TechSpot

Infected... "sirefef" keeps returning

By John Sharp
Nov 22, 2012
  1. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    Dupe
     
  2. John Sharp

    ESET found no files, but I am still getting occasional redirects...especially from google searches
     
  3. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Which browser is affected?
    What about other browser(s)?
     
  4. John Sharp

    Firefox and IE... It happens prob 1 out of 10 clicks or so
     
  5. Broni

    Let's start with IE.
    Open it, go to Tools>Internet options>Advanced tab and click on the "Reset" button.
    Restart IE, use it for a while and let me know how it goes.
     
  6. John Sharp

    Still getting re-directs...

    IE example: searching from google for "tire help", click on a link for goodyear, it directs to compare.us.com/xxxxxxxxxxxxx
     
  7. Broni

    For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

      • Startup Repair
        System Restore
        Windows Complete PC Restore
        Windows Memory Diagnostic Tool
        Command Prompt
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
     
  8. John Sharp

    FRST

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-12-2012
    Ran by SYSTEM at 10-12-2012 10:00:11
    Running from E:\
    Windows 7 Home Premium (X64) OS Language: English(US)
    The current controlset is ControlSet001

    ==================== Registry (Whitelisted) ===================

    HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)
    HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10144288 2010-04-13] (Realtek Semiconductor)
    HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
    HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
    HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
    HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
    HKLM-x32\...\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe" [82792 2012-11-26] (Sendori, Inc.)
    HKU\jah\...\Run: [Novatel Wireless] Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info [760320 2012-12-04] ()
    Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
    Tcpip\..\Interfaces\{00DB6E6E-F3AB-4C9D-8D23-EDB53E8402C6}: [NameServer]192.168.9.1
    Startup: C:\Users\All Users\Start Menu\Programs\Startup\Jungle Disk Desktop.lnk
    ShortcutTarget: Jungle Disk Desktop.lnk -> C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe (Jungle Disk, Inc.)
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
    ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
    Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
    ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    Startup: C:\Users\jah\Start Menu\Programs\Startup\PdaNet Desktop.lnk
    ShortcutTarget: PdaNet Desktop.lnk -> C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe ()

    ==================== Services (Whitelisted) ===================

    2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [118632 2012-11-26] (Sendori, Inc.)
    2 JungleDiskService; "C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe" --service [9761096 2011-05-17] (Jungle Disk, Inc.)
    2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
    3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
    2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [14696 2012-11-26] (sendori)
    2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3569512 2012-11-26] (Sendori)

    ==================== Drivers (Whitelisted) =====================

    1 cbfs3; C:\Windows\System32\Drivers\cbfs3.sys [321424 2010-11-30] (EldoS Corporation)
    0 mbamchameleon; C:\Windows\System32\Drivers\mbamchameleon.sys [36680 2012-11-23] ()
    0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
    3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
    0 mbamswissarmy; C:\Windows\System32\drivers\mbamswissarmy.sys [x]
    3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

    ==================== NetSvcs (Whitelisted) ====================


    ==================== One Month Created Files and Folders ========

    2012-12-08 11:00 - 2011-10-04 04:22 - 00203320 ____A (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\ssudmdm.sys
    2012-12-08 11:00 - 2011-10-04 04:22 - 00095544 ____A (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\ssudbus.sys
    2012-12-08 10:59 - 2012-12-08 10:59 - 00000000 ____D C:\Program Files\SAMSUNG
    2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Samsung
    2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Application Data\Samsung
    2012-12-08 10:57 - 2012-12-08 10:58 - 00000000 ____D C:\Samsung Galaxy S3 QCom ToolKit
    2012-12-08 10:57 - 2012-12-08 10:57 - 00001651 ____A C:\Users\jah\Desktop\Samsung GS3 QCom ToolKit.lnk
    2012-12-08 10:26 - 2012-12-08 10:26 - 07444480 ____A C:\Users\jah\Desktop\recovery-clockwork-touch-6.0.1.2-d2spr.tar
    2012-12-08 10:25 - 2012-12-08 10:25 - 06410240 ____A C:\Users\jah\Desktop\Sprint_Stock_Recovery.tar
    2012-12-08 09:45 - 2012-12-08 09:45 - 00000000 ____D C:\Users\jah\Desktop\Odin3-v1.85
    2012-12-08 09:42 - 2012-12-08 09:42 - 01461029 ____A (Farbar) C:\Users\jah\Desktop\FRST64(1).exe
    2012-12-07 14:09 - 2012-12-07 14:09 - 00683568 ____A C:\Windows\Minidump\120712-18876-01.dmp
    2012-12-06 18:06 - 2012-12-06 18:07 - 00000030 ____A C:\Users\jah\Desktop\New Text Document.txt
    2012-12-06 14:06 - 2012-12-06 14:07 - 00683568 ____A C:\Windows\Minidump\120612-17799-01.dmp
    2012-12-04 18:15 - 2012-12-04 18:15 - 00000000 ____D C:\Program Files (x86)\ESET
    2012-12-04 18:14 - 2012-12-04 18:14 - 02322184 ____A (ESET) C:\Users\jah\Downloads\esetsmartinstaller_enu.exe
    2012-12-04 18:02 - 2012-12-04 18:02 - 00448512 ____A (OldTimer Tools) C:\Users\jah\Desktop\TFC.exe
    2012-12-04 18:01 - 2012-12-04 18:02 - 00696153 ____A (Farbar) C:\Users\jah\Desktop\FSS.exe
    2012-12-04 18:01 - 2012-12-04 18:01 - 00856731 ____A C:\Users\jah\Desktop\SecurityCheck.exe
    2012-12-04 17:53 - 2012-12-04 17:53 - 00000000 ____D C:\_OTL
    2012-12-04 17:51 - 2012-12-04 17:52 - 00602112 ____A (OldTimer Tools) C:\Users\jah\Desktop\OTL.exe
    2012-11-27 14:54 - 2012-12-04 17:58 - 00000000 ____D C:\Users\jah\Local Settings\Novatel Wireless
    2012-11-27 14:54 - 2012-12-04 17:58 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Novatel Wireless
    2012-11-27 14:54 - 2012-12-04 17:58 - 00000000 ____D C:\Users\jah\AppData\Local\Novatel Wireless
    2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\PDF Architect
    2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\Application Data\PDF Architect
    2012-11-26 19:36 - 2012-11-26 19:36 - 00069384 ____A C:\Users\JMS\Downloads\TS010169559.dotx
    2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\Application Data\PDF Architect
    2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\AppData\Roaming\PDF Architect
    2012-11-26 19:28 - 2012-11-29 21:05 - 00000000 ____D C:\Users\All Users\Sendori
    2012-11-26 19:28 - 2012-11-29 21:05 - 00000000 ____D C:\Users\All Users\Application Data\Sendori
    2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\Application Data\APP_NAME_NON_STRING
    2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\AppData\Roaming\APP_NAME_NON_STRING
    2012-11-26 19:28 - 2012-11-26 13:12 - 00321384 ____A (Sendori) C:\Windows\SysWOW64\Sendori.dll
    2012-11-26 19:27 - 2012-11-29 21:06 - 00000000 ____D C:\Program Files (x86)\Sendori
    2012-11-26 19:27 - 2012-11-26 19:28 - 00000000 ____D C:\Program Files (x86)\PDFCreator
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\pdfforge
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\OpenCandy
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\pdfforge
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\OpenCandy
    2012-11-26 19:27 - 2012-10-28 17:32 - 00103936 ____A (pdfforge GbR) C:\Windows\System32\pdfcmon.dll
    2012-11-26 19:27 - 2012-05-05 09:54 - 01071088 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
    2012-11-26 19:27 - 2012-05-05 09:54 - 00662288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCT2.OCX
    2012-11-26 19:27 - 2012-05-05 09:54 - 00137000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSMAPI32.OCX
    2012-11-26 19:27 - 2012-05-05 09:54 - 00023552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSMPIDE.DLL
    2012-11-26 19:21 - 2012-11-26 19:21 - 00457048 ____A (pdfforge GbR ) C:\Users\JMS\Downloads\PDFCreatorWebSetup.exe
    2012-11-26 19:17 - 2012-11-26 20:04 - 00000000 ____D C:\Users\JMS\Application Data\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 20:04 - 00000000 ____D C:\Users\JMS\AppData\Roaming\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\AppData\Local\SoftGrid Client
    2012-11-23 18:09 - 2012-11-23 18:18 - 00000000 ____D C:\Qoobox
    2012-11-23 18:09 - 2012-11-23 18:16 - 00000000 ____D C:\Windows\erdnt
    2012-11-23 18:09 - 2011-06-26 00:45 - 00256000 ____A C:\Windows\PEV.exe
    2012-11-23 18:09 - 2010-11-07 11:20 - 00208896 ____A C:\Windows\MBR.exe
    2012-11-23 18:09 - 2009-04-19 22:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00098816 ____A C:\Windows\sed.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00080412 ____A C:\Windows\grep.exe
    2012-11-23 18:09 - 2000-08-30 18:00 - 00068096 ____A C:\Windows\zip.exe
    2012-11-23 15:18 - 2012-11-23 15:18 - 00279088 ____A C:\Windows\Minidump\112312-19936-01.dmp
    2012-11-23 13:34 - 2012-11-23 13:34 - 00000317 ____A C:\Users\jah\Downloads\fixlist.txt
    2012-11-23 13:07 - 2012-11-23 13:07 - 01461039 ____A (Farbar) C:\Users\jah\Downloads\FRST64.exe
    2012-11-23 11:17 - 2012-11-23 11:17 - 00036680 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
    2012-11-22 23:15 - 2012-11-22 23:17 - 12961620 ____A C:\Users\jah\Downloads\mbar-1.01.0.1009.zip
    2012-11-22 19:02 - 2012-11-22 19:02 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-11-22 18:25 - 2012-11-22 18:45 - 13529576 ____A (Microsoft Corporation) C:\Users\jah\Downloads\mseinstall.exe
    2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\Application Data\Malwarebytes
    2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\AppData\Roaming\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-11-22 18:13 - 2012-09-29 18:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
    2012-11-22 18:05 - 2012-11-22 18:12 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\jah\Downloads\mbam-setup-1.65.1.1000.exe
    2012-11-15 10:26 - 2012-01-31 06:44 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe


    ==================== One Month Modified Files and Folders =======

    2012-12-10 08:57 - 2009-07-13 23:10 - 01199752 ____A C:\Windows\WindowsUpdate.log
    2012-12-10 08:56 - 2009-07-13 22:51 - 00030623 ____A C:\Windows\setupact.log
    2012-12-08 11:24 - 2009-07-13 22:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2012-12-08 11:24 - 2009-07-13 22:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2012-12-08 11:21 - 2009-07-13 23:13 - 00714754 ____A C:\Windows\System32\PerfStringBackup.INI
    2012-12-08 11:17 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-12-08 10:59 - 2012-12-08 10:59 - 00000000 ____D C:\Program Files\SAMSUNG
    2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Samsung
    2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Application Data\Samsung
    2012-12-08 10:58 - 2012-12-08 10:57 - 00000000 ____D C:\Samsung Galaxy S3 QCom ToolKit
    2012-12-08 10:57 - 2012-12-08 10:57 - 00001651 ____A C:\Users\jah\Desktop\Samsung GS3 QCom ToolKit.lnk
    2012-12-08 10:26 - 2012-12-08 10:26 - 07444480 ____A C:\Users\jah\Desktop\recovery-clockwork-touch-6.0.1.2-d2spr.tar
    2012-12-08 10:25 - 2012-12-08 10:25 - 06410240 ____A C:\Users\jah\Desktop\Sprint_Stock_Recovery.tar
    2012-12-08 09:45 - 2012-12-08 09:45 - 00000000 ____D C:\Users\jah\Desktop\Odin3-v1.85
    2012-12-08 09:42 - 2012-12-08 09:42 - 01461029 ____A (Farbar) C:\Users\jah\Desktop\FRST64(1).exe
    2012-12-07 14:09 - 2012-12-07 14:09 - 00683568 ____A C:\Windows\Minidump\120712-18876-01.dmp
    2012-12-07 14:09 - 2012-09-08 22:42 - 00000000 ____D C:\Windows\Minidump
    2012-12-07 14:09 - 2012-09-08 22:41 - 374365794 ____A C:\Windows\MEMORY.DMP
    2012-12-06 19:11 - 2012-10-29 14:52 - 00000000 ____D C:\Users\jah\My Documents\Misc
    2012-12-06 19:11 - 2012-10-29 14:52 - 00000000 ____D C:\Users\jah\Documents\Misc
    2012-12-06 18:07 - 2012-12-06 18:06 - 00000030 ____A C:\Users\jah\Desktop\New Text Document.txt
    2012-12-06 14:07 - 2012-12-06 14:06 - 00683568 ____A C:\Windows\Minidump\120612-17799-01.dmp
    2012-12-05 09:28 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\Application Data\SoftGrid Client
    2012-12-05 09:28 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\AppData\Roaming\SoftGrid Client
    2012-12-04 18:15 - 2012-12-04 18:15 - 00000000 ____D C:\Program Files (x86)\ESET
    2012-12-04 18:14 - 2012-12-04 18:14 - 02322184 ____A (ESET) C:\Users\jah\Downloads\esetsmartinstaller_enu.exe
    2012-12-04 18:02 - 2012-12-04 18:02 - 00448512 ____A (OldTimer Tools) C:\Users\jah\Desktop\TFC.exe
    2012-12-04 18:02 - 2012-12-04 18:01 - 00696153 ____A (Farbar) C:\Users\jah\Desktop\FSS.exe
    2012-12-04 18:01 - 2012-12-04 18:01 - 00856731 ____A C:\Users\jah\Desktop\SecurityCheck.exe
    2012-12-04 17:58 - 2012-11-27 14:54 - 00000000 ____D C:\Users\jah\Local Settings\Novatel Wireless
    2012-12-04 17:58 - 2012-11-27 14:54 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Novatel Wireless
    2012-12-04 17:58 - 2012-11-27 14:54 - 00000000 ____D C:\Users\jah\AppData\Local\Novatel Wireless
    2012-12-04 17:53 - 2012-12-04 17:53 - 00000000 ____D C:\_OTL
    2012-12-04 17:52 - 2012-12-04 17:51 - 00602112 ____A (OldTimer Tools) C:\Users\jah\Desktop\OTL.exe
    2012-11-29 21:06 - 2012-11-26 19:27 - 00000000 ____D C:\Program Files (x86)\Sendori
    2012-11-29 21:05 - 2012-11-26 19:28 - 00000000 ____D C:\Users\All Users\Sendori
    2012-11-29 21:05 - 2012-11-26 19:28 - 00000000 ____D C:\Users\All Users\Application Data\Sendori
    2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\PDF Architect
    2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\Application Data\PDF Architect
    2012-11-27 09:30 - 2010-11-17 20:47 - 00010474 ____A C:\Windows\PFRO.log
    2012-11-26 20:04 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Application Data\SoftGrid Client
    2012-11-26 20:04 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\AppData\Roaming\SoftGrid Client
    2012-11-26 19:36 - 2012-11-26 19:36 - 00069384 ____A C:\Users\JMS\Downloads\TS010169559.dotx
    2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\Application Data\PDF Architect
    2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\AppData\Roaming\PDF Architect
    2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\Application Data\APP_NAME_NON_STRING
    2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\AppData\Roaming\APP_NAME_NON_STRING
    2012-11-26 19:28 - 2012-11-26 19:27 - 00000000 ____D C:\Program Files (x86)\PDFCreator
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\pdfforge
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\OpenCandy
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\pdfforge
    2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\OpenCandy
    2012-11-26 19:21 - 2012-11-26 19:21 - 00457048 ____A (pdfforge GbR ) C:\Users\JMS\Downloads\PDFCreatorWebSetup.exe
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\SoftGrid Client
    2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\AppData\Local\SoftGrid Client
    2012-11-26 13:12 - 2012-11-26 19:28 - 00321384 ____A (Sendori) C:\Windows\SysWOW64\Sendori.dll
    2012-11-23 18:18 - 2012-11-23 18:09 - 00000000 ____D C:\Qoobox
    2012-11-23 18:18 - 2009-07-13 21:20 - 00000000 __RHD C:\users\Default
    2012-11-23 18:16 - 2012-11-23 18:09 - 00000000 ____D C:\Windows\erdnt
    2012-11-23 18:15 - 2009-07-13 20:34 - 00000215 ____A C:\Windows\system.ini
    2012-11-23 17:42 - 2012-11-03 11:46 - 00000000 ____D C:\Users\jah\Desktop\From Phone
    2012-11-23 15:18 - 2012-11-23 15:18 - 00279088 ____A C:\Windows\Minidump\112312-19936-01.dmp
    2012-11-23 13:34 - 2012-11-23 13:34 - 00000317 ____A C:\Users\jah\Downloads\fixlist.txt
    2012-11-23 13:07 - 2012-11-23 13:07 - 01461039 ____A (Farbar) C:\Users\jah\Downloads\FRST64.exe
    2012-11-23 11:17 - 2012-11-23 11:17 - 00036680 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
    2012-11-22 23:17 - 2012-11-22 23:15 - 12961620 ____A C:\Users\jah\Downloads\mbar-1.01.0.1009.zip
    2012-11-22 19:02 - 2012-11-22 19:02 - 00001945 ____A C:\Windows\epplauncher.mif
    2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
    2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
    2012-11-22 18:45 - 2012-11-22 18:25 - 13529576 ____A (Microsoft Corporation) C:\Users\jah\Downloads\mseinstall.exe
    2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\Application Data\Malwarebytes
    2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\AppData\Roaming\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
    2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2012-11-22 18:12 - 2012-11-22 18:05 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\jah\Downloads\mbam-setup-1.65.1.1000.exe
    2012-11-15 09:05 - 2010-11-17 19:29 - 00000000 ____D C:\Program Files (x86)\Dell
    2012-11-13 18:51 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\NDF
    2012-11-13 18:40 - 2011-01-15 07:44 - 00000073 ____A C:\Windows\SysWOW64\ToasterLauncherLog.log
    2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\Local Settings\SoftThinks
    2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\SoftThinks
    2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\AppData\Local\SoftThinks
    2012-11-11 14:49 - 2012-11-06 17:22 - 00000000 ____D C:\Users\JMS\Application Data\JungleDisk
    2012-11-11 14:49 - 2012-11-06 17:22 - 00000000 ____D C:\Users\JMS\AppData\Roaming\JungleDisk


    ZeroAccess:
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\@
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\00000004.@
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\4cce1f70
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\55490ac4

    ==================== Known DLLs (Whitelisted) =================


    ==================== Bamital & volsnap Check =================

    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\SysWOW64\wininit.exe => MD5 is legit
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\SysWOW64\explorer.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\SysWOW64\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\SysWOW64\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\SysWOW64\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    ==================== EXE ASSOCIATION =====================

    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK

    ==================== Restore Points =========================

    Restore point made on: 2012-11-22 17:49:08
    Restore point made on: 2012-11-22 23:18:28
    Restore point made on: 2012-11-22 23:50:24
    Restore point made on: 2012-11-23 11:37:24
    Restore point made on: 2012-11-23 18:01:27
    Restore point made on: 2012-11-26 19:18:30
    Restore point made on: 2012-11-27 09:33:25
    Restore point made on: 2012-11-29 11:40:36
    Restore point made on: 2012-11-30 12:43:18
    Restore point made on: 2012-12-03 13:23:44
    Restore point made on: 2012-12-05 18:31:14
    Restore point made on: 2012-12-07 09:02:34

    ==================== Memory info ===========================

    Percentage of memory in use: 14%
    Total physical RAM: 3892.52 MB
    Available physical RAM: 3339.3 MB
    Total Pagefile: 3890.67 MB
    Available Pagefile: 3328.34 MB
    Total Virtual: 8192 MB
    Available Virtual: 8191.89 MB

    ==================== Partitions =============================

    1 Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:417.64 GB) NTFS
    3 Drive e: (XP-KOMKU) (Removable) (Total:3.73 GB) (Free:2.67 GB) FAT
    4 Drive f: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

    Disk ### Status Size Free Dyn Gpt
    -------- ------------- ------- ------- --- ---
    Disk 0 Online 465 GB 0 B
    Disk 1 No Media 0 B 0 B
    Disk 2 Online 3821 MB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 101 MB 31 KB
    Partition 2 Primary 14 GB 101 MB
    Partition 3 Primary 451 GB 14 GB

    ==================================================================================

    Disk: 0
    Partition 1
    Type : DE
    Hidden: Yes
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 5 FAT Partition 101 MB Healthy Hidden

    =========================================================

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 F RECOVERY NTFS Partition 14 GB Healthy

    =========================================================

    Disk: 0
    Partition 3
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C OS NTFS Partition 451 GB Healthy

    =========================================================

    Partitions of Disk 2:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 3821 MB 31 KB

    ==================================================================================

    Disk: 2
    Partition 1
    Type : 0E
    Hidden: No
    Active: Yes

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 4 E XP-KOMKU FAT Removable 3821 MB Healthy

    =========================================================

    Last Boot: 2012-12-05 18:57

    ==================== End Of Log =============================
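
Added example, not code from the thread, from FRST or from TechSpot: a small Python triage helper that reads lines in the shape of the FRST.txt posted above and pulls out the two things a responder checks first in a redirect case like this one. It flags Run entries that combine weak signals (a rundll32 loader, a module under a user-writable path, no publisher string in the version info, or a target FRST marked [x], which I read as "file not found"), and it reconstructs the $Recycle.Bin\$<32 hex> directory with its @/L/U entries that FRST listed under "ZeroAccess:". The signal list, the two-signal threshold and the user-writable path markers are my assumptions; a hit is a lead to look at, not a verdict. SAMPLE_LOG is a constructed excerpt of the log above, not the full log.

```python
import json
import re

# Constructed sample in the shape of the FRST.txt posted above: four Run
# entries copied from that log plus its "ZeroAccess:" section. Not the full log.
SAMPLE_LOG = r"""
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
HKU\jah\...\Run: [Novatel Wireless] Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info [760320 2012-12-04] ()
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\@
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\00000004.@

==================== Known DLLs (Whitelisted) =================
"""

# One FRST "Run" line: key, [name], command, [size date] or [x], and the company
# string FRST reads from the file's version info (empty parentheses = none).
RUN_RE = re.compile(
    r'^(?P<key>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)'
    r' \[(?:(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})|x)\](?: \((?P<publisher>[^)]*)\))?\s*$'
)
# rundll32 <dll>,<export>: the DLL is what actually runs, not rundll32 itself.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,', re.IGNORECASE)
# The directory layout FRST reported under "ZeroAccess:" in the log above.
ZA_DIR_RE = re.compile(
    r'^(?P<root>[A-Z]:\\\$Recycle\.Bin\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32})(?:\\(?P<rest>.+))?$',
    re.IGNORECASE,
)
# Path fragments an ordinary user can write to (assumed list; extend as needed).
USER_WRITABLE = ('\\users\\', '\\programdata\\', '\\temp\\')


def module_of(cmd):
    """Return (path that gets executed or loaded, loaded_via_rundll32)."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m['dll'], True
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:(end if end > 0 else None)], False
    return cmd.split(' ', 1)[0], False


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def triage_run_entries(log_text):
    """Flag Run entries that combine two or more weak signals (assumed threshold)."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        module, via_rundll32 = module_of(m['cmd'])
        reasons = []
        if via_rundll32:
            reasons.append('rundll32 loader')
        if in_user_writable(module):
            reasons.append('module under a user-writable path')
        if m['publisher'] is not None and not m['publisher'].strip():
            reasons.append('no publisher in version info')
        if m['size'] is None:
            reasons.append('target marked [x] (not found by FRST)')
        if len(reasons) >= 2:
            findings.append({'key': m['key'], 'name': m['name'],
                             'module': module, 'reasons': reasons})
    return findings


def zeroaccess_dirs(log_text):
    """Map each $Recycle.Bin\\$<32 hex> directory to the top-level entries listed in it."""
    dirs = {}
    for line in log_text.splitlines():
        m = ZA_DIR_RE.match(line.strip())
        if not m:
            continue
        entries = dirs.setdefault(m['root'], set())
        if m['rest']:
            entries.add(m['rest'].split('\\', 1)[0])
    return {root: sorted(e) for root, e in dirs.items()}


def triage(log_text):
    return {'run': triage_run_entries(log_text), 'zeroaccess': zeroaccess_dirs(log_text)}


if __name__ == '__main__':
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the excerpt this reports exactly one Run hit, the HKU\jah "Novatel Wireless" entry (all three of rundll32 loader, user-writable path and empty publisher), and one $Recycle.Bin directory carrying @, L and U. The MSC entry gets only the [x] signal and so stays below the threshold, which is deliberate: a single weak signal on its own produces too much noise on a typical OEM image.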
     
  9. Broni

    Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    On Vista or Windows 7: Now please enter System Recovery Options.
    On Windows XP: Now please boot into the UBCD.
    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

    Next...

    Restart normally and check for redirections.
     

    Attached Files:

  10. John Sharp

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-12-2012
    Ran by SYSTEM at 2012-12-11 16:38:33 Run:1
    Running from E:\

    ==============================================

    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
    C:\Windows\System32\consrv.dll not found.
    C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b moved successfully.

    ==== End of Fixlog ====


    Still getting redirects from google searches
     
  11. Broni

    Which browser?

    Create new restore point before proceeding with the next step....
    How to:
    - Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
    - Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
    - Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
    - XP: http://support.microsoft.com/kb/948247

    ********************************************

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
     
  12. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    Both Firefox and IE

    I tried to download MBAR again and the site seems to be down, and the MBAR that I downloaded previously says it is outdated and will not run
     
  13. Broni

    Broni Malware Annihilator Posts: 52,899   +344

  14. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    Thanks... not sure why, the Mbyte site loads but will not connect to the file... anyway, here are the logs
    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7600 Windows 7 x64

    Account is Administrative

    Internet Explorer version: 8.0.7600.16385

    Java version: 1.6.0_37

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 4081606656, free: 2555224064

    Initializing...
    Done!
    Scanning directory: C:\Windows\system32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 7F2837E

    Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 208782

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 208845 Numsec = 30720000
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 30928845 Numsec = 945842275

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 217934C

    Partition information:

    Partition 0 type is Other (0xe)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 7827329
    Partition file system is FAT
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 4007624704 bytes
    Sector size: 512 bytes

    Done!
    Performing system, memory and registry scan...
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Novatel Wireless --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\Local Settings\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Infected: C:\Users\jah\Local Settings\Application Data\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
    Done!
    Scan finished
    Creating System Restore point...
    Scheduling clean up...
    Removal scheduling successful. System shutdown needed.
    System shutdown occurred
    =======================================


    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.01.0.1011

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7600 Windows 7 x64

    Account is Administrative

    Internet Explorer version: 8.0.7600.16385

    Java version: 1.6.0_37

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
    CPU speed: 1.995000 GHz
    Memory total: 4081606656, free: 2974633984






    Malwarebytes Anti-Rootkit 1.01.0.1011
    www.malwarebytes.org

    Database version: v2012.12.03.14

    Windows 7 x64 NTFS
    Internet Explorer 8.0.7600.16385
    jah :: JAH-PC [administrator]

    12/11/2012 6:11:15 PM
    mbar-log-2012-12-11 (18-11-15).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
    Scan options disabled:
    Objects scanned: 26433
    Time elapsed: 12 minute(s), 2 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 8
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Novatel Wireless (Spyware.Password) -> Data: Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info -> Delete on reboot.

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\Local Settings\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
    C:\Users\jah\Local Settings\Application Data\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.

    (end)
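The one registry hit in the MBAR log is the part worth generalising: an HKCU Run value that starts `rundll32.exe` against a DLL sitting in the user's AppData folder and names an export to call. Nothing in that value needs administrator rights to create, which is why a clean rootkit scan and a persisting infection are not a contradiction. The Python below is an added example, not Malwarebytes' or ComboFix's code; it applies that rule to a constructed list of Run-key entries in which the first entry is the MBAR value from the log above, the next three are ordinary vendor entries of the kind such logs list, and the last is a made-up launcher in the roaming profile that shows the path rule on its own.

```python
"""Autorun triage for Run-key entries. Added example; not Malwarebytes' or
ComboFix's code. Sample entries are constructed: the first is the HKCU Run value
MBAR reported above, the others are typical vendor entries plus one made-up
user-profile launcher."""
import ntpath

# Locations an unprivileged user can write to. A Run value pointing here is
# worth a look; a rundll32 value loading a DLL from here is worth a close look.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\local settings\\", "\\temp\\", "\\programdata\\",
    "\\users\\public\\", "\\$recycle.bin\\",
)


def split_cmdline(cmd):
    """Minimal Windows command-line splitter: whitespace separates arguments,
    double quotes group text and are dropped. Enough for Run values."""
    args, cur, quoted, have = [], [], False, False
    for ch in cmd:
        if ch == '"':
            quoted, have = not quoted, True
        elif ch.isspace() and not quoted:
            if have:
                args.append("".join(cur))
                cur, have = [], False
        else:
            cur.append(ch)
            have = True
    if have:
        args.append("".join(cur))
    return args


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def assess_autorun(name, command):
    """Return the launched image, any rundll32 DLL/export, and a findings list."""
    result = {"name": name, "image": None, "dll": None, "export": None, "findings": []}
    args = split_cmdline(command)
    if not args:
        result["findings"].append("empty command")
        return result
    image = args[0]
    result["image"] = image
    if in_user_writable(image):
        result["findings"].append(f"image in user-writable path: {image}")
    if ntpath.basename(image).lower() == "rundll32.exe" and len(args) > 1:
        # rundll32 takes "<dll>,<export>"; the DLL path is often quoted.
        # (A comma inside the DLL path would defeat this simple split.)
        dll, _, export = args[1].partition(",")
        result["dll"], result["export"] = dll, export or None
        if in_user_writable(dll):
            result["findings"].append(
                f"rundll32 loads {ntpath.basename(dll)}!{export or '(default)'} "
                f"from user-writable path {dll}")
    return result


def triage_autoruns(entries):
    """Only the entries with at least one finding."""
    return [a for a in (assess_autorun(n, c) for n, c in entries) if a["findings"]]


SAMPLE_AUTORUNS = [
    ("Novatel Wireless",
     r'Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info'),
    ("Adobe Reader Speed Launcher",
     r'"c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
    ("SunJavaUpdateSched",
     r'"c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"'),
    ("IgfxTray", r"c:\windows\system32\igfxtray.exe"),
    ("Updater (constructed)", r'"c:\users\jah\AppData\Roaming\updater.exe" /silent'),
]

if __name__ == "__main__":
    for hit in triage_autoruns(SAMPLE_AUTORUNS):
        print(hit["name"])
        for f in hit["findings"]:
            print("   ", f)
```

A path heuristic is a first pass, not a verdict: it says nothing about entries under Program Files, and a vendor-looking name such as "Novatel Wireless" is exactly what an attacker picks for a value that must survive a glance at msconfig. The randomised file name and the odd export name are what give this one away once the rule has brought it to the surface.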
     
  15. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    It looks like you got reinfected at some point.

    Re-run Combofix and post new log.
     
  16. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    Hmmm... I don't know where I could have been re-infected.

    ComboFix 12-12-10.01 - jah 12/12/2012 0:03.3.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3893.2808 [GMT -5:00]
    Running from: c:\users\jah\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
    SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-11-12 to 2012-12-12 )))))))))))))))))))))))))))))))
    .
    .
    2012-12-12 05:08 . 2012-12-12 05:08 -------- d-----w- c:\users\JMS\AppData\Local\temp
    2012-12-12 05:08 . 2012-12-12 05:08 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-12-11 20:41 . 2012-11-19 06:01 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BB58237F-1BFC-4A94-A2E0-C0F64CC9CA83}\mpengine.dll
    2012-12-11 20:38 . 2012-11-19 06:01 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2012-12-11 20:23 . 2012-12-11 20:23 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
    2012-12-10 16:00 . 2012-12-10 16:00 -------- d-----w- C:\FRST
    2012-12-08 17:00 . 2011-10-04 10:22 95544 ----a-w- c:\windows\system32\drivers\ssudbus.sys
    2012-12-08 17:00 . 2011-10-04 10:22 203320 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
    2012-12-08 16:59 . 2012-12-08 16:59 -------- d-----w- c:\program files\SAMSUNG
    2012-12-08 16:58 . 2012-12-08 16:58 -------- d-----w- c:\programdata\Samsung
    2012-12-08 16:57 . 2012-12-08 16:58 -------- d-----w- C:\Samsung Galaxy S3 QCom ToolKit
    2012-12-05 00:15 . 2012-12-05 00:15 -------- d-----w- c:\program files (x86)\ESET
    2012-12-04 23:53 . 2012-12-04 23:53 -------- d-----w- C:\_OTL
    2012-11-27 20:54 . 2012-12-11 23:23 -------- d-----w- c:\users\jah\AppData\Local\Novatel Wireless
    2012-11-27 15:34 . 2012-11-27 15:34 -------- d-----w- c:\programdata\PDF Architect
    2012-11-27 01:32 . 2012-11-27 01:32 -------- d-----w- c:\users\JMS\AppData\Roaming\PDF Architect
    2012-11-27 01:28 . 2012-11-27 01:28 -------- d-----w- c:\users\JMS\AppData\Roaming\APP_NAME_NON_STRING
    2012-11-27 01:28 . 2012-11-26 19:12 321384 ----a-w- c:\windows\SysWow64\Sendori.dll
    2012-11-27 01:28 . 2012-11-30 03:05 -------- d-----w- c:\programdata\Sendori
    2012-11-27 01:27 . 2012-11-30 03:06 -------- d-----w- c:\program files (x86)\Sendori
    2012-11-27 01:27 . 2012-11-27 01:27 -------- d-----w- c:\users\jah\AppData\Roaming\pdfforge
    2012-11-27 01:27 . 2012-10-28 23:32 103936 ----a-w- c:\windows\system32\pdfcmon.dll
    2012-11-27 01:27 . 2012-05-05 15:54 662288 ----a-w- c:\windows\SysWow64\MSCOMCT2.OCX
    2012-11-27 01:27 . 2012-05-05 15:54 137000 ----a-w- c:\windows\SysWow64\MSMAPI32.OCX
    2012-11-27 01:27 . 2012-05-05 15:54 1071088 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
    2012-11-27 01:27 . 2012-11-27 01:28 -------- d-----w- c:\program files (x86)\PDFCreator
    2012-11-27 01:27 . 2012-11-27 01:27 -------- d-----w- c:\users\jah\AppData\Roaming\OpenCandy
    2012-11-27 01:27 . 2012-05-05 15:54 23552 ----a-w- c:\windows\SysWow64\MSMPIDE.DLL
    2012-11-27 01:26 . 2012-11-27 01:26 -------- d-----w- c:\users\jah\AppData\Local\Programs
    2012-11-27 01:17 . 2012-11-27 02:04 -------- d-----w- c:\users\JMS\AppData\Roaming\SoftGrid Client
    2012-11-27 01:17 . 2012-11-27 01:17 -------- d-----w- c:\users\JMS\AppData\Local\SoftGrid Client
    2012-11-23 01:00 . 2012-11-23 01:00 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2012-11-23 01:00 . 2012-11-23 01:00 -------- d-----w- c:\program files\Microsoft Security Client
    2012-11-23 00:14 . 2012-11-23 00:14 -------- d-----w- c:\users\jah\AppData\Roaming\Malwarebytes
    2012-11-23 00:13 . 2012-11-23 00:13 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2012-11-23 00:13 . 2012-11-23 00:13 -------- d-----w- c:\programdata\Malwarebytes
    2012-11-23 00:13 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-11-15 16:26 . 2012-10-17 08:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8AAAE944-8C65-4237-9062-2AA068A12DD5}\mpengine.dll
    2012-11-15 16:26 . 2012-01-31 12:44 279656 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-10-31 17:16 . 2012-10-31 17:16 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
    2012-10-31 17:16 . 2010-11-18 00:55 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2012-10-29 20:44 . 2012-10-29 20:44 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-10-29 20:44 . 2012-10-29 20:44 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
    @="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
    [HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
    2010-11-30 17:03 155416 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
    "Sendori Tray"="c:\program files (x86)\Sendori\SendoriTray.exe" [2012-11-26 82792]
    .
    c:\users\jah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    PdaNet Desktop.lnk - c:\program files (x86)\PdaNet for Android\PdaNetPC.exe [2012-10-27 484976]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Jungle Disk Desktop.lnk - c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-5-17 9761096]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-10-13 9216]
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2011-10-04 95544]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
    R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [x]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-05-07 245792]
    R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2011-10-04 203320]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
    S1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [2010-11-30 321424]
    S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
    S2 Application Sendori;Application Sendori;c:\program files (x86)\Sendori\SendoriSvc.exe [2012-11-26 118632]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
    S2 JungleDiskService;JungleDiskService;c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-05-17 9761096]
    S2 Service Sendori;Service Sendori;c:\program files (x86)\Sendori\Sendori.Service.exe [2012-11-26 14696]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
    S2 sndappv2;sndappv2;c:\program files (x86)\Sendori\sndappv2.exe [2012-11-26 3569512]
    S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-07-01 2533400]
    S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [2010-02-02 20984]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
    S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
    S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-06-21 287232]
    S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2009-12-22 74280]
    S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2011-11-25 15360]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2009-12-03 721768]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2009-12-03 269672]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-12-03 25960]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2009-12-03 22376]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
    .
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
    @="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
    [HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
    2010-11-30 17:03 188696 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk1_Complete]
    @="{78061A12-1E91-4446-8B65-8ED2FF328D4A}"
    [HKEY_CLASSES_ROOT\CLSID\{78061A12-1E91-4446-8B65-8ED2FF328D4A}]
    2011-03-04 17:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk2_InProgress]
    @="{700AD13D-E86F-41C9-9A8F-39B4C438806F}"
    [HKEY_CLASSES_ROOT\CLSID\{700AD13D-E86F-41C9-9A8F-39B4C438806F}]
    2011-03-04 17:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk3_Conflicted]
    @="{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}"
    [HKEY_CLASSES_ROOT\CLSID\{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}]
    2011-03-04 17:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-04-14 10144288]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 161304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 386584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 415256]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = g.msn.com/USCON/1
    mLocal Page = c:\windows\SysWOW64\blank.htm
    TCP: DhcpNameServer = 192.168.2.254
    TCP: Interfaces\{00DB6E6E-F3AB-4C9D-8D23-EDB53E8402C6}: NameServer = 192.168.9.1
    TCP: Interfaces\{AF2F0A21-2F5A-4F21-A096-48DD4B96F4C6}\D496649643632303C402A45647071636B6022383332402355636572756: NameServer = 192.168.1.1
    FF - ProfilePath - c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://forums.offtopic.com/
    FF - ExtSQL: 2012-10-29 16:37; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
    FF - ExtSQL: 2012-10-29 16:39; tineye@ideeinc.com; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\tineye@ideeinc.com.xpi
    FF - ExtSQL: 2012-10-31 13:16; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
    FF - ExtSQL: 2012-11-03 17:15; {8ed952a0-199c-11d9-9669-0800200c9a66}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{8ed952a0-199c-11d9-9669-0800200c9a66}.xpi
    FF - ExtSQL: 2012-11-21 21:03; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
    FF - ExtSQL: 2012-11-23 13:21; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
    "ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-12-12 00:09:58
    ComboFix-quarantined-files.txt 2012-12-12 05:09
    .
    Pre-Run: 447,213,293,568 bytes free
    Post-Run: 447,150,936,064 bytes free
    .
    - - End Of File - - 3640E6940A7DD1D66484CB28BB4923D7
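The "Files Created" section of a ComboFix log answers Broni's "reinfected at some point" with a date if it is read as a timeline rather than a list: entries whose creation times fall within a couple of minutes of each other were written by the same installer, and a file whose modification time predates its creation time was copied in from a package rather than generated on the machine. The Python below is an added example, not ComboFix's code; it parses that section's line format (created `.` modified, size or dashes, attribute flags, path), groups the entries by creation time and flags the copied-in files. The sample text is constructed from eight lines of the log above, so the 2012-11-27 01:26 to 01:28 group it finds is the PDFCreator, OpenCandy and Sendori entries from that log.

```python
"""Creation-time clustering of a ComboFix "Files Created" section. Added example,
not ComboFix's code. The sample below is constructed from lines in the log above
(same format: created . modified size attributes path)."""
import re
from datetime import datetime, timedelta

SAMPLE_FILES_CREATED = r"""
2012-11-27 20:54 . 2012-12-11 23:23 -------- d-----w- c:\users\jah\AppData\Local\Novatel Wireless
2012-11-27 15:34 . 2012-11-27 15:34 -------- d-----w- c:\programdata\PDF Architect
2012-11-27 01:28 . 2012-11-26 19:12 321384 ----a-w- c:\windows\SysWow64\Sendori.dll
2012-11-27 01:27 . 2012-11-30 03:06 -------- d-----w- c:\program files (x86)\Sendori
2012-11-27 01:27 . 2012-11-27 01:28 -------- d-----w- c:\program files (x86)\PDFCreator
2012-11-27 01:27 . 2012-11-27 01:27 -------- d-----w- c:\users\jah\AppData\Roaming\OpenCandy
2012-11-27 01:26 . 2012-11-27 01:26 -------- d-----w- c:\users\jah\AppData\Local\Programs
2012-11-23 00:13 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-{8}|\d+) (\S{8}) (.+)$"
)


def parse_files_created(text):
    """Rows of the "Files Created" section; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        rows.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"),
            "path": path,
        })
    return rows


def cluster_by_created(rows, window=timedelta(minutes=5)):
    """Group rows whose creation time is within `window` of the previous row."""
    clusters = []
    for row in sorted(rows, key=lambda r: r["created"]):
        if clusters and row["created"] - clusters[-1][-1]["created"] <= window:
            clusters[-1].append(row)
        else:
            clusters.append([row])
    return clusters


def cluster_containing(clusters, needle):
    """The cluster whose member paths include `needle` (case-insensitive)."""
    for cluster in clusters:
        if any(needle.lower() in r["path"].lower() for r in cluster):
            return cluster
    return None


def created_after_modified(rows):
    """Files written here after their content was last modified elsewhere,
    i.e. copied in from an installer package or another machine."""
    return [r for r in rows if r["created"] > r["modified"]]


if __name__ == "__main__":
    rows = parse_files_created(SAMPLE_FILES_CREATED)
    for cluster in cluster_by_created(rows):
        start, end = cluster[0]["created"], cluster[-1]["created"]
        print(f"{start:%Y-%m-%d %H:%M} .. {end:%H:%M}  {len(cluster)} entries")
        for r in cluster:
            print("   ", r["path"])
    print("copied in:", [r["path"] for r in created_after_modified(rows)])
```

The window is a tuning knob: five minutes groups one installer's activity without merging separate sessions on the same day, which is why the 15:34 and 20:54 entries on 2012-11-27 come out as their own groups rather than being folded into the early-morning bundle.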
     
  17. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    Looks good.
    How is redirection?
     
  18. John Sharp

    John Sharp TS Rookie Topic Starter Posts: 23

    Everything seems good now...THANK YOU! Should I be using something other than Defender and Essentials?
     
  19. Broni

    Broni Malware Annihilator Posts: 52,899   +344

    You're fine.

    Make sure you reset your restore point one more time.
    Turn system restore off.
    Restart computer.
    Turn system restore on.

    Good luck and stay safe :)
     
