TechSpot

Infected... "sirefef" keeps returning

Solved
By John Sharp
Nov 22, 2012
  1. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

  2. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    ESET found no files, but I am still getting occasional redirects... especially from Google searches.
     
  3. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Which browser is affected?
    What about other browser(s)?
     
  4. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    Firefox and IE... It happens prob 1 out of 10 clicks or so.
     
  5. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Let's start with IE.
    Open it, go to Tools>Internet options>Advanced tab and click on the "Reset" button.
    Restart IE, use it for a while and let me know how it goes.
     
  6. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    Still getting re-directs...

    IE example: searching from Google for "tire help" and clicking on a link for Goodyear, it redirects to compare.us.com/xxxxxxxxxxxxx
     
  7. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    For x32 (x86) bit systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flash drive into the infected PC.

    If you are using Windows 8, consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt.

    If you are using Vista or Windows 7, enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer", find your flash drive letter and close Notepad.
    • In the command window type e:\frst (for the x64 bit version type e:\frst64) and press Enter.
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  8. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    FRST

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-12-2012
    Ran by SYSTEM at 10-12-2012 10:00:11
    Running from E:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10144288 2010-04-13] (Realtek Semiconductor)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
    HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe" [82792 2012-11-26] (Sendori, Inc.)
    HKU\jah\...\Run: [Novatel Wireless] Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info [760320 2012-12-04] ()
    Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
    Tcpip\..\Interfaces\{00DB6E6E-F3AB-4C9D-8D23-EDB53E8402C6}: [NameServer]192.168.9.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Jungle Disk Desktop.lnk
    ShortcutTarget: Jungle Disk Desktop.lnk -> C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe (Jungle Disk, Inc.)
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\jah\Start Menu\Programs\Startup\PdaNet Desktop.lnk
    ShortcutTarget: PdaNet Desktop.lnk -> C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe ()

    ==================== Services (Whitelisted) ===================

    2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [118632 2012-11-26] (Sendori, Inc.)
    2 JungleDiskService; "C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe" --service [9761096 2011-05-17] (Jungle Disk, Inc.)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
    2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [14696 2012-11-26] (sendori)
    2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3569512 2012-11-26] (Sendori)

    ==================== Drivers (Whitelisted) =====================

    1 cbfs3; C:\Windows\System32\Drivers\cbfs3.sys [321424 2010-11-30] (EldoS Corporation)
    0 mbamchameleon; C:\Windows\System32\Drivers\mbamchameleon.sys [36680 2012-11-23] ()
    0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
    3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
    0 mbamswissarmy; C:\Windows\System32\drivers\mbamswissarmy.sys [x]
    3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-12-08 11:00 - 2011-10-04 04:22 - 00203320 ____A (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\ssudmdm.sys
    2012-12-08 11:00 - 2011-10-04 04:22 - 00095544 ____A (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\ssudbus.sys
    2012-12-08 10:59 - 2012-12-08 10:59 - 00000000 ____D C:\Program Files\SAMSUNG
    2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Samsung
    2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Application Data\Samsung
    2012-12-08 10:57 - 2012-12-08 10:58 - 00000000 ____D C:\Samsung Galaxy S3 QCom ToolKit
    2012-12-08 10:57 - 2012-12-08 10:57 - 00001651 ____A C:\Users\jah\Desktop\Samsung GS3 QCom ToolKit.lnk
    2012-12-08 10:26 - 2012-12-08 10:26 - 07444480 ____A C:\Users\jah\Desktop\recovery-clockwork-touch-6.0.1.2-d2spr.tar
    2012-12-08 10:25 - 2012-12-08 10:25 - 06410240 ____A C:\Users\jah\Desktop\Sprint_Stock_Recovery.tar
    2012-12-08 09:45 - 2012-12-08 09:45 - 00000000 ____D C:\Users\jah\Desktop\Odin3-v1.85
    2012-12-08 09:42 - 2012-12-08 09:42 - 01461029 ____A (Farbar) C:\Users\jah\Desktop\FRST64(1).exe
    2012-12-07 14:09 - 2012-12-07 14:09 - 00683568 ____A C:\Windows\Minidump\120712-18876-01.dmp
    2012-12-06 18:06 - 2012-12-06 18:07 - 00000030 ____A C:\Users\jah\Desktop\New Text Document.txt
    2012-12-06 14:06 - 2012-12-06 14:07 - 00683568 ____A C:\Windows\Minidump\120612-17799-01.dmp
    2012-12-04 18:15 - 2012-12-04 18:15 - 00000000 ____D C:\Program Files (x86)\ESET
    2012-12-04 18:14 - 2012-12-04 18:14 - 02322184 ____A (ESET) C:\Users\jah\Downloads\esetsmartinstaller_enu.exe
    2012-12-04 18:02 - 2012-12-04 18:02 - 00448512 ____A (OldTimer Tools) C:\Users\jah\Desktop\TFC.exe
    2012-12-04 18:01 - 2012-12-04 18:02 - 00696153 ____A (Farbar) C:\Users\jah\Desktop\FSS.exe
    2012-12-04 18:01 - 2012-12-04 18:01 - 00856731 ____A C:\Users\jah\Desktop\SecurityCheck.exe
    2012-12-04 17:53 - 2012-12-04 17:53 - 00000000 ____D C:\_OTL
    2012-12-04 17:51 - 2012-12-04 17:52 - 00602112 ____A (OldTimer Tools) C:\Users\jah\Desktop\OTL.exe
    2012-11-27 14:54 - 2012-12-04 17:58 - 00000000 ____D C:\Users\jah\Local Settings\Novatel Wireless
    2012-11-27 14:54 - 2012-12-04 17:58 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Novatel Wireless
    2012-11-27 14:54 - 2012-12-04 17:58 - 00000000 ____D C:\Users\jah\AppData\Local\Novatel Wireless
    2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\PDF Architect
    2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\Application Data\PDF Architect
    2012-11-26 19:36 - 2012-11-26 19:36 - 00069384 ____A C:\Users\JMS\Downloads\TS010169559.dotx
    2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\Application Data\PDF Architect
    2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\AppData\Roaming\PDF Architect
    2012-11-26 19:28 - 2012-11-29 21:05 - 00000000 ____D C:\Users\All Users\Sendori
    2012-11-26 19:28 - 2012-11-29 21:05 - 00000000 ____D C:\Users\All Users\Application Data\Sendori
    2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\Application Data\APP_NAME_NON_STRING
    2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\AppData\Roaming\APP_NAME_NON_STRING
    2012-11-26 19:28 - 2012-11-26 13:12 - 00321384 ____A (Sendori) C:\Windows\SysWOW64\Sendori.dll
    2012-11-26 19:27 - 2012-11-29 21:06 - 00000000 ____D C:\Program Files (x86)\Sendori
    2012-11-26 19:27 - 2012-11-26 19:28 - 00000000 ____D C:\Program Files (x86)\PDFCreator
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\pdfforge
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\OpenCandy
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\pdfforge
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\OpenCandy
    2012-11-26 19:27 - 2012-10-28 17:32 - 00103936 ____A (pdfforge GbR) C:\Windows\System32\pdfcmon.dll
    2012-11-26 19:27 - 2012-05-05 09:54 - 01071088 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
    2012-11-26 19:27 - 2012-05-05 09:54 - 00662288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCT2.OCX
    2012-11-26 19:27 - 2012-05-05 09:54 - 00137000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSMAPI32.OCX
    2012-11-26 19:27 - 2012-05-05 09:54 - 00023552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSMPIDE.DLL
    2012-11-26 19:21 - 2012-11-26 19:21 - 00457048 ____A (pdfforge GbR ) C:\Users\JMS\Downloads\PDFCreatorWebSetup.exe
    2012-11-26 19:17 - 2012-11-26 20:04 - 00000000 ____D C:\Users\JMS\Application Data\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 20:04 - 00000000 ____D C:\Users\JMS\AppData\Roaming\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\AppData\Local\SoftGrid Client
    2012-11-23 18:09 - 2012-11-23 18:18 - 00000000 ____D C:\Qoobox
    2012-11-23 18:09 - 2012-11-23 18:16 - 00000000 ____D C:\Windows\erdnt
    2012-11-23 18:09 - 2011-06-26 00:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-11-23 18:09 - 2010-11-07 11:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-11-23 18:09 - 2009-04-19 22:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00098816 ____A C:\Windows\sed.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00080412 ____A C:\Windows\grep.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00068096 ____A C:\Windows\zip.exe
    2012-11-23 15:18 - 2012-11-23 15:18 - 00279088 ____A C:\Windows\Minidump\112312-19936-01.dmp
    2012-11-23 13:34 - 2012-11-23 13:34 - 00000317 ____A C:\Users\jah\Downloads\fixlist.txt
    2012-11-23 13:07 - 2012-11-23 13:07 - 01461039 ____A (Farbar) C:\Users\jah\Downloads\FRST64.exe
    2012-11-23 11:17 - 2012-11-23 11:17 - 00036680 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
    2012-11-22 23:15 - 2012-11-22 23:17 - 12961620 ____A C:\Users\jah\Downloads\mbar-1.01.0.1009.zip
    2012-11-22 19:02 - 2012-11-22 19:02 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-11-22 18:25 - 2012-11-22 18:45 - 13529576 ____A (Microsoft Corporation) C:\Users\jah\Downloads\mseinstall.exe
    2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\Application Data\Malwarebytes
    2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\AppData\Roaming\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-11-22 18:13 - 2012-09-29 18:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-11-22 18:05 - 2012-11-22 18:12 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\jah\Downloads\mbam-setup-1.65.1.1000.exe
    2012-11-15 10:26 - 2012-01-31 06:44 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe


    ==================== One Month Modified Files and Folders =======

    2012-12-10 08:57 - 2009-07-13 23:10 - 01199752 ____A C:\Windows\WindowsUpdate.log
    2012-12-10 08:56 - 2009-07-13 22:51 - 00030623 ____A C:\Windows\setupact.log
    2012-12-08 11:24 - 2009-07-13 22:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-12-08 11:24 - 2009-07-13 22:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-12-08 11:21 - 2009-07-13 23:13 - 00714754 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-12-08 11:17 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-12-08 10:59 - 2012-12-08 10:59 - 00000000 ____D C:\Program Files\SAMSUNG
    2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Samsung
    2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Application Data\Samsung
    2012-12-08 10:58 - 2012-12-08 10:57 - 00000000 ____D C:\Samsung Galaxy S3 QCom ToolKit
    2012-12-08 10:57 - 2012-12-08 10:57 - 00001651 ____A C:\Users\jah\Desktop\Samsung GS3 QCom ToolKit.lnk
    2012-12-08 10:26 - 2012-12-08 10:26 - 07444480 ____A C:\Users\jah\Desktop\recovery-clockwork-touch-6.0.1.2-d2spr.tar
    2012-12-08 10:25 - 2012-12-08 10:25 - 06410240 ____A C:\Users\jah\Desktop\Sprint_Stock_Recovery.tar
    2012-12-08 09:45 - 2012-12-08 09:45 - 00000000 ____D C:\Users\jah\Desktop\Odin3-v1.85
    2012-12-08 09:42 - 2012-12-08 09:42 - 01461029 ____A (Farbar) C:\Users\jah\Desktop\FRST64(1).exe
    2012-12-07 14:09 - 2012-12-07 14:09 - 00683568 ____A C:\Windows\Minidump\120712-18876-01.dmp
    2012-12-07 14:09 - 2012-09-08 22:42 - 00000000 ____D C:\Windows\Minidump
    2012-12-07 14:09 - 2012-09-08 22:41 - 374365794 ____A C:\Windows\MEMORY.DMP
    2012-12-06 19:11 - 2012-10-29 14:52 - 00000000 ____D C:\Users\jah\My Documents\Misc
    2012-12-06 19:11 - 2012-10-29 14:52 - 00000000 ____D C:\Users\jah\Documents\Misc
    2012-12-06 18:07 - 2012-12-06 18:06 - 00000030 ____A C:\Users\jah\Desktop\New Text Document.txt
    2012-12-06 14:07 - 2012-12-06 14:06 - 00683568 ____A C:\Windows\Minidump\120612-17799-01.dmp
    2012-12-05 09:28 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\Application Data\SoftGrid Client
    2012-12-05 09:28 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\AppData\Roaming\SoftGrid Client
    2012-12-04 18:15 - 2012-12-04 18:15 - 00000000 ____D C:\Program Files (x86)\ESET
    2012-12-04 18:14 - 2012-12-04 18:14 - 02322184 ____A (ESET) C:\Users\jah\Downloads\esetsmartinstaller_enu.exe
    2012-12-04 18:02 - 2012-12-04 18:02 - 00448512 ____A (OldTimer Tools) C:\Users\jah\Desktop\TFC.exe
    2012-12-04 18:02 - 2012-12-04 18:01 - 00696153 ____A (Farbar) C:\Users\jah\Desktop\FSS.exe
    2012-12-04 18:01 - 2012-12-04 18:01 - 00856731 ____A C:\Users\jah\Desktop\SecurityCheck.exe
    2012-12-04 17:58 - 2012-11-27 14:54 - 00000000 ____D C:\Users\jah\Local Settings\Novatel Wireless
    2012-12-04 17:58 - 2012-11-27 14:54 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Novatel Wireless
    2012-12-04 17:58 - 2012-11-27 14:54 - 00000000 ____D C:\Users\jah\AppData\Local\Novatel Wireless
    2012-12-04 17:53 - 2012-12-04 17:53 - 00000000 ____D C:\_OTL
    2012-12-04 17:52 - 2012-12-04 17:51 - 00602112 ____A (OldTimer Tools) C:\Users\jah\Desktop\OTL.exe
    2012-11-29 21:06 - 2012-11-26 19:27 - 00000000 ____D C:\Program Files (x86)\Sendori
    2012-11-29 21:05 - 2012-11-26 19:28 - 00000000 ____D C:\Users\All Users\Sendori
    2012-11-29 21:05 - 2012-11-26 19:28 - 00000000 ____D C:\Users\All Users\Application Data\Sendori
    2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\PDF Architect
    2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\Application Data\PDF Architect
    2012-11-27 09:30 - 2010-11-17 20:47 - 00010474 ____A C:\Windows\PFRO.log
    2012-11-26 20:04 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Application Data\SoftGrid Client
    2012-11-26 20:04 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\AppData\Roaming\SoftGrid Client
    2012-11-26 19:36 - 2012-11-26 19:36 - 00069384 ____A C:\Users\JMS\Downloads\TS010169559.dotx
    2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\Application Data\PDF Architect
    2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\AppData\Roaming\PDF Architect
    2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\Application Data\APP_NAME_NON_STRING
    2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\AppData\Roaming\APP_NAME_NON_STRING
    2012-11-26 19:28 - 2012-11-26 19:27 - 00000000 ____D C:\Program Files (x86)\PDFCreator
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\pdfforge
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\OpenCandy
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\pdfforge
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\OpenCandy
    2012-11-26 19:21 - 2012-11-26 19:21 - 00457048 ____A (pdfforge GbR ) C:\Users\JMS\Downloads\PDFCreatorWebSetup.exe
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\AppData\Local\SoftGrid Client
    2012-11-26 13:12 - 2012-11-26 19:28 - 00321384 ____A (Sendori) C:\Windows\SysWOW64\Sendori.dll
    2012-11-23 18:18 - 2012-11-23 18:09 - 00000000 ____D C:\Qoobox
    2012-11-23 18:18 - 2009-07-13 21:20 - 00000000 __RHD C:\users\Default
    2012-11-23 18:16 - 2012-11-23 18:09 - 00000000 ____D C:\Windows\erdnt
    2012-11-23 18:15 - 2009-07-13 20:34 - 00000215 ____A C:\Windows\system.ini
    2012-11-23 17:42 - 2012-11-03 11:46 - 00000000 ____D C:\Users\jah\Desktop\From Phone
    2012-11-23 15:18 - 2012-11-23 15:18 - 00279088 ____A C:\Windows\Minidump\112312-19936-01.dmp
    2012-11-23 13:34 - 2012-11-23 13:34 - 00000317 ____A C:\Users\jah\Downloads\fixlist.txt
    2012-11-23 13:07 - 2012-11-23 13:07 - 01461039 ____A (Farbar) C:\Users\jah\Downloads\FRST64.exe
    2012-11-23 11:17 - 2012-11-23 11:17 - 00036680 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
    2012-11-22 23:17 - 2012-11-22 23:15 - 12961620 ____A C:\Users\jah\Downloads\mbar-1.01.0.1009.zip
    2012-11-22 19:02 - 2012-11-22 19:02 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-11-22 18:45 - 2012-11-22 18:25 - 13529576 ____A (Microsoft Corporation) C:\Users\jah\Downloads\mseinstall.exe
    2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\Application Data\Malwarebytes
    2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\AppData\Roaming\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-11-22 18:12 - 2012-11-22 18:05 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\jah\Downloads\mbam-setup-1.65.1.1000.exe
    2012-11-15 09:05 - 2010-11-17 19:29 - 00000000 ____D C:\Program Files (x86)\Dell
    2012-11-13 18:51 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\NDF
    2012-11-13 18:40 - 2011-01-15 07:44 - 00000073 ____A C:\Windows\SysWOW64\ToasterLauncherLog.log
    2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\Local Settings\SoftThinks
    2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\SoftThinks
    2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\AppData\Local\SoftThinks
    2012-11-11 14:49 - 2012-11-06 17:22 - 00000000 ____D C:\Users\JMS\Application Data\JungleDisk
    2012-11-11 14:49 - 2012-11-06 17:22 - 00000000 ____D C:\Users\JMS\AppData\Roaming\JungleDisk


    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\@
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\00000004.@
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\4cce1f70
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\55490ac4

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-11-22 17:49:08
    Restore point made on: 2012-11-22 23:18:28
    Restore point made on: 2012-11-22 23:50:24
    Restore point made on: 2012-11-23 11:37:24
    Restore point made on: 2012-11-23 18:01:27
    Restore point made on: 2012-11-26 19:18:30
    Restore point made on: 2012-11-27 09:33:25
    Restore point made on: 2012-11-29 11:40:36
    Restore point made on: 2012-11-30 12:43:18
    Restore point made on: 2012-12-03 13:23:44
    Restore point made on: 2012-12-05 18:31:14
    Restore point made on: 2012-12-07 09:02:34

    ==================== Memory info ===========================

    Percentage of memory in use: 14%
    Total physical RAM: 3892.52 MB
    Available physical RAM: 3339.3 MB
    Total Pagefile: 3890.67 MB
    Available Pagefile: 3328.34 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB

    ==================== Partitions =============================

    1 Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:417.64 GB) NTFS
    3 Drive e: (XP-KOMKU) (Removable) (Total:3.73 GB) (Free:2.67 GB) FAT
    4 Drive f: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 Online 3821 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 101 MB 31 KB
    Partition 2 Primary 14 GB 101 MB
    Partition 3 Primary 451 GB 14 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 FAT Partition 101 MB Healthy Hidden

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 F RECOVERY NTFS Partition 14 GB Healthy

    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 451 GB Healthy

    =========================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3821 MB 31 KB

    ==================================================================================

    Disk: 2
    Partition 1
    Type : 0E
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 E XP-KOMKU FAT Removable 3821 MB Healthy

    =========================================================

    Last Boot: 2012-12-05 18:57

    ==================== End Of Log =============================
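A small triage parser for FRST output like the log above, added here as an example; it is not part of the thread and not Farbar's tool. It splits the log into its ==== sections, flags paths under the ZeroAccess label that follow the $Recycle.Bin\<SID>\$<32 hex> layout shown in the log, and picks out autorun entries that FRST marked [x] or that load a binary with no recorded publisher from a user profile path. The sample log is an abridged copy of lines from the post above, and the heuristics are mine, not rules FRST itself applies.

```python
import re
from typing import Dict, List

# Abridged sample, constructed from lines of the FRST log posted above;
# the header and most sections are trimmed, so it is not a complete log.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
HKLM-x32\...\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe" [82792 2012-11-26] (Sendori, Inc.)
HKU\jah\...\Run: [Novatel Wireless] Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info [760320 2012-12-04] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]

==================== Services (Whitelisted) ===================

2 JungleDiskService; "C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe" --service [9761096 2011-05-17] (Jungle Disk, Inc.)

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\@
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\00000004.@

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
"""

# "==================== Name ===================" section headers
SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")
# FRST prints its ZeroAccess findings under a bare label, not a ==== header
ZA_LABEL = "ZeroAccess:"
# Hidden-folder layout seen in the log: $Recycle.Bin\<SID>\$<32 hex chars>,
# with @, L and U children below it
ZA_PATH_RE = re.compile(
    r"\\\$Recycle\.Bin\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32}(?:\\|$)", re.I
)
# "<key>: [name] <command> [size date] (publisher)" autorun lines
AUTORUN_RE = re.compile(r"^(?P<key>\S+?):\s+(?:\[(?P<name>[^\]]+)\]\s+)?(?P<rest>.+)$")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty log lines under the section header they follow."""
    sections: Dict[str, List[str]] = {}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"="}:
            continue  # blank line or a bare separator rule
        m = SECTION_RE.match(line)
        if m or line == ZA_LABEL:
            current = m.group(1) if m else "ZeroAccess"
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def analyze(text: str) -> Dict[str, List[str]]:
    """Return the log lines a triager would look at first, by category (heuristics are mine)."""
    sections = split_sections(text)
    findings: Dict[str, List[str]] = {
        "zeroaccess_paths": [],        # hidden $Recycle.Bin folder tree
        "missing_file": [],            # FRST printed [x]: file not found or not readable
        "no_publisher_user_path": [],  # no company name, loaded from a user profile
    }
    for line in sections.get("ZeroAccess", []):
        if ZA_PATH_RE.search(line):
            findings["zeroaccess_paths"].append(line)
    for line in sections.get("Registry (Whitelisted)", []):
        m = AUTORUN_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").rstrip()
        low = rest.lower()
        if low.endswith("[x]"):
            findings["missing_file"].append(line)
        elif rest.endswith("()") and "\\users\\" in low and "appdata" in low:
            findings["no_publisher_user_path"].append(line)
    return findings


if __name__ == "__main__":
    for category, lines in analyze(SAMPLE_LOG).items():
        print(f"{category}: {len(lines)}")
        for line in lines:
            print("   ", line)
```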
     
  9. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Download the attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64, press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Next...

    Restart normally and check for redirections.
     

  10. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-12-2012
    Ran by SYSTEM at 2012-12-11 16:38:33 Run:1
    Running from E:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b moved successfully.

    ==== End of Fixlog ====


    Still getting redirects from Google searches.
     
  11. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Which browser?

    Create a new restore point before proceeding with the next step.
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ********************************************

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt
     
     
  12. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    Both firefox and IE

    I tried to download MBAR again and the site seems to be down, and the MBAR that I downloaded previously says it is outdated and will not run.
     
  13. Broni

    Broni Malware Annihilator Posts: 47,066   +256

  14. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    Thanks... not sure why, the Mbyte site loads but will not connect to the file... anyway, here are the logs
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7600 Windows 7 x64

    Account is Administrative

    Internet Explorer version: 8.0.7600.16385

    Java version: 1.6.0_37

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 4081606656, free: 2555224064

    Initializing...
    Done!
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 7F2837E

    Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 208782

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 208845 Numsec = 30720000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 30928845 Numsec = 945842275

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 217934C

    Partition information:

    Partition 0 type is Other (0xe)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 7827329
    Partition file system is FAT
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 4007624704 bytes
    Sector size: 512 bytes

    Done!
    Performing system, memory and registry scan...
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Novatel Wireless --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\Local Settings\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\Local Settings\Application Data\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Done!
    Scan finished
    Creating System Restore point...
    Scheduling clean up...
    Removal scheduling successful. System shutdown needed.
    System shutdown occurred
    =======================================


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7600 Windows 7 x64

    Account is Administrative

    Internet Explorer version: 8.0.7600.16385

    Java version: 1.6.0_37

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 4081606656, free: 2974633984






    Malwarebytes Anti-Rootkit 1.01.0.1011
    www.malwarebytes.org

    Database version: v2012.12.03.14

    Windows 7 x64 NTFS
    Internet Explorer 8.0.7600.16385
    jah :: JAH-PC [administrator]

    12/11/2012 6:11:15 PM
    mbar-log-2012-12-11 (18-11-15).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 26433
    Time elapsed: 12 minute(s), 2 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 8
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Novatel Wireless (Spyware.Password) -> Data: Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info -> Delete on reboot.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\Local Settings\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\Local Settings\Application Data\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.

    (end)
     
  15. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    It looks like you got reinfected at some point.

    Re-run Combofix and post new log.
     
  16. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    Hmmm... I don't know where I could have been re-infected.

    ComboFix 12-12-10.01 - jah 12/12/2012 0:03.3.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3893.2808 [GMT -5:00]
    Running from: c:\users\jah\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
    SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-12 to 2012-12-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-12 05:08 . 2012-12-12 05:08 -------- d-----w- c:\users\JMS\AppData\Local\temp
    2012-12-12 05:08 . 2012-12-12 05:08 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-12-11 20:41 . 2012-11-19 06:01 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BB58237F-1BFC-4A94-A2E0-C0F64CC9CA83}\mpengine.dll
    2012-12-11 20:38 . 2012-11-19 06:01 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-12-11 20:23 . 2012-12-11 20:23 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2012-12-10 16:00 . 2012-12-10 16:00 -------- d-----w- C:\FRST
    2012-12-08 17:00 . 2011-10-04 10:22 95544 ----a-w- c:\windows\system32\drivers\ssudbus.sys
    2012-12-08 17:00 . 2011-10-04 10:22 203320 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
    2012-12-08 16:59 . 2012-12-08 16:59 -------- d-----w- c:\program files\SAMSUNG
    2012-12-08 16:58 . 2012-12-08 16:58 -------- d-----w- c:\programdata\Samsung
    2012-12-08 16:57 . 2012-12-08 16:58 -------- d-----w- C:\Samsung Galaxy S3 QCom ToolKit
    2012-12-05 00:15 . 2012-12-05 00:15 -------- d-----w- c:\program files (x86)\ESET
    2012-12-04 23:53 . 2012-12-04 23:53 -------- d-----w- C:\_OTL
    2012-11-27 20:54 . 2012-12-11 23:23 -------- d-----w- c:\users\jah\AppData\Local\Novatel Wireless
    2012-11-27 15:34 . 2012-11-27 15:34 -------- d-----w- c:\programdata\PDF Architect
    2012-11-27 01:32 . 2012-11-27 01:32 -------- d-----w- c:\users\JMS\AppData\Roaming\PDF Architect
    2012-11-27 01:28 . 2012-11-27 01:28 -------- d-----w- c:\users\JMS\AppData\Roaming\APP_NAME_NON_STRING
    2012-11-27 01:28 . 2012-11-26 19:12 321384 ----a-w- c:\windows\SysWow64\Sendori.dll
    2012-11-27 01:28 . 2012-11-30 03:05 -------- d-----w- c:\programdata\Sendori
    2012-11-27 01:27 . 2012-11-30 03:06 -------- d-----w- c:\program files (x86)\Sendori
    2012-11-27 01:27 . 2012-11-27 01:27 -------- d-----w- c:\users\jah\AppData\Roaming\pdfforge
    2012-11-27 01:27 . 2012-10-28 23:32 103936 ----a-w- c:\windows\system32\pdfcmon.dll
    2012-11-27 01:27 . 2012-05-05 15:54 662288 ----a-w- c:\windows\SysWow64\MSCOMCT2.OCX
    2012-11-27 01:27 . 2012-05-05 15:54 137000 ----a-w- c:\windows\SysWow64\MSMAPI32.OCX
    2012-11-27 01:27 . 2012-05-05 15:54 1071088 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
    2012-11-27 01:27 . 2012-11-27 01:28 -------- d-----w- c:\program files (x86)\PDFCreator
    2012-11-27 01:27 . 2012-11-27 01:27 -------- d-----w- c:\users\jah\AppData\Roaming\OpenCandy
    2012-11-27 01:27 . 2012-05-05 15:54 23552 ----a-w- c:\windows\SysWow64\MSMPIDE.DLL
    2012-11-27 01:26 . 2012-11-27 01:26 -------- d-----w- c:\users\jah\AppData\Local\Programs
    2012-11-27 01:17 . 2012-11-27 02:04 -------- d-----w- c:\users\JMS\AppData\Roaming\SoftGrid Client
    2012-11-27 01:17 . 2012-11-27 01:17 -------- d-----w- c:\users\JMS\AppData\Local\SoftGrid Client
    2012-11-23 01:00 . 2012-11-23 01:00 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-11-23 01:00 . 2012-11-23 01:00 -------- d-----w- c:\program files\Microsoft Security Client
    2012-11-23 00:14 . 2012-11-23 00:14 -------- d-----w- c:\users\jah\AppData\Roaming\Malwarebytes
    2012-11-23 00:13 . 2012-11-23 00:13 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-11-23 00:13 . 2012-11-23 00:13 -------- d-----w- c:\programdata\Malwarebytes
    2012-11-23 00:13 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-11-15 16:26 . 2012-10-17 08:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8AAAE944-8C65-4237-9062-2AA068A12DD5}\mpengine.dll
    2012-11-15 16:26 . 2012-01-31 12:44 279656 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-31 17:16 . 2012-10-31 17:16 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
    2012-10-31 17:16 . 2010-11-18 00:55 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-10-29 20:44 . 2012-10-29 20:44 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-10-29 20:44 . 2012-10-29 20:44 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
    @="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
    [HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
    2010-11-30 17:03 155416 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
    "Sendori Tray"="c:\program files (x86)\Sendori\SendoriTray.exe" [2012-11-26 82792]
    .
    c:\users\jah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    PdaNet Desktop.lnk - c:\program files (x86)\PdaNet for Android\PdaNetPC.exe [2012-10-27 484976]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Jungle Disk Desktop.lnk - c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-5-17 9761096]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-10-13 9216]
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2011-10-04 95544]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
    R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-05-07 245792]
    R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2011-10-04 203320]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
    S1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [2010-11-30 321424]
    S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
    S2 Application Sendori;Application Sendori;c:\program files (x86)\Sendori\SendoriSvc.exe [2012-11-26 118632]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
    S2 JungleDiskService;JungleDiskService;c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-05-17 9761096]
    S2 Service Sendori;Service Sendori;c:\program files (x86)\Sendori\Sendori.Service.exe [2012-11-26 14696]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
    S2 sndappv2;sndappv2;c:\program files (x86)\Sendori\sndappv2.exe [2012-11-26 3569512]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-07-01 2533400]
    S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [2010-02-02 20984]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-06-21 287232]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2009-12-22 74280]
    S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2011-11-25 15360]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2009-12-03 721768]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2009-12-03 269672]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-12-03 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2009-12-03 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
    .
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
    @="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
    [HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
    2010-11-30 17:03 188696 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk1_Complete]
    @="{78061A12-1E91-4446-8B65-8ED2FF328D4A}"
    [HKEY_CLASSES_ROOT\CLSID\{78061A12-1E91-4446-8B65-8ED2FF328D4A}]
    2011-03-04 17:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk2_InProgress]
    @="{700AD13D-E86F-41C9-9A8F-39B4C438806F}"
    [HKEY_CLASSES_ROOT\CLSID\{700AD13D-E86F-41C9-9A8F-39B4C438806F}]
    2011-03-04 17:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk3_Conflicted]
    @="{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}"
    [HKEY_CLASSES_ROOT\CLSID\{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}]
    2011-03-04 17:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-04-14 10144288]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 161304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 415256]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = g.msn.com/USCON/1
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.2.254
    TCP: Interfaces\{00DB6E6E-F3AB-4C9D-8D23-EDB53E8402C6}: NameServer = 192.168.9.1
    TCP: Interfaces\{AF2F0A21-2F5A-4F21-A096-48DD4B96F4C6}\D496649643632303C402A45647071636B6022383332402355636572756: NameServer = 192.168.1.1
    FF - ProfilePath - c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://forums.offtopic.com/
    FF - ExtSQL: 2012-10-29 16:37; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
    FF - ExtSQL: 2012-10-29 16:39; tineye@ideeinc.com; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\tineye@ideeinc.com.xpi
    FF - ExtSQL: 2012-10-31 13:16; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
    FF - ExtSQL: 2012-11-03 17:15; {8ed952a0-199c-11d9-9669-0800200c9a66}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{8ed952a0-199c-11d9-9669-0800200c9a66}.xpi
    FF - ExtSQL: 2012-11-21 21:03; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
    FF - ExtSQL: 2012-11-23 13:21; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
    "ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-12-12 00:09:58
    ComboFix-quarantined-files.txt 2012-12-12 05:09
    .
    Pre-Run: 447,213,293,568 bytes free
    Post-Run: 447,150,936,064 bytes free
    .
    - - End Of File - - 3640E6940A7DD1D66484CB28BB4923D7
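The MBAR log in post 14 and the ComboFix "Reg Loading Points" section in post 16 show the two autorun formats that appear in this thread, and between them the one persistence mechanism that was actually found: an HKCU\...\CurrentVersion\Run value that launches Rundll32.exe against a DLL under the user's AppData\Local. The following Python is an added example, not part of the thread and not code from Malwarebytes or ComboFix. It parses both log formats and flags autorun entries whose launcher is rundll32/regsvr32 loading a DLL, or whose image sits in a user-writable profile directory; entries under Program Files or System32 pass untouched. The function names (parse_autoruns, extract_paths, classify, flag_autoruns), the regexes and the list of "user-writable" roots are my own choices; the sample lines are copied from the logs posted above.

```python
import re
from pathlib import PureWindowsPath

# Constructed input. Line 1 is the "Registry Values Detected" line from the MBAR
# log (post 14); the bracketed key and the quoted "name"="path" [date size]
# lines are Run entries from the ComboFix log (post 16), copied as posted.
SAMPLE_LINES = [
    r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Novatel Wireless (Spyware.Password) -> Data: Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info -> Delete on reboot.',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]',
    r'"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]',
    r'"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]',
    r'"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]',
]

# MBAR: <hive\key>|<value name> (<detection>) -> Data: <command line> -> <action>
MBAR_RE = re.compile(r'^(?P<key>HK\w+\\[^|]+)\|(?P<name>.+?) \((?P<det>[^)]+)\) -> Data: (?P<cmd>.+?) -> .+$')
# ComboFix: a [HKEY_...] header followed by "name"="image path" [date size]
CF_KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
CF_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"(?: \[[^\]]*\])?$')

# Lazy match up to the first .exe/.dll: ComboFix writes image paths unquoted,
# spaces and all, so a whitespace-delimited token regex would cut them short.
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll)\b', re.I)
# Directories an unprivileged user can write to; assumption: these are the
# locations a practitioner would want called out in an autorun review.
USER_WRITABLE_RE = re.compile(
    r'\\users\\[^\\]+\\(?:appdata|local settings)\\|\\\$recycle\.bin\\|\\temp\\', re.I)
DLL_LOADERS = {'rundll32.exe', 'regsvr32.exe'}


def parse_autoruns(lines):
    """Turn MBAR and ComboFix autorun lines into {key, name, command} dicts."""
    entries, current_key = [], None
    for line in lines:
        line = line.strip()
        if m := MBAR_RE.match(line):
            entries.append({'key': m['key'], 'name': m['name'], 'command': m['cmd']})
        elif m := CF_KEY_RE.match(line):
            current_key = m['key']            # applies to the quoted lines that follow
        elif m := CF_VAL_RE.match(line):
            entries.append({'key': current_key, 'name': m['name'], 'command': m['cmd']})
    return entries


def extract_paths(command):
    """Collect file paths from a command line: quoted arguments first, then any
    unquoted drive-letter path left over once the quoted parts are blanked."""
    paths = re.findall(r'"([A-Za-z]:\\[^"]+)"', command)
    unquoted = re.sub(r'"[^"]*"', ' ', command)
    paths.extend(PATH_RE.findall(unquoted))
    return paths


def classify(entry):
    """Return the reasons an autorun entry deserves a look (empty list = nothing odd)."""
    reasons = []
    command = entry['command'].strip()
    launcher = PureWindowsPath(command.split(' ', 1)[0].strip('"')).name.lower()
    paths = extract_paths(command)
    if launcher in DLL_LOADERS and any(p.lower().endswith('.dll') for p in paths):
        reasons.append(f'{launcher} used to load a DLL at logon')
    for p in paths:
        if USER_WRITABLE_RE.search(p):
            reasons.append(f'image lives in a user-writable directory: {p}')
    return reasons


def flag_autoruns(lines):
    """Parse the log lines and keep only the entries with at least one reason."""
    flagged = []
    for entry in parse_autoruns(lines):
        reasons = classify(entry)
        if reasons:
            flagged.append({**entry, 'reasons': reasons})
    return flagged


if __name__ == '__main__':
    for hit in flag_autoruns(SAMPLE_LINES):
        print(f"{hit['key']}\\{hit['name']}")
        print(f"  {hit['command']}")
        for reason in hit['reasons']:
            print(f"  - {reason}")
```

Run against the sample, only the Novatel Wireless entry is returned, with both reasons; the three Program Files entries produce none. The check is deliberately narrow: a rundll32 Run value pointing into AppData is worth a look on any box, but a hit is a lead to investigate, not a verdict, and the same logic can be pointed at a live system by feeding it the output of a registry export of the Run keys.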
     
  17. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Looks good.
    How is redirection?
     
  18. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    Everything seems good now...THANK YOU! Should I be using something other than Defender and Essentials?
     
  19. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    You're fine.

    Make sure you reset your restore point one more time.
    Turn system restore off.
    Restart computer.
    Turn system restore on.

    Good luck and stay safe :)
     