18 21:43 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2011-12-12 06:25 . 2011-12-18 21:43 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-11 03:01 . 2011-12-11 03:01 -------- d-----w- c:\users\Atan\AppData\Local\DDMSettings
    2011-12-06 19:01 . 2011-12-06 19:01 -------- d-----w- c:\programdata\Rockwell Automation
    2011-12-06 19:00 . 2011-12-15 19:52 -------- d-----w- c:\program files (x86)\Rockwell Software
    2011-12-06 04:20 . 2011-12-06 04:20 -------- d-----w- c:\windows\SysWow64\3002
    2011-11-29 07:38 . 2011-11-29 07:38 -------- d-----w- c:\program files\Common Files\Wolfram Research
    2011-11-29 07:38 . 2011-11-29 07:38 -------- d-----w- c:\program files (x86)\Common Files\Wolfram Research
    2011-11-29 07:38 . 2011-11-29 07:38 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft
    2011-11-29 07:20 . 2011-11-29 07:20 -------- d-----w- c:\program files\Wolfram Research
    2011-11-29 05:52 . 2011-12-06 04:20 -------- d-----w- c:\windows\SysWow64\3037
    2011-11-29 05:23 . 2011-11-29 05:53 -------- d-----w- c:\users\Atan\AppData\Local\Mathematica
    2011-11-29 05:23 . 2011-11-29 05:23 -------- d-----w- c:\users\Atan\AppData\Roaming\Mathematica
    2011-11-28 23:50 . 2011-11-29 07:41 -------- d-----w- c:\programdata\Mathematica
    2011-11-28 21:44 . 2011-11-28 21:44 -------- d-----w- c:\users\Atan\AppData\Roaming\Maple
    2011-11-28 21:33 . 2011-12-17 16:23 -------- d-----w- c:\users\Atan\.maplesoft
    2011-11-28 21:13 . 2011-11-28 21:13 20480 ----a-w- c:\windows\SysWow64\maplecompat.dll
    2011-11-28 21:13 . 2011-11-28 21:13 212992 ----a-w- c:\windows\SysWow64\WMIMPLEX.dll
    2011-11-28 21:13 . 2011-11-28 21:13 31744 ----a-w- c:\windows\SysWow64\maplec.dll
    2011-11-28 21:12 . 2011-11-28 21:13 -------- d-----w- C:\watcom-1.3
    2011-11-28 20:57 . 2011-11-28 21:13 -------- d-----w- c:\program files (x86)\Maple 15
    2011-11-28 20:57 . 2011-11-28 20:57 -------- d--h--w- c:\program files (x86)\Zero G Registry
    2011-11-28 20:51 . 2011-11-28 20:51 -------- d--h--w- c:\users\Atan\InstallAnywhere
    2011-11-25 18:25 . 2011-11-25 18:25 -------- d-----w- c:\windows\system32\Macromed
    2011-11-24 02:59 . 2011-11-24 02:59 -------- d-----w- c:\users\Mcx1-Atan-NETBOOK
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 07:29 . 2011-05-25 09:59 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-21 11:40 . 2011-02-02 06:29 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-10-27 17:39 . 2011-05-28 22:03 1898720 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
    2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\SysWow64\dpl100.dll
    2011-10-11 03:05 . 2011-10-11 03:06 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C5678E7E-37CA-4FBE-9AAE-DB97CA73BCD1}\gapaengine.dll
    2011-09-29 16:29 . 2011-11-09 04:38 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{148E13C6-531D-0366-6B11-78116A474C57}]
    2009-07-14 01:11 98304 ----a-w- c:\windows\SysWOW64\KBDRROPR.DLL
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-01-18 68440]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
    R4 RsFx0105;RsFx0105 Driver;c:\windows\system32\DRIVERS\RsFx0105.sys [x]
    R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-09-23 431464]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-26 354304]
    S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
    S2 MSSQL$UPSWSDBSERVER;SQL Server (UPSWSDBSERVER);c:\program files (x86)\UPS\WSTD\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x64.sys [x]
    S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3050095744-1663821448-2816196953-1000Core.job
    - c:\users\Atan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
    .
    2011-12-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3050095744-1663821448-2816196953-1000UA.job
    - c:\users\Atan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.0.1
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-22 22:20:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-23 03:20
    .
    Pre-Run: 54,354,980,864 bytes free
    Post-Run: 53,818,216,448 bytes free
    .
    - - End Of File - - 9B2757B86E901EACEAF40746DC5B9AA5


    ----------------------------------------------------------------
    ETES LOG:

    C:\Windows\System32\ActioonCenter.dll Win32/BHO.ODP trojan
    C:\Windows\System32\ApppIdPolicyEngineApi.dll a variant of Win32/BHO.ODP trojan
    C:\Windows\System32\KBDRROPR.DLL a variant of Win32/BHO.ODP trojan
    C:\Windows\System32\NlsLexiicons0816.dll Win32/BHO.ODP trojan
    C:\Windows\SysWOW64\ActioonCenter.dll Win32/BHO.ODP trojan
    C:\Windows\SysWOW64\ApppIdPolicyEngineApi.dll a variant of Win32/BHO.ODP trojan
    C:\Windows\SysWOW64\KBDRROPR.DLL a variant of Win32/BHO.ODP trojan
    C:\Windows\SysWOW64\NlsLexiicons0816.dll Win32/BHO.ODP trojan
    Operating memory Win32/BHO.ODP trojan



    As instructed, I unchecked "Remove found threats", so none of these 9 threats were cleaned.

    ------------------------------------------------------
    As for Java, the option "Keep Temporary Internet Files on My Computer" was unchecked by default. So I guess when I tried to delete the files, there basically was nothing to delete. Is that all right?

    Thanks a lot for your help again.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Holiday Notice! I will not be working on the threads Sat. Dec. 24 or Sunday Dec. 25. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
    -----------------------------------------
    I see you also have an open thread for the same problem here: http://www.bleepingcomputer.com/forums/topic432791.html
    Please decide where you want to continue getting help and let the other forum. We do not like to tie up multiple malware helpers for the same person/problem.
    ==============================
    For the Eset entries:
    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Windows\System32\ActioonCenter.dll 
      C:\Windows\System32\ApppIdPolicyEngineApi.dll 
      C:\Windows\System32\KBDRROPR.DLL 
      C:\Windows\System32\NlsLexiicons0816.dll 
      C:\Windows\SysWOW64\ActioonCenter.dll 
      C:\Windows\SysWOW64\ApppIdPolicyEngineApi.dll 
      C:\Windows\SysWOW64\KBDRROPR.DLL 
      C:\Windows\SysWOW64\NlsLexiicons0816.dll 
      Operating memory Win32/BHO.ODP trojan
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ------------------------
    This Trojan, Win32/BHO.ODP trojan, which is what was on all of the Eset entries, is a Browser Helper Object component which penetrates the Internet browser in order to display advertising. The Trojan tracks user activity. It intercepts the addresses of open pages, and redirects them to a specific search portal.
    ===========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
    Code:
    File::
    FileLook::
    c:\windows\system32\csrsrv.dll
    DriLook::
    C:\Windows\SysWow64\3002
    C:\Windows\SysWow64\3037
    Folder::
    c:\windows\SysWow64\%APPDATA%
    ClearJavaCache::
    DDS::
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uStart Page = about:blank
    uURLSearchHooks: H - No File
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: SmartSelect - No File
    BHO-X64: Groove GFS Browser Helper: {148E13C6-531D-0366-6B11-78116A474C57} - C:\Windows\SysWow64\KBDRROPR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: SmartSelect - No File
    Registry::
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{148E13C6-531D-0366-6B11-78116A474C57}]
    
    Reboot::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    =============================
    I put 'clear cache' in the script just in case there are any files lurking there.
     
  7. atan1

    atan1 TS Rookie Topic Starter

    Thanks again Bobbye,
    First of all, happy holidays.

    Yes, I will notify them right away. I had forgotten that totally, thanks for reminding me.

    Here are the logs:

    OTM Log:


    All processes killed
    Error: Unable to interpret <Operating memory Win32/BHO.ODP trojan> in the current context!
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56466 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Atan
    ->Temp folder emptied: 17310278 bytes
    ->Temporary Internet Files folder emptied: 261937485 bytes
    ->Java cache emptied: 187701 bytes
    ->Apple Safari cache emptied: 160417792 bytes
    ->Flash cache emptied: 58589 bytes

    User: Mcx1-ATAN-NETBOOK
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56466 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 5604 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50333 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 420.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 12232011_214417

    Files moved on Reboot...
    C:\Users\Atan\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...




    -------------------------------------------------------------------------------
    CF Log:


    ComboFix 11-12-23.01 - Atan 23/12/2011 22:02:32.3.2 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.3819.2510 [GMT -5:00]
    Running from: c:\users\Atan\Desktop\ComboFix.exe
    Command switches used :: c:\users\Atan\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\SysWow64\%APPDATA%
    c:\windows\SysWow64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-24 to 2011-12-24 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-24 03:15 . 2011-12-24 03:15 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2EE5B709-76D4-4022-B5EB-BBA868BD55EB}\offreg.dll
    2011-12-24 03:14 . 2011-12-24 03:14 -------- d-----w- c:\users\Mcx1-Atan-NETBOOK\AppData\Local\temp
    2011-12-24 03:14 . 2011-12-24 03:14 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-24 02:56 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2EE5B709-76D4-4022-B5EB-BBA868BD55EB}\mpengine.dll
    2011-12-24 02:43 . 2011-12-24 02:43 -------- d-----w- C:\_OTM
    2011-12-23 16:18 . 2011-12-23 16:17 525544 ----a-w- c:\windows\system32\deployJava1.dll
    2011-12-23 16:17 . 2011-12-23 16:17 -------- d-----w- c:\program files\Java
    2011-12-23 03:31 . 2011-12-23 03:31 -------- d-----w- c:\program files (x86)\ESET
    2011-12-18 21:06 . 2011-12-18 21:06 -------- d-----w- c:\windows\Sun
    2011-12-18 06:24 . 2011-12-18 06:24 -------- d-----w- c:\program files\iPod
    2011-12-18 06:24 . 2011-12-18 06:26 -------- d-----w- c:\program files\iTunes
    2011-12-15 06:47 . 2011-12-15 06:47 -------- d-----w- c:\users\Atan\AppData\Roaming\Malwarebytes
    2011-12-15 06:47 . 2011-12-15 06:47 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-15 06:46 . 2011-12-18 22:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-12-15 06:46 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-14 14:29 . 2011-11-04 01:48 887296 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
    2011-12-14 14:29 . 2011-11-03 22:42 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
    2011-12-14 14:23 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-14 14:22 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 14:22 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 14:22 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-14 14:22 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-14 14:22 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-12 06:25 . 2011-12-18 21:43 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2011-12-12 06:25 . 2011-12-18 21:43 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-11 03:01 . 2011-12-11 03:01 -------- d-----w- c:\users\Atan\AppData\Local\DDMSettings
    2011-12-06 19:01 . 2011-12-06 19:01 -------- d-----w- c:\programdata\Rockwell Automation
    2011-12-06 19:00 . 2011-12-15 19:52 -------- d-----w- c:\program files (x86)\Rockwell Software
    2011-12-06 04:20 . 2011-12-06 04:20 -------- d-----w- c:\windows\SysWow64\3002
    2011-11-29 07:38 . 2011-11-29 07:38 -------- d-----w- c:\program files\Common Files\Wolfram Research
    2011-11-29 07:38 . 2011-11-29 07:38 -------- d-----w- c:\program files (x86)\Common Files\Wolfram Research
    2011-11-29 07:38 . 2011-11-29 07:38 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft
    2011-11-29 07:20 . 2011-11-29 07:20 -------- d-----w- c:\program files\Wolfram Research
    2011-11-29 05:52 . 2011-12-06 04:20 -------- d-----w- c:\windows\SysWow64\3037
    2011-11-29 05:23 . 2011-11-29 05:53 -------- d-----w- c:\users\Atan\AppData\Local\Mathematica
    2011-11-29 05:23 . 2011-11-29 05:23 -------- d-----w- c:\users\Atan\AppData\Roaming\Mathematica
    2011-11-28 23:50 . 2011-11-29 07:41 -------- d-----w- c:\programdata\Mathematica
    2011-11-28 21:44 . 2011-11-28 21:44 -------- d-----w- c:\users\Atan\AppData\Roaming\Maple
    2011-11-28 21:33 . 2011-12-17 16:23 -------- d-----w- c:\users\Atan\.maplesoft
    2011-11-28 21:13 . 2011-11-28 21:13 20480 ----a-w- c:\windows\SysWow64\maplecompat.dll
    2011-11-28 21:13 . 2011-11-28 21:13 212992 ----a-w- c:\windows\SysWow64\WMIMPLEX.dll
    2011-11-28 21:13 . 2011-11-28 21:13 31744 ----a-w- c:\windows\SysWow64\maplec.dll
    2011-11-28 21:12 . 2011-11-28 21:13 -------- d-----w- C:\watcom-1.3
    2011-11-28 20:57 . 2011-11-28 21:13 -------- d-----w- c:\program files (x86)\Maple 15
    2011-11-28 20:57 . 2011-11-28 20:57 -------- d--h--w- c:\program files (x86)\Zero G Registry
    2011-11-28 20:51 . 2011-11-28 20:51 -------- d--h--w- c:\users\Atan\InstallAnywhere
    2011-11-25 18:25 . 2011-11-25 18:25 -------- d-----w- c:\windows\system32\Macromed
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 07:29 . 2011-05-25 09:59 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-21 11:40 . 2011-02-02 06:29 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-10-27 17:39 . 2011-05-28 22:03 1898720 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
    2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\SysWow64\dpl100.dll
    2011-10-11 03:05 . 2011-10-11 03:06 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C5678E7E-37CA-4FBE-9AAE-DB97CA73BCD1}\gapaengine.dll
    2011-09-29 16:29 . 2011-11-09 04:38 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\system32\csrsrv.dll ---
    Company: Microsoft Corporation
    File Description: Client Server Runtime Process
    File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
    Product Name: Microsoft® Windows® Operating System
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: CSRSrv.DLL.MUI
    File size: 43520
    Created time: 2011-12-14 14:23
    Modified time: 2011-10-26 05:21
    MD5: 96F587CA26A6AA894BD8CACE4540CFFC
    SHA1: E72476539EAC5FFFFDE1C5B450A8CA193C4CD1BC
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-23_03.11.51 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-02 17:11 . 2011-12-23 03:25 39114 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2009-07-14 05:10 . 2011-12-22 05:12 43256 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2011-12-24 02:48 43256 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-02-02 16:53 . 2011-12-24 02:48 14232 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3050095744-1663821448-2816196953-1000_UserData.bin
    - 2011-02-02 16:15 . 2011-12-22 05:58 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-02-02 16:15 . 2011-12-23 03:30 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-07-14 04:54 . 2011-12-22 05:58 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2011-12-23 03:30 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-12-23 02:54 . 2011-12-23 02:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-24 03:15 . 2011-12-24 03:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-12-23 02:54 . 2011-12-23 02:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-12-24 03:15 . 2011-12-24 03:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-02-09 12:06 . 2011-12-24 02:38 307698 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
    + 2011-12-23 16:18 . 2011-12-23 16:17 190752 c:\windows\system32\javaws.exe
    + 2011-12-23 16:18 . 2011-12-23 16:17 172320 c:\windows\system32\javaw.exe
    + 2011-12-23 16:18 . 2011-12-23 16:17 172320 c:\windows\system32\java.exe
    - 2009-07-14 05:12 . 2011-12-22 05:58 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2009-07-14 05:12 . 2011-12-23 03:30 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-07-14 05:01 . 2011-12-23 02:53 364200 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2011-12-24 03:14 364200 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-12-23 16:16 . 2011-12-23 16:16 909312 c:\windows\Installer\2c52636.msi
    - 2011-02-02 17:05 . 2011-12-23 02:53 1626588 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3050095744-1663821448-2816196953-1000-8192.dat
    + 2011-02-02 17:05 . 2011-12-24 02:45 1626588 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3050095744-1663821448-2816196953-1000-8192.dat
    - 2011-02-02 17:05 . 2011-12-23 02:53 22464500 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3050095744-1663821448-2816196953-1000-4096.dat
    + 2011-02-02 17:05 . 2011-12-23 16:47 22464500 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3050095744-1663821448-2816196953-1000-4096.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-01-18 68440]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
    R4 RsFx0105;RsFx0105 Driver;c:\windows\system32\DRIVERS\RsFx0105.sys [x]
    R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-09-23 431464]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-26 354304]
    S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
    S2 MSSQL$UPSWSDBSERVER;SQL Server (UPSWSDBSERVER);c:\program files (x86)\UPS\WSTD\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x64.sys [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3050095744-1663821448-2816196953-1000Core.job
    - c:\users\Atan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
    .
    2011-12-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3050095744-1663821448-2816196953-1000UA.job
    - c:\users\Atan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = %SystemRoot%\system32\blank.htm
    mLocal Page = %SystemRoot%\system32\blank.htm
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 64.71.255.198
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{148E13C6-531D-0366-6B11-78116A474C57} - c:\windows\SysWow64\KBDRROPR.DLL
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-23 22:26:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-24 03:26
    ComboFix2.txt 2011-12-23 03:20
    .
    Pre-Run: 51,590,975,488 bytes free
    Post-Run: 51,039,735,808 bytes free
    .
    - - End Of File - - 07810FB1CFF015AF4F8DDE45E9EBA03E


    --------------------------------------------------

    I followed the instructions. I checked IE, and it seems it doesn't redirect any more. I see from the logs that the files have been removed. I don't understand the rest though. Do I need to run more scans to check?
    Seems like it was my Xmas gift. Thanks a lot!
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sounds like we're both having a nice holiday!

    Combofix looks good. I would like you to ask the owner if these pages have intentionally been set to display a blank page:
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = about:blank
    mLocal Page = c:\windows\SysWOW64\blank.htm

    If they have,no problem. But I suggest putting a link instead.

    Please also mention that this from OTM is a large amount: Total Files Cleaned = 420.00 mb
    Suggest more frequent maintenance to include deleting temporary internet files and Cookies, disc cleanup, defrag, check Add/Remove programs and uninstall programs not needed or not being used. Then use Windows Explorer to go to Programs and do q right click> delete on program folder.
    -----------------------------------
    Let's dp one mpore Eset scan, then HijackThis. If nothing new, I'll have you remove the cleaning tools.

    1. Update Eset and run a new scan.

    2. Rescan with HijackThis to make sure we got all bad entries.

    Leave both logs in next reply.
     
  9. atan1

    atan1 TS Rookie Topic Starter

    Thanks to your help, with the redirect problem gone, I can work with IE again.
    Glad to hear your holidays going well!

    If the blank pages refer to the IE home page, and new tab, yes, I intentionally set them to 0.

    I do run weekly cleanmgr, but since this problem started I haven't done a cleanup.

    Thank you very much for your suggestions.

    Here are the logs:

    -----------------------------------------------------
    ETES:

    C:\_OTM\MovedFiles\12232011_214355\C_Windows\System32\ActioonCenter.dll Win32/BHO.ODP trojan
    C:\_OTM\MovedFiles\12232011_214355\C_Windows\System32\ApppIdPolicyEngineApi.dll a variant of Win32/BHO.ODP trojan
    C:\_OTM\MovedFiles\12232011_214355\C_Windows\System32\KBDRROPR.DLL a variant of Win32/BHO.ODP trojan
    C:\_OTM\MovedFiles\12232011_214355\C_Windows\System32\NlsLexiicons0816.dll Win32/BHO.ODP trojan


    ----------------------------------------------------------
    HijackThis:


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:00:51 PM, on 26/12/2011
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v9.00 (9.00.8112.16421)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\SyncServer.exe
    C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
    C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
    C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
    C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
    C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Windows\SysWOW64\DllHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: Groove GFS Browser Helper - {148E13C6-531D-0366-6B11-78116A474C57} - C:\Windows\SysWow64\KBDRROPR.DLL (file missing)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Microsoft Web Test Recorder 10.0 Helper - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://www.kccsoft.com/authorware_web_files/awswaxd.cab
    O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mathworksevents.webex.com/client/T27L10NSP21EP5/event/ieatgpc1.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    O23 - Service: AMD Reservation Manager - Advanced Micro Devices - C:\Program Files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 8904 bytes




    ---------------------------------------------------
    I guess the 4 threats in ETES are for OTM's temporary files. Is that right?

    Just out of curiosity, what is the "URLRedirectionBHO" bho? Is it a normal process?

    Thanks again for all the help.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good- there are no new entries in the Eset log. All have been handled in OTM.

    I need to check a file out. We can do that with one line in CFFix:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    FileLook::
    C:\Windows\SysWOW64\DllHost.exe
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    Yes, normal process. Part of Microsoft Office 2010 - responsible for "caching Office documents on client computer, with differential synchronization between Office client and SharePoint server"

    Full name is URLRedirectionBHO, Office Document Cache Handler.
    =========================
    HJT is okay unless the entry you're checking in Combofix comes back bad. I'll just check the FileLook and then hopefully we should be through,
     
  11. atan1

    atan1 TS Rookie Topic Starter

    Thanks for the clarification.
    Here's the CF log:


    ComboFix 11-12-23.01 - Atan 26/12/2011 20:44:23.4.2 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.2.1033.18.3819.2615 [GMT -5:00]
    Running from: c:\users\Atan\Desktop\ComboFix.exe
    Command switches used :: c:\users\Atan\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-27 to 2011-12-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-27 01:57 . 2011-12-27 01:57 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8FCE9265-40A1-413C-A535-A99CDCA9629E}\offreg.dll
    2011-12-27 01:55 . 2011-12-27 01:55 -------- d-----w- c:\users\Mcx1-ATAN-NETBOOK\AppData\Local\temp
    2011-12-27 01:55 . 2011-12-27 01:55 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-26 23:58 . 2011-12-26 23:59 388096 ----a-r- c:\users\Atan\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-12-26 23:58 . 2011-12-26 23:58 -------- d-----w- c:\program files (x86)\Trend Micro
    2011-12-26 16:40 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8FCE9265-40A1-413C-A535-A99CDCA9629E}\mpengine.dll
    2011-12-24 02:43 . 2011-12-24 02:43 -------- d-----w- C:\_OTM
    2011-12-23 16:18 . 2011-12-23 16:17 525544 ----a-w- c:\windows\system32\deployJava1.dll
    2011-12-23 16:17 . 2011-12-23 16:17 -------- d-----w- c:\program files\Java
    2011-12-23 03:31 . 2011-12-23 03:31 -------- d-----w- c:\program files (x86)\ESET
    2011-12-18 21:06 . 2011-12-18 21:06 -------- d-----w- c:\windows\Sun
    2011-12-18 06:24 . 2011-12-18 06:24 -------- d-----w- c:\program files\iPod
    2011-12-18 06:24 . 2011-12-18 06:26 -------- d-----w- c:\program files\iTunes
    2011-12-15 06:47 . 2011-12-15 06:47 -------- d-----w- c:\users\Atan\AppData\Roaming\Malwarebytes
    2011-12-15 06:47 . 2011-12-15 06:47 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-15 06:46 . 2011-12-18 22:02 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-12-15 06:46 . 2011-08-31 22:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-14 14:29 . 2011-11-04 01:48 887296 ----a-w- c:\program files\Internet Explorer\iedvtool.dll
    2011-12-14 14:29 . 2011-11-03 22:42 678912 ----a-w- c:\program files (x86)\Internet Explorer\iedvtool.dll
    2011-12-14 14:23 . 2011-10-26 05:21 43520 ----a-w- c:\windows\system32\csrsrv.dll
    2011-12-14 14:22 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
    2011-12-14 14:22 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
    2011-12-14 14:22 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
    2011-12-14 14:22 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-14 14:22 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-12 06:25 . 2011-12-18 21:43 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
    2011-12-12 06:25 . 2011-12-18 21:43 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2011-12-11 03:01 . 2011-12-11 03:01 -------- d-----w- c:\users\Atan\AppData\Local\DDMSettings
    2011-12-06 19:01 . 2011-12-06 19:01 -------- d-----w- c:\programdata\Rockwell Automation
    2011-12-06 19:00 . 2011-12-15 19:52 -------- d-----w- c:\program files (x86)\Rockwell Software
    2011-12-06 04:20 . 2011-12-06 04:20 -------- d-----w- c:\windows\SysWow64\3002
    2011-11-29 07:38 . 2011-11-29 07:38 -------- d-----w- c:\program files\Common Files\Wolfram Research
    2011-11-29 07:38 . 2011-11-29 07:38 -------- d-----w- c:\program files (x86)\Common Files\Wolfram Research
    2011-11-29 07:38 . 2011-11-29 07:38 -------- d-----w- c:\program files (x86)\Common Files\ResearchSoft
    2011-11-29 07:20 . 2011-11-29 07:20 -------- d-----w- c:\program files\Wolfram Research
    2011-11-29 05:52 . 2011-12-06 04:20 -------- d-----w- c:\windows\SysWow64\3037
    2011-11-29 05:23 . 2011-11-29 05:53 -------- d-----w- c:\users\Atan\AppData\Local\Mathematica
    2011-11-29 05:23 . 2011-11-29 05:23 -------- d-----w- c:\users\Atan\AppData\Roaming\Mathematica
    2011-11-28 23:50 . 2011-11-29 07:41 -------- d-----w- c:\programdata\Mathematica
    2011-11-28 21:44 . 2011-11-28 21:44 -------- d-----w- c:\users\Atan\AppData\Roaming\Maple
    2011-11-28 21:33 . 2011-12-17 16:23 -------- d-----w- c:\users\Atan\.maplesoft
    2011-11-28 21:13 . 2011-11-28 21:13 20480 ----a-w- c:\windows\SysWow64\maplecompat.dll
    2011-11-28 21:13 . 2011-11-28 21:13 212992 ----a-w- c:\windows\SysWow64\WMIMPLEX.dll
    2011-11-28 21:13 . 2011-11-28 21:13 31744 ----a-w- c:\windows\SysWow64\maplec.dll
    2011-11-28 21:12 . 2011-11-28 21:13 -------- d-----w- C:\watcom-1.3
    2011-11-28 20:57 . 2011-11-28 21:13 -------- d-----w- c:\program files (x86)\Maple 15
    2011-11-28 20:57 . 2011-11-28 20:57 -------- d--h--w- c:\program files (x86)\Zero G Registry
    2011-11-28 20:51 . 2011-11-28 20:51 -------- d--h--w- c:\users\Atan\InstallAnywhere
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-10 07:29 . 2011-05-25 09:59 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-11-21 11:40 . 2011-02-02 06:29 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-10-27 17:39 . 2011-05-28 22:03 1898720 ----a-w- c:\programdata\Microsoft\VisualStudio\10.0\1033\ResourceCache.dll
    2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
    2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
    2011-10-20 23:26 . 2011-10-20 23:26 94208 ----a-w- c:\windows\SysWow64\dpl100.dll
    2011-10-11 03:05 . 2011-10-11 03:06 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C5678E7E-37CA-4FBE-9AAE-DB97CA73BCD1}\gapaengine.dll
    2011-09-29 16:29 . 2011-11-09 04:38 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\SysWOW64\DllHost.exe ---
    Company: Microsoft Corporation
    File Description: COM Surrogate
    File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
    Product Name: Microsoft® Windows® Operating System
    Copyright: © Microsoft Corporation. All rights reserved.
    Original Filename: dllhost.exe
    File size: 7168
    Created time: 2009-07-13 23:43
    Modified time: 2009-07-14 01:14
    MD5: A63DC5C2EA944E6657203E0C8EDEAF61
    SHA1: ACE762C51DB1908C858C898D7E0F9B36F788D2D9
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-23_03.11.51 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-02 17:11 . 2011-12-27 01:59 39928 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2009-07-14 05:10 . 2011-12-22 05:12 43256 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2011-12-27 01:59 43256 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2011-02-02 16:53 . 2011-12-27 01:59 14374 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3050095744-1663821448-2816196953-1000_UserData.bin
    - 2011-02-02 16:15 . 2011-12-22 05:58 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-02-02 16:15 . 2011-12-25 20:23 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-02-02 16:15 . 2011-12-22 05:58 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2011-12-25 19:55 . 2011-12-25 20:23 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2011-12-25 20:23 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2011-12-22 05:58 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-12-26 00:14 . 2011-12-26 00:14 9560 c:\windows\system32\NetworkList\Icons\{89F6EB2A-8ED5-47DC-A3CE-94476DB2F073}_48.bin
    + 2011-12-26 00:14 . 2011-12-26 00:14 4280 c:\windows\system32\NetworkList\Icons\{89F6EB2A-8ED5-47DC-A3CE-94476DB2F073}_32.bin
    + 2011-12-26 00:14 . 2011-12-26 00:14 2456 c:\windows\system32\NetworkList\Icons\{89F6EB2A-8ED5-47DC-A3CE-94476DB2F073}_24.bin
    - 2011-12-23 02:54 . 2011-12-23 02:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-27 01:56 . 2011-12-27 01:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-12-27 01:56 . 2011-12-27 01:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-12-23 02:54 . 2011-12-23 02:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-02-09 12:06 . 2011-12-26 16:28 307866 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
    + 2011-02-02 15:32 . 2011-12-26 00:28 349528 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    + 2011-12-23 16:18 . 2011-12-23 16:17 190752 c:\windows\system32\javaws.exe
    + 2011-12-23 16:18 . 2011-12-23 16:17 172320 c:\windows\system32\javaw.exe
    + 2011-12-23 16:18 . 2011-12-23 16:17 172320 c:\windows\system32\java.exe
    + 2011-05-18 12:08 . 2011-05-18 12:08 465408 c:\windows\system32\ipcoin82.dll
    - 2009-07-14 05:12 . 2011-12-22 05:58 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2009-07-14 05:12 . 2011-12-23 03:30 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2011-12-27 01:56 . 2011-12-27 01:56 217144 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    - 2009-07-14 05:01 . 2011-12-23 02:53 364200 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2011-12-27 01:56 364200 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2011-12-23 16:16 . 2011-12-23 16:16 909312 c:\windows\Installer\2c52636.msi
    + 2011-02-02 17:05 . 2011-12-27 01:56 1658520 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3050095744-1663821448-2816196953-1000-8192.dat
    + 2011-12-26 23:57 . 2011-12-26 23:57 1402880 c:\windows\Installer\eb33b3b.msi
    + 2011-02-02 17:05 . 2011-12-27 01:56 24455977 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3050095744-1663821448-2816196953-1000-4096.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{148E13C6-531D-0366-6B11-78116A474C57}]
    c:\windows\SysWow64\KBDRROPR.DLL [BU]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-12-08 421736]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-01-18 68440]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-22 61976]
    R4 RsFx0105;RsFx0105 Driver;c:\windows\system32\DRIVERS\RsFx0105.sys [x]
    R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2011-09-23 431464]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-01-26 354304]
    S2 AMD Reservation Manager;AMD Reservation Manager;c:\program files\ATI Technologies\ATI.ACE\Reservation Manager\AMD Reservation Manager.exe [2010-06-17 194496]
    S2 MSSQL$UPSWSDBSERVER;SQL Server (UPSWSDBSERVER);c:\program files (x86)\UPS\WSTD\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C60x64.sys [x]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3050095744-1663821448-2816196953-1000Core.job
    - c:\users\Atan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
    .
    2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3050095744-1663821448-2816196953-1000UA.job
    - c:\users\Atan\AppData\Local\Google\Update\GoogleUpdate.exe [2011-02-02 04:39]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = %SystemRoot%\system32\blank.htm
    uStart Page = about:blank
    mLocal Page = %SystemRoot%\system32\blank.htm
    IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 64.71.255.198
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-26 21:08:12 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-27 02:08
    ComboFix2.txt 2011-12-24 03:26
    ComboFix3.txt 2011-12-23 03:20
    .
    Pre-Run: 53,941,297,152 bytes free
    Post-Run: 53,758,808,064 bytes free
    .
    - - End Of File - - 1D8D2907006794998FDDB212ABB766C1
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please advise the other forum that you have gotten help elsewhere- so they can close your thread:
    http://www.bleepingcomputer.com/forums/topic432791.html

    There is one entry I'd like you to remove in HJT- if it's there!

    Open HJT to 'do system scan only'. Check this entry if present
    O2 - BHO: Groove GFS Browser Helper - {148E13C6-531D-0366-6B11-78116A474C57} - C:\Windows\SysWow64\KBDRROPR.DLL (file missing)

    Close all Windows except HJT and click on "Fix Checked."
    ========================================
    The file I looked int o in Combofix is okay.
    =========================================
    Do any problem remain? If not, go ahead with this:
    Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
      [o] Click START> then RUN
      [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      [o] Double click OTCleanIt.exe.
      [o] Click the CleanUp! button.
      [o] If you are prompted to Reboot during the cleanup, select Yes.
      [o]The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • Set a new, clean Restore Point
      [o] Click on Start> right click on Computer> Properties
      [o] Select System Protection
      [o] Click on the Create button (near bottom)
      [o] Type a name for the Restore Point
      [o] Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
      [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
      [o] Click Disk Cleanup from there.
      [​IMG]
      [o] Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
      [o] Click the More Options tab
      [​IMG]
      [o] Click the Clean up under System Restore and Shadow Copies.
      [o] Click OK.
      [o] You will get a confirmation screen> Just click Delete.
      [o] Click OK on the Disk Cleanup Screen.
      [o] Click Delete Files on the Confirmation screen.
    [​IMG]
    This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    Images courtesy lytebyte.

    Empty the Recycle Bin

    Let me know if you have any questions.
     
  13. atan1

    atan1 TS Rookie Topic Starter

    Hi Bobbye,
    The problem is all gone and everything is working smoothly.
    Thank you very much again for your help. Hope you have a happy new year coming.
    Cheers
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You' re very welcome!
    Have a Happy and Peaceful Holiday![​IMG]
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...