TechSpot

Google redirect virus

By lthebmanl
Aug 20, 2011
  1. Hi,

    I have a virus that redirects me when I click on a Google link. I have performed routine virus searches using Avast, Microsoft security essentials and ad-aware; however, to no avail. I have seen other threads that suggest performing tasks that I am unfamiliar with and uncomfortable performing without instruction.

    Any help would be greatly appreciated.

    Thanks,

    b
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll be glad to help you. I need to get some information first:

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ====================================

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process..
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
     
  3. lthebmanl

    lthebmanl TS Rookie Topic Starter Posts: 24

    Thanks

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-08-20 19:43:04
    Windows 6.1.7600
    Running: pr0fjowp.exe


    ---- Registry - GMER 1.0.15 ----

    Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\brandon\Downloads\WinZip\xae 15 Pro\winzip150.exe 1

    ---- EOF - GMER 1.0.15 ----


    Malwarebytes' Anti-Malware 1.51.1.1800
    www.malwarebytes.org

    Database version: 7521

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    8/20/2011 4:33:58 PM
    mbam-log-2011-08-20 (16-33-58).txt

    Scan type: Quick scan
    Objects scanned: 174073
    Time elapsed: 5 minute(s), 25 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 37
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 35
    Files Infected: 121

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\{11C27351-716B-4052-9361-E3B0A3F8221C} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{1602F07D-8BF3-4c08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{C55CA95C-324B-451c-B2D2-6E895AA75FEC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\ClickPotatoLiteAX.Info.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\ClickPotatoLiteAX.Info (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1602F07D-8BF3-4C08-BDD6-DDDB1C48AEDC} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\ClickPotatoLiteAX.UserProfiles (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{AC6D819E-AA8F-4418-A3BB-D165C1B18BB5} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256A51-B582-467e-B8D4-7786EDA79AE0} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B58926D6-CFB0-45D2-9C28-4B5A0F0368AE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-CD68-4f36-8D02-8C43722EE5DA} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\MenuButtonIE.ButtonIE (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\MenuButtonIE.ButtonIE.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\MenuButtonIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\ClickPotatoLite@ClickPotatoLite.com (Adware.ClickPotato) -> Value: ClickPotatoLite@ClickPotatoLite.com -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\programdata\2aca5cc3-0f83-453d-a079-1076fe1a8b65 (Adware.Seekmo) -> Quarantined and deleted successfully.
    c:\programdata\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\Users\brandon\AppData\Roaming\clickpotatolite (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\programdata\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\1 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\2 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\CPDA (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\CPDM (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\program files (x86)\clickpotatolite (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\program files (x86)\clickpotatolite\bin (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\program files (x86)\clickpotatolite\bin\10.0.530.0 (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\program files (x86)\clickpotatolite\bin\10.0.530.0\firefox (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\program files (x86)\clickpotatolite\bin\10.0.530.0\firefox\extensions (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\program files (x86)\clickpotatolite\bin\10.0.530.0\firefox\extensions\plugins (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\program files (x86)\funwebproducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files (x86)\funwebproducts\Installr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files (x86)\funwebproducts\Installr\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files (x86)\funwebproducts\Installr\setups (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files (x86)\funwebproducts\screensaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files (x86)\funwebproducts\screensaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files (x86)\mywebsearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files (x86)\mywebsearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files (x86)\mywebsearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files (x86)\mywebsearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\programdata\microsoft\Windows\start menu\Programs\clickpotato (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Images (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Images (Refog.Keylogger) -> Quarantined and deleted successfully.

    Files Infected:
    c:\programdata\clickpotatolitesa\clickpotatolitesa.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\programdata\clickpotatolitesa\clickpotatolitesaau.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\programdata\clickpotatolitesa\clickpotatolitesa_kyf_update.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\programdata\MPK\M0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\1\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\1\i40450_4350062268 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\1\i40450_4362243981 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\1\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\1\t40450_3994104745 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\1\t40450_4057453704 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\1\t40450_4070375116 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\1\t40450_4105269444 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\1\t40450_4240456366 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\2\D0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\2\S0000 (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\programdata\MPK\CPDM\cpfm.bin (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\program files (x86)\clickpotatolite\bin\10.0.530.0\firefox\extensions\chrome.manifest (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\program files (x86)\clickpotatolite\bin\10.0.530.0\firefox\extensions\install.rdf (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\program files (x86)\funwebproducts\Installr\1.bin\F3EZSETP.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files (x86)\funwebproducts\Installr\1.bin\F3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\program files (x86)\mywebsearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    c:\programdata\microsoft\Windows\start menu\Programs\clickpotato\About Us.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\programdata\microsoft\Windows\start menu\Programs\clickpotato\clickpotato customer support.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\programdata\microsoft\Windows\start menu\Programs\clickpotato\clickpotato uninstall instructions.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\French.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\German.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\icon_1.ico (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\MPK64.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Romanian.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Spanish.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\sqlite3.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\unins000.dat (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\unins000.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\file.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\imhelp.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\need_update_net.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\update.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\English\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Help\Spanish\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Images\english.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Images\german.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Images\russian.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Images\vista_hide.bmp (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\System32\MPK\Images\xp_hide.bmp (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\French.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\German.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\icon_1.ico (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\MPK64.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Romanian.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Spanish.lng (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\sqlite3.dll (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\unins000.dat (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\unins000.exe (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\file.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\imhelp.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\need_update_net.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\update.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\English\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\alarms.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\clipboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\computer.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\delivery.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\filters.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\internet.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\invisible.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\keyboard.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\logging.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\log_size.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\password.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\programs.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\screenshot.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\settings_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Help\Spanish\users_node.htm (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Images\english.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Images\german.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Images\russian.gif (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Images\vista_hide.bmp (Refog.Keylogger) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\MPK\Images\xp_hide.bmp (Refog.Keylogger) -> Quarantined and deleted successfully.






    .
    DDS (Ver_2011-06-23.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
    Run by brandon at 19:45:36 on 2011-08-20
    Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.3062.1375 [GMT -4:00]
    .
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    AV: avast! antivirus *Disabled/Outdated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    SP: avast! antivirus *Disabled/Outdated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Users\brandon\Local Settings\Apps\F.lux\flux.exe
    C:\Program Files (x86)\GmoteServer\GmoteServer.exe
    C:\Program Files (x86)\Java\jre6\bin\javaw.exe
    C:\Program Files (x86)\Webshots\3.1.5.7617\webshots.scr
    C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskmgr.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Users\brandon\Desktop\pr0fjowp.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\Windows\SysWOW64\NOTEPAD.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    mWinlogon: Userinit=userinit.exe,
    BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    uRun: [AdobeBridge]
    uRun: [F.lux] "C:\Users\brandon\Local Settings\Apps\F.lux\flux.exe" /noshow
    mRun: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    mRun: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
    mRun: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    StartupFolder: C:\Users\brandon\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\GMOTES~1.LNK - C:\Program Files (x86)\GmoteServer\GmoteServer.exe
    StartupFolder: C:\Users\brandon\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Webshots.lnk - C:\Program Files (x86)\Webshots\3.1.5.7617\Launcher.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    TCP: DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{486DE355-9C9B-40E1-AFE1-8ED22220C4E1} : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{486DE355-9C9B-40E1-AFE1-8ED22220C4E1}\2656C6B696E6534376 : DhcpNameServer = 192.168.2.1 68.105.28.11 68.105.29.11 68.105.28.12
    TCP: Interfaces\{486DE355-9C9B-40E1-AFE1-8ED22220C4E1}\36F6E6E677962756C6563737 : DhcpNameServer = 136.244.1.1 136.244.1.2
    TCP: Interfaces\{486DE355-9C9B-40E1-AFE1-8ED22220C4E1}\469616E65637C6166756 : DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{486DE355-9C9B-40E1-AFE1-8ED22220C4E1}\7405C475962756C656373723 : DhcpNameServer = 192.168.150.1 216.255.161.13 68.94.156.1
    TCP: Interfaces\{853E03E0-7BC5-4313-A004-B9A2797B6E88} : DhcpNameServer = 68.94.156.1 68.94.157.1
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO-X64: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO-X64: SkypeIEPluginBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    mRun-x64: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    mRun-x64: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    mRun-x64: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
    mRun-x64: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\brandon\AppData\Roaming\Mozilla\Firefox\Profiles\az64lpfz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://randomabs.com/
    FF - component: C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}\components\SkypeFfComponent.dll
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
    FF - Ext: BlockSite: {dd3d7613-0246-469d-bc65-2a3cc1668adc} - %profile%\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: XUL Cache: {e00528cb-afc0-472a-9e4c-557cc4512550} - %profile%\extensions\{e00528cb-afc0-472a-9e4c-557cc4512550}
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
    R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
    R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys --> C:\Windows\system32\DRIVERS\aswFsBlk.sys [?]
    R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys --> C:\Windows\system32\DRIVERS\aswMonFlt.sys [?]
    R2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast4\ashServ.exe [2011-3-18 138680]
    R3 MRVW148;Marvell TOPDOG (TM) 802.11abgn Driver for Vista Native WIFI (CB8x/EC8x);C:\Windows\system32\DRIVERS\MRVW148.sys --> C:\Windows\system32\DRIVERS\MRVW148.sys [?]
    R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
    R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
    R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
    S2 AGCoreService;AG Core Services;"C:\Program Files (x86)\AGI\core\4.2.0.10753\AGCoreService.exe" --> C:\Program Files (x86)\AGI\core\4.2.0.10753\AGCoreService.exe [?]
    S2 gupdate1cafb891d680e77;Google Update Service (gupdate1cafb891d680e77);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-24 133104]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2010-8-12 2151640]
    S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;C:\Windows\system32\Drivers\ssadadb.sys --> C:\Windows\system32\Drivers\ssadadb.sys [?]
    S3 avast! Mail Scanner;avast! Mail Scanner;C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2011-3-18 254040]
    S3 avast! Web Scanner;avast! Web Scanner;C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2011-3-18 352920]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-24 133104]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
    S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);C:\Windows\system32\DRIVERS\ssadbus.sys --> C:\Windows\system32\DRIVERS\ssadbus.sys [?]
    S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);C:\Windows\system32\DRIVERS\ssadmdfl.sys --> C:\Windows\system32\DRIVERS\ssadmdfl.sys [?]
    S3 ssadmdm;SAMSUNG Android USB Modem Drivers;C:\Windows\system32\DRIVERS\ssadmdm.sys --> C:\Windows\system32\DRIVERS\ssadmdm.sys [?]
    S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-08-20 20:40:02 912344 ----a-w- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    2011-08-20 20:27:29 -------- d-----w- C:\Users\brandon\AppData\Roaming\Malwarebytes
    2011-08-20 20:27:20 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-08-20 20:27:18 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-08-20 20:27:14 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-08-20 20:27:13 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-08-20 10:01:28 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7A018B43-774D-4ADA-BF46-050F7F37F3CA}\mpengine.dll
    2011-08-11 20:53:56 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F517459A-A578-4313-84C5-B420EC6A13AF}\gapaengine.dll
    2011-08-10 01:29:08 126976 ----a-w- C:\Program Files\Common Files\System\Ole DB\msdaosp.dll
    2011-08-10 01:29:08 106496 ----a-w- C:\Windows\System32\odbccu32.dll
    2011-08-10 01:29:08 106496 ----a-w- C:\Windows\System32\odbccr32.dll
    2011-08-10 01:29:07 212992 ----a-w- C:\Windows\System32\odbctrac.dll
    2011-08-10 01:29:07 163840 ----a-w- C:\Windows\System32\odbccp32.dll
    2011-08-10 01:29:06 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
    2011-08-10 01:29:06 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
    2011-08-10 01:29:06 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
    2011-08-10 01:29:05 94208 ----a-w- C:\Program Files (x86)\Common Files\System\Ole DB\msdaosp.dll
    2011-08-10 01:29:05 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
    2011-08-10 01:29:05 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
    2011-07-30 07:02:26 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
    2011-07-30 07:01:33 8578896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    .
    ==================== Find3M ====================
    .
    2011-07-22 05:35:08 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-07-22 04:56:17 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-07-16 05:26:54 362496 ----a-w- C:\Windows\System32\wow64win.dll
    2011-07-16 05:26:53 243200 ----a-w- C:\Windows\System32\wow64.dll
    2011-07-16 05:26:53 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
    2011-07-16 05:26:18 214528 ----a-w- C:\Windows\System32\winsrv.dll
    2011-07-16 05:24:09 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
    2011-07-16 05:21:32 422400 ----a-w- C:\Windows\System32\KernelBase.dll
    2011-07-16 05:17:46 338432 ----a-w- C:\Windows\System32\conhost.exe
    2011-07-16 04:36:09 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
    2011-07-16 04:32:14 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
    2011-07-16 04:31:50 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
    2011-07-16 04:30:29 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
    2011-07-16 04:30:27 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
    2011-07-16 02:26:12 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
    2011-07-16 02:26:11 2048 ----a-w- C:\Windows\SysWow64\user.exe
    2011-07-16 02:21:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
    2011-07-16 02:21:47 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
    2011-07-16 02:21:47 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
    2011-07-16 02:21:47 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
    2011-07-09 02:44:55 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
    2011-07-04 20:01:05 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
    2011-06-23 05:29:39 5507968 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2011-06-23 04:38:05 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
    2011-06-23 04:38:04 3902336 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
    2011-06-21 06:27:14 1896832 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2011-06-21 06:20:48 1197056 ----a-w- C:\Windows\System32\wininet.dll
    2011-06-21 06:20:06 57856 ----a-w- C:\Windows\System32\licmgr10.dll
    2011-06-21 05:36:36 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-06-21 05:35:05 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
    2011-06-21 05:05:13 482816 ----a-w- C:\Windows\System32\html.iec
    2011-06-21 04:26:02 386048 ----a-w- C:\Windows\SysWow64\html.iec
    2011-06-11 02:56:44 3134464 ----a-w- C:\Windows\System32\win32k.sys
    2011-05-24 11:21:59 404992 ----a-w- C:\Windows\System32\umpnpmgr.dll
    2011-05-24 10:34:20 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
    2011-05-24 10:34:20 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
    2011-05-24 10:34:00 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
    2011-05-24 10:32:46 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
    .
    ============= FINISH: 19:46:25.00 ===============





    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows 7 Enterprise
    Boot Device: \Device\HarddiskVolume2
    Install Date: 5/13/2010 4:36:36 PM
    System Uptime: 8/20/2011 6:38:09 PM (1 hours ago)
    .
    Motherboard: Gateway | |
    Processor: Intel(R) Core(TM)2 Duo CPU T5450 @ 1.66GHz | U2E1 | 1316/667mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 222 GiB total, 43.641 GiB free.
    D: is FIXED (NTFS) - 11 GiB total, 3.873 GiB free.
    E: is CDROM ()
    F: is CDROM (CDFS)
    G: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP356: 8/9/2011 3:05:58 AM - Windows Update
    RP357: 8/10/2011 3:00:16 AM - Windows Update
    RP358: 8/10/2011 3:37:18 AM - Windows Update
    RP359: 8/11/2011 4:52:43 PM - Windows Update
    RP360: 8/12/2011 9:14:31 PM - Windows Update
    RP361: 8/13/2011 10:03:16 PM - Windows Update
    RP362: 8/14/2011 11:16:27 PM - Windows Update
    RP363: 8/16/2011 12:56:45 AM - Windows Update
    RP364: 8/17/2011 4:32:23 AM - Windows Update
    RP365: 8/18/2011 7:52:11 AM - Windows Update
    RP366: 8/20/2011 6:01:04 AM - Windows Update
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    µTorrent
    AC3Filter (remove only)
    Ad-Aware
    Adobe AIR
    Adobe Community Help
    Adobe Digital Editions
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Media Player
    Adobe Photoshop CS5
    Adobe Reader 9.4.5
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    avast! Antivirus
    Click to Call with Skype
    DivX Setup
    F.lux
    GmoteServer
    Google Earth
    Google Update Helper
    Java Auto Updater
    Java(TM) 6 Update 20
    Juniper Networks Setup Client
    Juniper Networks Setup Client Activex Control
    Malwarebytes' Anti-Malware version 1.51.1.1800
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Mozilla Firefox (3.6.20)
    PDF Settings CS5
    Photomatix Pro version 4.0.1
    PowerISO
    QuickTime
    Rosetta Stone Version 3
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft Office 2007 System (KB2541012)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2541007)
    Security Update for Microsoft Office Groove 2007 (KB2494047)
    Security Update for Microsoft Office InfoPath 2007 (KB2510061)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    ShiftN 3.6
    Skype™ 5.5
    SoulSeek Client 156c
    Topaz Adjust 4
    Topaz Detail 2
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office Outlook 2007 (KB2509470)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2586924)
    VC80CRTRedist - 8.0.50727.4053
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.1.7
    Webshots Desktop
    Windows Media Player Firefox Plugin
    WinPcap 4.1.2
    WinZip 15.0
    Xvid 1.2.1 final uninstall
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/20/2011 7:45:58 PM, Error: MRVW148 [515] -
    8/20/2011 7:14:13 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk2\DR2.
    8/20/2011 4:39:35 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    8/20/2011 4:38:44 PM, Error: Microsoft Antimalware [3002] - Microsoft Antimalware Real-Time Protection feature has encountered an error and failed. Feature: Behavior Monitoring Error Code: 0x80004005 Error description: Unspecified error Reason: The filter driver requires an up-to-date engine in order to function. You must install the latest definition updates in order to enable real-time protection.
    8/20/2011 4:38:28 PM, Error: Service Control Manager [7000] - The AG Core Services service failed to start due to the following error: The system cannot find the file specified.
    8/19/2011 9:10:47 AM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk4\DR9.
    8/16/2011 6:22:34 AM, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.
    .
    ==== End Of File ===========================
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, there are times I have to sit back and ask myself- "where to start?" This is one of them.

    Antivirus programs
    • There were no directions to disable the AV for these 3 preliminary scans.
    • You should run only one AV
    • Avast is outdated: Uninstall:Avast Removal
    • Disable AdWatch:
      [o]Right click on the Ad-Aware icon in the system tray. [​IMG]
      [o]Click on Disable Ad-Watch Live!
    ======================================
    Specific malware
    • Keylogger: All of the entries for the The Akai Pro MPK mini have the REFOG Keylogger and in several languages. Did you intentionally install the keylogger?
      REFOG Keylogger has everything that's in the Free Keylogger Software, and adds the Complete Invisibility mode. Being able to run silently and undetectable, REFOG Keylogger is impossible to be seen or removed by your teenage kids or the spouse.
    • Adware, Tracking Cookies, Known malware sites:
    • Remove any entries for Fun Web Site & My Web Search in Add/Remove Programs
      [o]Use Windows explorer> to access Program files and right click> Delete program folders for those uninstalled programs..
    • Reset Cookies
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

      [o]For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

      I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List

      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
      (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    =======================================
    The Java is outdated- v6u20. Update now to v6u26: Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    ====================================
    You will have malware in the Java cache, so it needs to be emptied:
    1. . Click Start > Control Panel.
    2. . Double-click the Java icon [​IMG] in the Control Panel.
    3. . Click Settings under Temporary Internet Files.
      http://www.java.com/en/img/download/5000020303.jpg[/b]
      There are three options on this window to clear the cache.(Version dependent)
      [o]. Delete Files
      [o]. View Applications
      [o]. View Applets
      [*]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [*]. Click OK on Temporary Files Settings window. [/list]
      =========================================
      [list]
      [*] Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      [url=http://eset.com/onlinescan][b][color=blue]ESETOnlineScan[/b][/color][/url]
      [*] For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the [img]http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.pngon your desktop.
    4. Check 'Yes I accept terms of use.'
    5. Click Start button
    6. Accept any security warnings from your browser.
      [​IMG]
    7. Uncheck 'Remove found threats'
    8. Check 'Scan archives/
    9. Leave remaining settings as is.
    10. Press the Start button.
    11. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    12. When the scan completes, press List of found threats
    13. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    14. Push the Back button
    15. Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    Leave log in next reply if malware is found. I will remove the entries.

    Go on to next post.[/b
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.

    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
     
  6. lthebmanl

    lthebmanl TS Rookie Topic Starter Posts: 24

    I deleted Avast and disabled Adwatch

    I did install the Keylogger but forgot how to use it. Not sure if I deleted it...

    I checked Add/Remove Programs for Fun Web Sites & My Web Search but did not find anything. I looked in Program Files and didn't see anything either.

    I reset cookies for Firefox and also unchecked accept third party cookies

    I added Adblock Plus as well as Easy List

    I updated Java to the latest version

    I deleted Java cache

    I clicked on the ESET OnlineScan and the link came up as an error. I was unable to download it.

    I performed the ComboFix scan and here is the log:

    ComboFix 11-08-21.01 - brandon 08/20/2011 22:52:52.1.2 - x64
    Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.3062.1560 [GMT -4:00]
    Running from: c:\users\brandon\Downloads\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\brandon\AppData\Roaming\Mozilla\Firefox\Profiles\az64lpfz.default\extensions\{e00528cb-afc0-472a-9e4c-557cc4512550}
    c:\users\brandon\AppData\Roaming\Mozilla\Firefox\Profiles\az64lpfz.default\extensions\{e00528cb-afc0-472a-9e4c-557cc4512550}\chrome.manifest
    c:\users\brandon\AppData\Roaming\Mozilla\Firefox\Profiles\az64lpfz.default\extensions\{e00528cb-afc0-472a-9e4c-557cc4512550}\chrome\xulcache.jar
    c:\users\brandon\AppData\Roaming\Mozilla\Firefox\Profiles\az64lpfz.default\extensions\{e00528cb-afc0-472a-9e4c-557cc4512550}\defaults\preferences\xulcache.js
    c:\users\brandon\AppData\Roaming\Mozilla\Firefox\Profiles\az64lpfz.default\extensions\{e00528cb-afc0-472a-9e4c-557cc4512550}\install.rdf
    c:\windows\Downloaded Program Files\popcaploader.dll
    c:\windows\Downloaded Program Files\popcaploader.inf
    D:\Autorun.inf
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-21 to 2011-08-21 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-21 02:18 . 2011-08-21 02:18 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-08-20 20:40 . 2011-08-20 20:40 912344 ----a-w- c:\program files (x86)\Mozilla Firefox\firefox.exe
    2011-08-20 20:27 . 2011-08-20 20:27 -------- d-----w- c:\users\brandon\AppData\Roaming\Malwarebytes
    2011-08-20 20:27 . 2011-07-06 23:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-08-20 20:27 . 2011-08-20 20:27 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-20 20:27 . 2011-07-06 23:52 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-20 20:27 . 2011-08-20 20:27 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-08-20 10:01 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7A018B43-774D-4ADA-BF46-050F7F37F3CA}\mpengine.dll
    2011-08-11 20:53 . 2011-02-01 19:15 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F517459A-A578-4313-84C5-B420EC6A13AF}\gapaengine.dll
    2011-08-10 01:29 . 2011-06-15 09:58 106496 ----a-w- c:\windows\system32\odbccu32.dll
    2011-08-10 01:29 . 2011-06-15 09:58 106496 ----a-w- c:\windows\system32\odbccr32.dll
    2011-08-10 01:29 . 2011-06-15 09:58 126976 ----a-w- c:\program files\Common Files\System\Ole DB\msdaosp.dll
    2011-08-10 01:29 . 2011-06-15 09:58 212992 ----a-w- c:\windows\system32\odbctrac.dll
    2011-08-10 01:29 . 2011-06-15 09:58 163840 ----a-w- c:\windows\system32\odbccp32.dll
    2011-08-10 01:29 . 2011-06-15 09:04 81920 ----a-w- c:\windows\SysWow64\odbccr32.dll
    2011-08-10 01:29 . 2011-06-15 09:04 319488 ----a-w- c:\windows\SysWow64\odbcjt32.dll
    2011-08-10 01:29 . 2011-06-15 09:04 122880 ----a-w- c:\windows\SysWow64\odbccp32.dll
    2011-08-10 01:29 . 2011-06-15 09:04 86016 ----a-w- c:\windows\SysWow64\odbccu32.dll
    2011-08-10 01:29 . 2011-06-15 09:04 163840 ----a-w- c:\windows\SysWow64\odbctrac.dll
    2011-08-10 01:29 . 2011-06-15 09:04 94208 ----a-w- c:\program files (x86)\Common Files\System\Ole DB\msdaosp.dll
    2011-07-30 07:02 . 2011-07-30 07:02 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2011-07-30 07:01 . 2011-07-13 04:53 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-12 04:10 . 2010-05-16 16:13 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-07-16 04:32 . 2011-08-10 01:28 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2011-07-04 20:01 . 2010-11-05 16:12 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-11 02:56 . 2011-07-12 22:46 3134464 ----a-w- c:\windows\system32\win32k.sys
    2011-05-24 11:21 . 2011-06-29 02:49 404992 ----a-w- c:\windows\system32\umpnpmgr.dll
    2011-05-24 10:34 . 2011-06-29 02:49 64512 ----a-w- c:\windows\SysWow64\devobj.dll
    2011-05-24 10:34 . 2011-06-29 02:49 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
    2011-05-24 10:34 . 2011-06-29 02:49 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
    2011-05-24 10:32 . 2011-06-29 02:49 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2009-11-25 297808]
    .
    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agihelper.AGUtils]
    .
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    2009-11-25 16:47 297808 ----a-w- c:\windows\System32\mscoree.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "F.lux"="c:\users\brandon\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-08-10 421888]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
    "PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    c:\users\brandon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    GmoteServer.lnk - c:\program files (x86)\GmoteServer\GmoteServer.exe [2011-3-12 451584]
    Webshots.lnk - c:\program files (x86)\Webshots\3.1.5.7617\Launcher.exe [2010-5-24 157088]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 AGCoreService;AG Core Services;c:\program files (x86)\AGI\core\4.2.0.10753\AGCoreService.exe [x]
    R2 gupdate1cafb891d680e77;Google Update Service (gupdate1cafb891d680e77);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-24 133104]
    R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-24 133104]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-02-04 17152]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
    R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
    R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-06-28 2151640]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
    S3 MRVW148;Marvell TOPDOG (TM) 802.11abgn Driver for Vista Native WIFI (CB8x/EC8x);c:\windows\system32\DRIVERS\MRVW148.sys [x]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-24 21:35]
    .
    2011-08-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-24 21:35]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.2.1
    FF - ProfilePath - c:\users\brandon\AppData\Roaming\Mozilla\Firefox\Profiles\az64lpfz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://randomabs.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
    FF - Ext: BlockSite: {dd3d7613-0246-469d-bc65-2a3cc1668adc} - %profile%\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKCU-Run-AdobeBridge - (no file)
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-{2857dbef-0b50-361c-8690-7d505747009f} - c:\program files (x86)\AGI\core\4.2.0.10753\InstallerGUI.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files (x86)\Java\jre6\bin\javaw.exe
    c:\program files (x86)\Webshots\3.1.5.7617\webshots.scr
    c:\program files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-20 23:12:09 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-21 03:12
    .
    Pre-Run: 45,788,184,576 bytes free
    Post-Run: 46,078,033,920 bytes free
    .
    - - End Of File - - 95794FD70DF6803D52632A0E21BCE8F7
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Nice job! If everyone followed by directions as well as you did, then came back and told me just what they did, I might have enough free time to help twice as many members!

    Can you tell me what error came up when you tried to run the Eset scan? If you don't remember, try running it again. If the error comes up, make a note to tell me what it says. If you don't get the error and can go ahead with the scan, then leave the log.
    ==========================================
    This deletion in Combofix, D:\Autorun.inf indicates that you used an infected flash drive- it needs to be disinfected:
    • Please download Panda USB Vaccine(you must provide valid e-mail and they will send you download link to this e-mail address) to your desktop.
    • Install and run it.
    • Plug in USB drive and click on Vaccinate USB and Vaccinate computer.
    You should disinfect any movable drives that connected to the machine.
    ==========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.
    Code:
    File::
    DDS::
    uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    uRun: [F.lux] "C:\Users\brandon\Local Settings\Apps\F.lux\flux.exe" /noshow
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    BHO-X64: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"=-.
    [HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CLASSES_ROOT\agihelper.AGUtils]
    [HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "F.lux"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    =======================================
    Please open Firefox> Tools> Add ons and remove the Java v6u16 and v6u20 outdated plugins. And for the future, you don't need to add a separate Java update to Firefox.
    =====================================
    The Adobe Reader needs to be updated to v10: Update now: Adobe Reader site . Uninstall any earlier updates as they are vulnerabilities.
    =====================================
    When finished with above, please Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called[/u] c:\HijackThis[/u].
      [*]Then navigate to that directory and double-click on the hijackthis.exe file.
      [*]When started click on the Scan button and then the Save Log button to create a log of your information.
      [*]The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
      [*] Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
      [*] Come back here to this thread and paste (Ctrl+V) the log in your next reply.


    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  8. lthebmanl

    lthebmanl TS Rookie Topic Starter Posts: 24

    The online scan worked

    C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{190A2F4F-CDB0-4DA1-BC6B-C10431D730E8}-FascinateRoot_v02.zip Android/Exploit.RageCage.A trojan
    C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{559DE9C0-3347-42CE-976A-220A077B9EFE}-FascinateRoot_v02.zip Android/Exploit.RageCage.A trojan
    C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{A2B30104-2D7E-47B4-ADE8-56E7F750E33A}-FascinateRoot_v02.zip Android/Exploit.RageCage.A trojan
    C:\Qoobox\Quarantine\C\Users\brandon\AppData\Roaming\Mozilla\Firefox\Profiles\az64lpfz.default\extensions\{e00528cb-afc0-472a-9e4c-557cc4512550}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan
    C:\Qoobox\Quarantine\C\Users\brandon\AppData\Roaming\Mozilla\Firefox\Profiles\az64lpfz.default\extensions\{e00528cb-afc0-472a-9e4c-557cc4512550}\chrome\xulcache.jar.vir JS/Agent.NDJ trojan
    C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{190A2F4F-CDB0-4DA1-BC6B-C10431D730E8}-FascinateRoot_v02.zip Android/Exploit.RageCage.A trojan
    C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{559DE9C0-3347-42CE-976A-220A077B9EFE}-FascinateRoot_v02.zip Android/Exploit.RageCage.A trojan
    C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{A2B30104-2D7E-47B4-ADE8-56E7F750E33A}-FascinateRoot_v02.zip Android/Exploit.RageCage.A trojan
    C:\Windows\System32\msauncerp.dll a variant of Win32/Spy.KeyLogger.NOB trojan
    C:\Windows\SysWOW64\msauncerp.dll a variant of Win32/Spy.KeyLogger.NOB trojan




    I installed the Panda program and ran it as you instructed.

    ComboFix 11-08-24.06 - brandon 08/24/2011 18:28:16.2.2 - x64
    Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.3062.1466 [GMT -4:00]
    Running from: c:\users\brandon\Desktop\New folder (2)\ComboFix.exe
    Command switches used :: c:\users\brandon\Desktop\CFScript.txt
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\brandon\AppData\Local\Temp\jna602907723646504310.tmp
    H:\autorun.inf . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-24 22:41 . 2011-08-24 22:41 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-08-24 22:17 . 2011-08-24 22:17 -------- d-----w- c:\programdata\Panda Security
    2011-08-24 22:16 . 2011-08-24 22:16 -------- d-----w- c:\program files (x86)\Panda USB Vaccine
    2011-08-23 22:49 . 2011-08-23 22:49 -------- d-----w- c:\program files (x86)\ESET
    2011-08-23 22:44 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E998F6B8-001F-44E4-900D-0C3A91D994BB}\mpengine.dll
    2011-08-21 02:18 . 2011-08-21 02:18 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-08-20 20:40 . 2011-08-20 20:40 912344 ----a-w- c:\program files (x86)\Mozilla Firefox\firefox.exe
    2011-08-20 20:27 . 2011-08-20 20:27 -------- d-----w- c:\users\brandon\AppData\Roaming\Malwarebytes
    2011-08-20 20:27 . 2011-07-06 23:52 41272 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-08-20 20:27 . 2011-08-20 20:27 -------- d-----w- c:\programdata\Malwarebytes
    2011-08-20 20:27 . 2011-07-06 23:52 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-08-20 20:27 . 2011-08-20 20:27 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-08-11 20:53 . 2011-02-01 19:15 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F517459A-A578-4313-84C5-B420EC6A13AF}\gapaengine.dll
    2011-08-10 01:29 . 2011-06-15 09:58 106496 ----a-w- c:\windows\system32\odbccu32.dll
    2011-08-10 01:29 . 2011-06-15 09:58 106496 ----a-w- c:\windows\system32\odbccr32.dll
    2011-08-10 01:29 . 2011-06-15 09:58 126976 ----a-w- c:\program files\Common Files\System\Ole DB\msdaosp.dll
    2011-08-10 01:29 . 2011-06-15 09:58 212992 ----a-w- c:\windows\system32\odbctrac.dll
    2011-08-10 01:29 . 2011-06-15 09:58 163840 ----a-w- c:\windows\system32\odbccp32.dll
    2011-08-10 01:29 . 2011-06-15 09:04 81920 ----a-w- c:\windows\SysWow64\odbccr32.dll
    2011-08-10 01:29 . 2011-06-15 09:04 319488 ----a-w- c:\windows\SysWow64\odbcjt32.dll
    2011-08-10 01:29 . 2011-06-15 09:04 122880 ----a-w- c:\windows\SysWow64\odbccp32.dll
    2011-08-10 01:29 . 2011-06-15 09:04 86016 ----a-w- c:\windows\SysWow64\odbccu32.dll
    2011-08-10 01:29 . 2011-06-15 09:04 163840 ----a-w- c:\windows\SysWow64\odbctrac.dll
    2011-08-10 01:29 . 2011-06-15 09:04 94208 ----a-w- c:\program files (x86)\Common Files\System\Ole DB\msdaosp.dll
    2011-07-30 07:02 . 2011-07-30 07:02 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2011-07-30 07:01 . 2011-07-13 04:53 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-12 04:10 . 2010-05-16 16:13 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-07-16 04:32 . 2011-08-10 01:28 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2011-07-04 20:01 . 2010-11-05 16:12 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-06-11 02:56 . 2011-07-12 22:46 3134464 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-21_03.06.19 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-07-14 04:54 . 2011-08-21 03:04 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2011-08-24 22:44 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2011-08-24 22:44 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2011-08-21 03:04 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2011-08-24 22:44 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2011-08-21 03:04 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 05:10 . 2011-08-21 03:07 46544 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2009-07-14 05:10 . 2011-08-24 22:46 46544 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2010-05-14 14:37 . 2011-08-24 22:46 12552 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2017227136-3672621299-1236113359-1000_UserData.bin
    - 2010-05-14 14:37 . 2011-08-21 01:52 12552 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2017227136-3672621299-1236113359-1000_UserData.bin
    - 2010-05-13 20:35 . 2011-08-10 07:27 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-05-13 20:35 . 2011-08-24 22:16 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-05-13 20:35 . 2011-08-10 07:27 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-05-13 20:35 . 2011-08-24 22:16 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2011-08-10 07:27 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2011-08-24 22:16 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-05-19 02:00 . 2011-08-24 22:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-05-19 02:00 . 2011-08-21 03:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-05-19 02:00 . 2011-08-21 03:06 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-05-19 02:00 . 2011-08-24 22:45 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-05-19 02:00 . 2011-08-24 22:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-05-19 02:00 . 2011-08-21 03:06 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-05-14 00:45 . 2011-08-24 22:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-05-14 00:45 . 2011-08-21 03:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-05-14 00:45 . 2011-08-24 22:45 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-05-14 00:45 . 2011-08-21 03:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-08-21 03:03 . 2011-08-21 03:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-08-24 22:44 . 2011-08-24 22:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-08-21 03:03 . 2011-08-21 03:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-08-24 22:44 . 2011-08-24 22:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2010-05-18 02:37 . 2011-08-24 11:32 176876 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
    + 2010-05-14 00:42 . 2011-08-24 21:44 289660 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    - 2009-07-14 02:34 . 2011-08-21 00:09 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    + 2009-07-14 02:34 . 2011-08-24 21:46 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-07-23 402432]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-08-10 421888]
    "DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
    "PWRISOVM.EXE"="c:\program files (x86)\PowerISO\PWRISOVM.EXE" [2010-04-12 180224]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    c:\users\brandon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    GmoteServer.lnk - c:\program files (x86)\GmoteServer\GmoteServer.exe [2011-3-12 451584]
    Webshots.lnk - c:\program files (x86)\Webshots\3.1.5.7617\Launcher.exe [2010-5-24 157088]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux1"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 AGCoreService;AG Core Services;c:\program files (x86)\AGI\core\4.2.0.10753\AGCoreService.exe [x]
    R2 gupdate1cafb891d680e77;Google Update Service (gupdate1cafb891d680e77);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-24 133104]
    R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys [x]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-24 133104]
    R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
    R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
    R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
    S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-06-28 2151640]
    S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
    S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    S3 MRVW148;Marvell TOPDOG (TM) 802.11abgn Driver for Vista Native WIFI (CB8x/EC8x);c:\windows\system32\DRIVERS\MRVW148.sys [x]
    S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 11:19]
    .
    2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-24 21:35]
    .
    2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-24 21:35]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.0.1
    FF - ProfilePath - c:\users\brandon\AppData\Roaming\Mozilla\Firefox\Profiles\az64lpfz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://randomabs.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Click to call with Skype: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
    FF - Ext: BlockSite: {dd3d7613-0246-469d-bc65-2a3cc1668adc} - %profile%\extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10e.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10e.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10e.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
    c:\program files (x86)\Panda USB Vaccine\USBVaccine.exe
    c:\program files (x86)\Webshots\3.1.5.7617\webshots.scr
    c:\program files (x86)\Java\jre6\bin\javaw.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-24 19:04:39 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-24 23:04
    ComboFix2.txt 2011-08-21 03:12
    .
    Pre-Run: 37,494,517,760 bytes free
    Post-Run: 36,383,043,584 bytes free
    .
    - - End Of File - - 6FB544ED39AAEE75EF6AF75A6A0B2CE6



    I disabled the outdated Java plugins - you said I don't need Java plugin for Firefox. Should I just disable the updated version as well?

    I uninstalled the outdated Adobe reader and installed the updated version.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:36:52 PM, on 8/24/2011
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16839)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files (x86)\GmoteServer\GmoteServer.exe
    C:\Program Files (x86)\Webshots\3.1.5.7617\webshots.scr
    C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
    C:\Program Files (x86)\Java\jre6\bin\javaw.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    C:\Users\brandon\Desktop\New folder (2)\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - Startup: GmoteServer.lnk = C:\Program Files (x86)\GmoteServer\GmoteServer.exe
    O4 - Startup: Webshots.lnk = C:\Program Files (x86)\Webshots\3.1.5.7617\Launcher.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: AG Core Services (AGCoreService) - Unknown owner - C:\Program Files (x86)\AGI\core\4.2.0.10753\AGCoreService.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate1cafb891d680e77) (gupdate1cafb891d680e77) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 7965 bytes
     
  9. lthebmanl

    lthebmanl TS Rookie Topic Starter Posts: 24

    Hey,

    I'm assuming that my computer is cleaned since I haven't received a response from you... Just double-checking.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No, don't assume. Understand that the feedback email of a reply sometimes-like now-doesn't get through. Give me a few minutes and I'll have instructions for you.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you have the device for Drive H connected when you ran Panda?
    Combofix shows: H:\autorun.inf . . . . Failed to delete
    ======================================
    Most of the entries in Eset relate to Android. I am removing those entries, but if you hve a removable device using Android, you will need to disinfect it also. Just be sure it's connected when you run Panda.
    -------------------------
    There were also entries related to the keylogger.
    Please download OTMovit by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{190A2F4F-CDB0-4DA1-BC6B-C10431D730E8}-FascinateRoot_v02.zip 
      C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{559DE9C0-3347-42CE-976A-220A077B9EFE}-FascinateRoot_v02.zip 
      C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{A2B30104-2D7E-47B4-ADE8-56E7F750E33A}-FascinateRoot_v02.zip 
      C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{190A2F4F-CDB0-4DA1-BC6B-C10431D730E8}-FascinateRoot_v02.zip 
      C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{559DE9C0-3347-42CE-976A-220A077B9EFE}-FascinateRoot_v02.zip 
      C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{A2B30104-2D7E-47B4-ADE8-56E7F750E33A}-FascinateRoot_v02.zip 
      C:\Windows\System32\msauncerp.dll 
      C:\Windows\SysWOW64\msauncerp.dll 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =============================================
    Please open Firefox> Tools> Addon> remove the Java entries for v6u16, v6u20 and v6u26.
    Update the Java now to v6u27: Java Updates Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    Note: Uncheck 'Install Yahoo Toolbar' on the download screen before you do the update.
    It is not necessary to add a separate extension to Firefox for Java.
    ============================================
    The system looks great! Combofix and HijackThis do not require any changes.
    It would be a good idea to run this to get rid of any Tracking Cookies left. Just be sure to check the lind to remove the entries found:
    [​IMG]
    SuperAntiSpyware Home Edition Free Version
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
    • Check: 'Perform Complete Scan then Click 'Next' to start the scan.
    • Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
    • Make sure everything found has a checkmark next to it,then press 'Next'.
    • Click on 'Finish' when you've done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor,such as Notepad. Paste the notepad file here on your reply

    If there are no new problems, after you run the above, I'll have you remove the cleaning tools.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do you plan to continue?
     
  13. lthebmanl

    lthebmanl TS Rookie Topic Starter Posts: 24

    Yes. Sorry. I've been slammed at work. I've got half of it done.
     
  14. lthebmanl

    lthebmanl TS Rookie Topic Starter Posts: 24

    I did have a device connected to Drive H. I fixed it and had it deleted.

    I no longer have the Android phone.

    Here is the OTM log:

    All processes killed
    ========== FILES ==========
    C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{190A2F4F-CDB0-4DA1-BC6B-C10431D730E8}-FascinateRoot_v02.zip moved successfully.
    C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{559DE9C0-3347-42CE-976A-220A077B9EFE}-FascinateRoot_v02.zip moved successfully.
    C:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{A2B30104-2D7E-47B4-ADE8-56E7F750E33A}-FascinateRoot_v02.zip moved successfully.
    File/Folder C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{190A2F4F-CDB0-4DA1-BC6B-C10431D730E8}-FascinateRoot_v02.zip not found.
    File/Folder C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{559DE9C0-3347-42CE-976A-220A077B9EFE}-FascinateRoot_v02.zip not found.
    File/Folder C:\Users\All Users\Microsoft\Microsoft Antimalware\LocalCopy\{A2B30104-2D7E-47B4-ADE8-56E7F750E33A}-FascinateRoot_v02.zip not found.
    DllUnregisterServer procedure not found in C:\Windows\System32\msauncerp.dll
    C:\Windows\System32\msauncerp.dll moved successfully.
    File/Folder C:\Windows\SysWOW64\msauncerp.dll not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: brandon
    ->Temp folder emptied: 123207844 bytes
    ->Temporary Internet Files folder emptied: 67246818 bytes
    ->Java cache emptied: 1 bytes
    ->FireFox cache emptied: 99352719 bytes
    ->Flash cache emptied: 372406 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 41620 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 508928 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 89080 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 84860 bytes
    RecycleBin emptied: 515024323 bytes

    Total Files Cleaned = 769.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 09072011_205858

    Files moved on Reboot...
    C:\Users\brandon\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

    Registry entries deleted on Reboot...


    I tried to remove the Java addons for Firefox; however, the browser only gave me the option to disable and not to remove.

    Here is the SAS log


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 09/08/2011 at 00:12 AM

    Application Version : 5.0.1118

    Core Rules Database Version : 7658
    Trace Rules Database Version: 5470

    Scan type : Complete Scan
    Total Scan Time : 02:00:01

    Operating System Information
    Windows 7 Enterprise 64-bit (Build 6.01.7600)
    UAC On - Limited User

    Memory items scanned : 545
    Memory threats detected : 0
    Registry items scanned : 71206
    Registry threats detected : 156
    File items scanned : 100651
    File threats detected : 12

    Adware.MyWebSearch/FunWebProducts
    (x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}
    (x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
    (x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
    (x86) HKCR\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
    (x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}
    (x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\ProxyStubClsid32
    (x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib
    (x86) HKCR\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}\TypeLib#Version
    (x64) HKCR\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA}
    (x64) HKCR\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA}\ProxyStubClsid32
    (x64) HKCR\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA}\TypeLib
    (x64) HKCR\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA}\TypeLib#Version
    (x64) HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}
    (x64) HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\ProxyStubClsid32
    (x64) HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\TypeLib
    (x64) HKCR\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\TypeLib#Version
    (x64) HKCR\Interface\{1093995A-BA37-41D2-836E-091067C4AD17}
    (x64) HKCR\Interface\{1093995A-BA37-41D2-836E-091067C4AD17}\ProxyStubClsid32
    (x64) HKCR\Interface\{1093995A-BA37-41D2-836E-091067C4AD17}\TypeLib
    (x64) HKCR\Interface\{1093995A-BA37-41D2-836E-091067C4AD17}\TypeLib#Version
    (x64) HKCR\Interface\{120927BF-1700-43BC-810F-FAB92549B390}
    (x64) HKCR\Interface\{120927BF-1700-43BC-810F-FAB92549B390}\ProxyStubClsid32
    (x64) HKCR\Interface\{120927BF-1700-43BC-810F-FAB92549B390}\TypeLib
    (x64) HKCR\Interface\{120927BF-1700-43BC-810F-FAB92549B390}\TypeLib#Version
    (x64) HKCR\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}
    (x64) HKCR\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}\ProxyStubClsid32
    (x64) HKCR\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}\TypeLib
    (x64) HKCR\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}\TypeLib#Version
    (x64) HKCR\Interface\{1F52A5FA-A705-4415-B975-88503B291728}
    (x64) HKCR\Interface\{1F52A5FA-A705-4415-B975-88503B291728}\ProxyStubClsid32
    (x64) HKCR\Interface\{1F52A5FA-A705-4415-B975-88503B291728}\TypeLib
    (x64) HKCR\Interface\{1F52A5FA-A705-4415-B975-88503B291728}\TypeLib#Version
    (x64) HKCR\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}
    (x64) HKCR\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}\ProxyStubClsid32
    (x64) HKCR\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}\TypeLib
    (x64) HKCR\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}\TypeLib#Version
    (x64) HKCR\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}
    (x64) HKCR\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32
    (x64) HKCR\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib
    (x64) HKCR\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib#Version
    (x64) HKCR\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495}
    (x64) HKCR\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495}\ProxyStubClsid32
    (x64) HKCR\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495}\TypeLib
    (x64) HKCR\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495}\TypeLib#Version
    (x64) HKCR\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}
    (x64) HKCR\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}\ProxyStubClsid32
    (x64) HKCR\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}\TypeLib
    (x64) HKCR\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}\TypeLib#Version
    (x64) HKCR\Interface\{3E720451-B472-4954-B7AA-33069EB53906}
    (x64) HKCR\Interface\{3E720451-B472-4954-B7AA-33069EB53906}\ProxyStubClsid32
    (x64) HKCR\Interface\{3E720451-B472-4954-B7AA-33069EB53906}\TypeLib
    (x64) HKCR\Interface\{3E720451-B472-4954-B7AA-33069EB53906}\TypeLib#Version
    (x64) HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}
    (x64) HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\ProxyStubClsid32
    (x64) HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\TypeLib
    (x64) HKCR\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\TypeLib#Version
    (x64) HKCR\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}
    (x64) HKCR\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}\ProxyStubClsid32
    (x64) HKCR\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}\TypeLib
    (x64) HKCR\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}\TypeLib#Version
    (x64) HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}
    (x64) HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\ProxyStubClsid32
    (x64) HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\TypeLib
    (x64) HKCR\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\TypeLib#Version
    (x64) HKCR\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA}
    (x64) HKCR\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA}\ProxyStubClsid32
    (x64) HKCR\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA}\TypeLib
    (x64) HKCR\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA}\TypeLib#Version
    (x64) HKCR\Interface\{72EE7F04-15BD-4845-A005-D6711144D86A}
    (x64) HKCR\Interface\{72EE7F04-15BD-4845-A005-D6711144D86A}\ProxyStubClsid32
    (x64) HKCR\Interface\{72EE7F04-15BD-4845-A005-D6711144D86A}\TypeLib
    (x64) HKCR\Interface\{72EE7F04-15BD-4845-A005-D6711144D86A}\TypeLib#Version
    (x64) HKCR\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9}
    (x64) HKCR\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9}\ProxyStubClsid32
    (x64) HKCR\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib
    (x64) HKCR\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib#Version
    (x64) HKCR\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}
    (x64) HKCR\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}\ProxyStubClsid32
    (x64) HKCR\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib
    (x64) HKCR\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib#Version
    (x64) HKCR\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}
    (x64) HKCR\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}\ProxyStubClsid32
    (x64) HKCR\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib
    (x64) HKCR\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib#Version
    (x64) HKCR\Interface\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9}
    (x64) HKCR\Interface\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9}\ProxyStubClsid32
    (x64) HKCR\Interface\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib
    (x64) HKCR\Interface\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib#Version
    (x64) HKCR\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}
    (x64) HKCR\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}\ProxyStubClsid32
    (x64) HKCR\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}\TypeLib
    (x64) HKCR\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}\TypeLib#Version
    (x64) HKCR\Interface\{991AAC62-B100-47CE-8B75-253965244F69}
    (x64) HKCR\Interface\{991AAC62-B100-47CE-8B75-253965244F69}\ProxyStubClsid32
    (x64) HKCR\Interface\{991AAC62-B100-47CE-8B75-253965244F69}\TypeLib
    (x64) HKCR\Interface\{991AAC62-B100-47CE-8B75-253965244F69}\TypeLib#Version
    (x64) HKCR\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}
    (x64) HKCR\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}\ProxyStubClsid32
    (x64) HKCR\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}\TypeLib
    (x64) HKCR\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}\TypeLib#Version
    (x64) HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}
    (x64) HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\ProxyStubClsid32
    (x64) HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\TypeLib
    (x64) HKCR\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\TypeLib#Version
    (x64) HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}
    (x64) HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32
    (x64) HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib
    (x64) HKCR\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib#Version
    (x64) HKCR\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}
    (x64) HKCR\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}\ProxyStubClsid32
    (x64) HKCR\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}\TypeLib
    (x64) HKCR\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}\TypeLib#Version
    (x64) HKCR\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}
    (x64) HKCR\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}\ProxyStubClsid32
    (x64) HKCR\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}\TypeLib
    (x64) HKCR\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}\TypeLib#Version
    (x64) HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E}
    (x64) HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E}\ProxyStubClsid32
    (x64) HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E}\TypeLib
    (x64) HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E}\TypeLib#Version
    (x64) HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}
    (x64) HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\ProxyStubClsid32
    (x64) HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\TypeLib
    (x64) HKCR\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\TypeLib#Version
    (x64) HKCR\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}
    (x64) HKCR\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}\ProxyStubClsid32
    (x64) HKCR\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}\TypeLib
    (x64) HKCR\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}\TypeLib#Version
    (x64) HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}
    (x64) HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\ProxyStubClsid32
    (x64) HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\TypeLib
    (x64) HKCR\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\TypeLib#Version
    (x64) HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}
    (x64) HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\ProxyStubClsid32
    (x64) HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\TypeLib
    (x64) HKCR\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\TypeLib#Version
    (x64) HKCR\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}
    (x64) HKCR\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}\ProxyStubClsid32
    (x64) HKCR\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}\TypeLib
    (x64) HKCR\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}\TypeLib#Version

    Adware.Zango/ShoppingReport
    (x86) HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}
    (x86) HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}\ProxyStubClsid32
    (x86) HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}\TypeLib
    (x86) HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}\TypeLib#Version
    (x86) HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}
    (x86) HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\ProxyStubClsid32
    (x86) HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\TypeLib
    (x86) HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\TypeLib#Version
    (x86) HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}
    (x86) HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\ProxyStubClsid32
    (x86) HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\TypeLib
    (x86) HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\TypeLib#Version
    (x64) HKCR\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D}
    (x64) HKCR\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D}\ProxyStubClsid32
    (x64) HKCR\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D}\TypeLib
    (x64) HKCR\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D}\TypeLib#Version

    Adware.Tracking Cookie
    C:\Users\brandon\AppData\Roaming\Microsoft\Windows\Cookies\brandon@cts.metricsdirect[1].txt
    C:\Users\brandon\AppData\Roaming\Microsoft\Windows\Cookies\brandon@cts.zroitracker[1].txt
    C:\Users\brandon\AppData\Roaming\Microsoft\Windows\Cookies\brandon@invitemedia[2].txt
    C:\Users\brandon\AppData\Roaming\Microsoft\Windows\Cookies\brandon@lucidmedia[2].txt
    C:\Users\brandon\AppData\Roaming\Microsoft\Windows\Cookies\brandon@media.licenseacquisition[1].txt
    C:\Users\brandon\AppData\Roaming\Microsoft\Windows\Cookies\brandon@media6degrees[2].txt
    C:\Users\brandon\AppData\Roaming\Microsoft\Windows\Cookies\brandon@content.licenseacquisition[1].txt
    C:\Users\brandon\AppData\Roaming\Microsoft\Windows\Cookies\XQKEJXOE.txt
    C:\Users\brandon\AppData\Roaming\Microsoft\Windows\Cookies\3WFZTMJU.txt
    C:\USERS\BRANDON\APPDATA\ROAMING\MICROSOFT\WINDOWS\COOKIES\LOW\BRANDON@IMRWORLDWIDE[2].TXT
    media.mtvnservices.com [ C:\WINDOWS.OLD\USERS\BRANDON\APPDATA\ROAMING\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\Y47ZYERM ]

    Rogue.Agent/Gen-Nullo[DLL]
    C:\WINDOWS\SYSTEM32\CWIENAUG.DLL
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    sign on to the Administrative account> That should display both options.
    ==================================
    You can use the Mbam you just downloaded for this:
    Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the the Perform Full Scan option is selected and then click on the Scan button.

    When scan has finished, you will see this image:
    [​IMG]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ==================================
    Reset Cookies

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    (First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
    =======================================
    This is a hefty number of files in OTM: Total Files Cleaned = 769.00 mb You might want to consider doing the computer maintenance more often.
     
  16. lthebmanl

    lthebmanl TS Rookie Topic Starter Posts: 24

    I am the administrator on the computer and it still doesn't give me the option.

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 7719

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    9/15/2011 12:12:30 AM
    mbam-log-2011-09-15 (00-12-30).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 508638
    Time elapsed: 1 hour(s), 59 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    I followed your previous instructions for removing cookies on firefox


    I have previously added 'adblock plus' and 'easy list' per your instructions

    yes, I realized that I should do this more often. I appreciate your advice.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay- is it safe to assume you are no longer being redirected?

    As for Java in Firefox- disabled is okay. You can try accessing the Java Comsole in Firefox and see if it will delete there.

    You've done a good job. I will leave some tips to help the system stay clean.

    Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
      [o] Click START> then RUN
      [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      [o] Double click OTCleanIt.exe.
      [o] Click the CleanUp! button.
      [o] If you are prompted to Reboot during the cleanup, select Yes.
      [o]The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • Set a new, clean Restore Point
      [o] Click on Start> right click on Computer> Properties
      [o] Select System Protection
      [o] Click on the Create button (near bottom)
      [o] Type a name for the Restore Point
      [o] Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
      [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
      [o] Click Disk Cleanup from there.
      [​IMG]
      [o] Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
      [o] Click the More Options tab
      [​IMG]
      [o] Click the Clean up under System Restore and Shadow Copies.
      [o] Click OK.
      [o] You will get a confirmation screen> Just click Delete.
      [o] Click OK on the Disk Cleanup Screen.
      [o] Click Delete Files on the Confirmation screen.
    [​IMG]
    This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    Images courtesy lytebyte.

    Empty the Recycle Bin
    =================================
    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o]Antivirus :(only one):Both of the following programs are free and known to be good:
      [o]Avira-AntiVir-Personal-Free-Antivirus
      [o]Avast-Free Antivirus
      [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o]Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Sitefrequently. All updates marked Critical and the current SP updates.
      [o]Adobe Reader Install current, uninstall old.
      [o]Java Updates Install current, uninstall old.
    5. Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner
      [o] ATF Cleaner by Atribune
    6. Restore Points:
      [o]See System Restore Guide
    7. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.
     
  18. lthebmanl

    lthebmanl TS Rookie Topic Starter Posts: 24

    Another problem :(

    Hey,

    So I'm having an issue with my computer and I posted a thread asking for help and who ever responded didn't provide much help. The last time I worked with you, you were very thorough and very helpful, so, I wanted to ask you about my problem directly. Here goes:

    Last night I was watching a movie on my computer and fell asleep. This is common practice. I woke up several hours later to see my computer had froze. I was forced to perform a hard restart. Upon restart I noticed that Windows was configuring updates. It finished and I logged on. From there, the computer ran, and continues to run, painfully slow. Taking well over two minutes to respond to a ctrl-alt-del command.

    I restarted the computer again and gave it 30 min while I ate breakfast. When I returned, the computer was still acting up. So I booted it up in safe mode. From there, I uninstalled the Windows updates. I also tried to uninstall the Microsoft Office 2007 updates but the installer was denied as it wasn't listed as a safe program.

    I restarted the computer again and nothing changed. I do believe this issue is fixable because the computer ran great in safe mode. This just comes as very unexpected because I wasn't doing anything to the computer to cause this. The computer was running perfect before I went to sleep.

    I was told to do a security software scan to look for infected drivers. I used one of the programs you told me to download a few months back. Nothing came back as infected.

    I then began to disable drivers while in safe mode to see if that would work. Now, when I boot normally it looks like I'm in safe mode but the problem still continues.

    Any help would be great. Thanks.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please refer to the help you are getting here: http://www.techspot.com/vb/topic177636.html

    There is a reply indicating it appears to be driver issue> Ask if you should post mini-dump logs on that thread.

    When that thread has finished, if the helper thinks there might be a malware issue, you will be referred back to this forum.

    This thread should have been closed as Solved
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...