Solved Infected... "sirefef" keeps returning

Let's start with IE.
Open it, go to Tools > Internet Options > Advanced tab and click the "Reset" button.
Restart IE, use it for a while and let me know how it goes.
 
Still getting redirects...

IE example: searching from Google for "tire help", clicking on a link for Goodyear, it redirects to compare.us.com/xxxxxxxxxxxxx
 
For 32-bit (x86) systems download Farbar Recovery Scan Tool 32-Bit and save it to a flash drive.
For 64-bit systems download Farbar Recovery Scan Tool 64-Bit and save it to a flash drive.

Plug the flash drive into the infected PC.

If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter the System Recovery Command Prompt.

If you are using Vista or Windows 7 enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type notepad and press Enter.
  • Notepad opens. Under the File menu select Open.
  • Select "Computer", note your flash drive letter, and close Notepad.
  • In the command window type e:\frst (for the 64-bit version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it in your reply.
 
FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 06-12-2012
Ran by SYSTEM at 10-12-2012 10:00:11
Running from E:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)
HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [10144288 2010-04-13] (Realtek Semiconductor)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [35696 2009-02-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKLM-x32\...\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2 [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254896 2012-09-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Sendori Tray] "C:\Program Files (x86)\Sendori\SendoriTray.exe" [82792 2012-11-26] (Sendori, Inc.)
HKU\jah\...\Run: [Novatel Wireless] Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info [760320 2012-12-04] ()
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Tcpip\..\Interfaces\{00DB6E6E-F3AB-4C9D-8D23-EDB53E8402C6}: [NameServer]192.168.9.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Jungle Disk Desktop.lnk
ShortcutTarget: Jungle Disk Desktop.lnk -> C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe (Jungle Disk, Inc.)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
Startup: C:\Users\jah\Start Menu\Programs\Startup\PdaNet Desktop.lnk
ShortcutTarget: PdaNet Desktop.lnk -> C:\Program Files (x86)\PdaNet for Android\PdaNetPC.exe ()

==================== Services (Whitelisted) ===================

2 Application Sendori; C:\Program Files (x86)\Sendori\SendoriSvc.exe [118632 2012-11-26] (Sendori, Inc.)
2 JungleDiskService; "C:\Program Files\Jungle Disk Desktop\JungleDiskMonitor.exe" --service [9761096 2011-05-17] (Jungle Disk, Inc.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [22072 2012-09-12] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [368896 2012-09-12] (Microsoft Corporation)
2 Service Sendori; C:\Program Files (x86)\Sendori\Sendori.Service.exe [14696 2012-11-26] (sendori)
2 sndappv2; C:\Program Files (x86)\Sendori\sndappv2.exe [3569512 2012-11-26] (Sendori)

==================== Drivers (Whitelisted) =====================

1 cbfs3; C:\Windows\System32\Drivers\cbfs3.sys [321424 2010-11-30] (EldoS Corporation)
0 mbamchameleon; C:\Windows\System32\Drivers\mbamchameleon.sys [36680 2012-11-23] ()
0 MpFilter; C:\Windows\System32\Drivers\MpFilter.sys [228768 2012-08-30] (Microsoft Corporation)
3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [128456 2012-08-30] (Microsoft Corporation)
0 mbamswissarmy; C:\Windows\System32\drivers\mbamswissarmy.sys [x]
3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [x]

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-12-08 11:00 - 2011-10-04 04:22 - 00203320 ____A (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\ssudmdm.sys
2012-12-08 11:00 - 2011-10-04 04:22 - 00095544 ____A (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\System32\Drivers\ssudbus.sys
2012-12-08 10:59 - 2012-12-08 10:59 - 00000000 ____D C:\Program Files\SAMSUNG
2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Samsung
2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Application Data\Samsung
2012-12-08 10:57 - 2012-12-08 10:58 - 00000000 ____D C:\Samsung Galaxy S3 QCom ToolKit
2012-12-08 10:57 - 2012-12-08 10:57 - 00001651 ____A C:\Users\jah\Desktop\Samsung GS3 QCom ToolKit.lnk
2012-12-08 10:26 - 2012-12-08 10:26 - 07444480 ____A C:\Users\jah\Desktop\recovery-clockwork-touch-6.0.1.2-d2spr.tar
2012-12-08 10:25 - 2012-12-08 10:25 - 06410240 ____A C:\Users\jah\Desktop\Sprint_Stock_Recovery.tar
2012-12-08 09:45 - 2012-12-08 09:45 - 00000000 ____D C:\Users\jah\Desktop\Odin3-v1.85
2012-12-08 09:42 - 2012-12-08 09:42 - 01461029 ____A (Farbar) C:\Users\jah\Desktop\FRST64(1).exe
2012-12-07 14:09 - 2012-12-07 14:09 - 00683568 ____A C:\Windows\Minidump\120712-18876-01.dmp
2012-12-06 18:06 - 2012-12-06 18:07 - 00000030 ____A C:\Users\jah\Desktop\New Text Document.txt
2012-12-06 14:06 - 2012-12-06 14:07 - 00683568 ____A C:\Windows\Minidump\120612-17799-01.dmp
2012-12-04 18:15 - 2012-12-04 18:15 - 00000000 ____D C:\Program Files (x86)\ESET
2012-12-04 18:14 - 2012-12-04 18:14 - 02322184 ____A (ESET) C:\Users\jah\Downloads\esetsmartinstaller_enu.exe
2012-12-04 18:02 - 2012-12-04 18:02 - 00448512 ____A (OldTimer Tools) C:\Users\jah\Desktop\TFC.exe
2012-12-04 18:01 - 2012-12-04 18:02 - 00696153 ____A (Farbar) C:\Users\jah\Desktop\FSS.exe
2012-12-04 18:01 - 2012-12-04 18:01 - 00856731 ____A C:\Users\jah\Desktop\SecurityCheck.exe
2012-12-04 17:53 - 2012-12-04 17:53 - 00000000 ____D C:\_OTL
2012-12-04 17:51 - 2012-12-04 17:52 - 00602112 ____A (OldTimer Tools) C:\Users\jah\Desktop\OTL.exe
2012-11-27 14:54 - 2012-12-04 17:58 - 00000000 ____D C:\Users\jah\Local Settings\Novatel Wireless
2012-11-27 14:54 - 2012-12-04 17:58 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Novatel Wireless
2012-11-27 14:54 - 2012-12-04 17:58 - 00000000 ____D C:\Users\jah\AppData\Local\Novatel Wireless
2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\PDF Architect
2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\Application Data\PDF Architect
2012-11-26 19:36 - 2012-11-26 19:36 - 00069384 ____A C:\Users\JMS\Downloads\TS010169559.dotx
2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\Application Data\PDF Architect
2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\AppData\Roaming\PDF Architect
2012-11-26 19:28 - 2012-11-29 21:05 - 00000000 ____D C:\Users\All Users\Sendori
2012-11-26 19:28 - 2012-11-29 21:05 - 00000000 ____D C:\Users\All Users\Application Data\Sendori
2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\Application Data\APP_NAME_NON_STRING
2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\AppData\Roaming\APP_NAME_NON_STRING
2012-11-26 19:28 - 2012-11-26 13:12 - 00321384 ____A (Sendori) C:\Windows\SysWOW64\Sendori.dll
2012-11-26 19:27 - 2012-11-29 21:06 - 00000000 ____D C:\Program Files (x86)\Sendori
2012-11-26 19:27 - 2012-11-26 19:28 - 00000000 ____D C:\Program Files (x86)\PDFCreator
2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\pdfforge
2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\OpenCandy
2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\pdfforge
2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\OpenCandy
2012-11-26 19:27 - 2012-10-28 17:32 - 00103936 ____A (pdfforge GbR) C:\Windows\System32\pdfcmon.dll
2012-11-26 19:27 - 2012-05-05 09:54 - 01071088 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
2012-11-26 19:27 - 2012-05-05 09:54 - 00662288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCT2.OCX
2012-11-26 19:27 - 2012-05-05 09:54 - 00137000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSMAPI32.OCX
2012-11-26 19:27 - 2012-05-05 09:54 - 00023552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSMPIDE.DLL
2012-11-26 19:21 - 2012-11-26 19:21 - 00457048 ____A (pdfforge GbR ) C:\Users\JMS\Downloads\PDFCreatorWebSetup.exe
2012-11-26 19:17 - 2012-11-26 20:04 - 00000000 ____D C:\Users\JMS\Application Data\SoftGrid Client
2012-11-26 19:17 - 2012-11-26 20:04 - 00000000 ____D C:\Users\JMS\AppData\Roaming\SoftGrid Client
2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\SoftGrid Client
2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\SoftGrid Client
2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\AppData\Local\SoftGrid Client
2012-11-23 18:09 - 2012-11-23 18:18 - 00000000 ____D C:\Qoobox
2012-11-23 18:09 - 2012-11-23 18:16 - 00000000 ____D C:\Windows\erdnt
2012-11-23 18:09 - 2011-06-26 00:45 - 00256000 ____A C:\Windows\PEV.exe
2012-11-23 18:09 - 2010-11-07 11:20 - 00208896 ____A C:\Windows\MBR.exe
2012-11-23 18:09 - 2009-04-19 22:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-11-23 18:09 - 2000-08-30 18:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-11-23 18:09 - 2000-08-30 18:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-11-23 18:09 - 2000-08-30 18:00 - 00098816 ____A C:\Windows\sed.exe
2012-11-23 18:09 - 2000-08-30 18:00 - 00080412 ____A C:\Windows\grep.exe
2012-11-23 18:09 - 2000-08-30 18:00 - 00068096 ____A C:\Windows\zip.exe
2012-11-23 15:18 - 2012-11-23 15:18 - 00279088 ____A C:\Windows\Minidump\112312-19936-01.dmp
2012-11-23 13:34 - 2012-11-23 13:34 - 00000317 ____A C:\Users\jah\Downloads\fixlist.txt
2012-11-23 13:07 - 2012-11-23 13:07 - 01461039 ____A (Farbar) C:\Users\jah\Downloads\FRST64.exe
2012-11-23 11:17 - 2012-11-23 11:17 - 00036680 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2012-11-22 23:15 - 2012-11-22 23:17 - 12961620 ____A C:\Users\jah\Downloads\mbar-1.01.0.1009.zip
2012-11-22 19:02 - 2012-11-22 19:02 - 00001945 ____A C:\Windows\epplauncher.mif
2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-11-22 18:25 - 2012-11-22 18:45 - 13529576 ____A (Microsoft Corporation) C:\Users\jah\Downloads\mseinstall.exe
2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\Application Data\Malwarebytes
2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\AppData\Roaming\Malwarebytes
2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-22 18:13 - 2012-09-29 18:54 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-11-22 18:05 - 2012-11-22 18:12 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\jah\Downloads\mbam-setup-1.65.1.1000.exe
2012-11-15 10:26 - 2012-01-31 06:44 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe


==================== One Month Modified Files and Folders =======

2012-12-10 08:57 - 2009-07-13 23:10 - 01199752 ____A C:\Windows\WindowsUpdate.log
2012-12-10 08:56 - 2009-07-13 22:51 - 00030623 ____A C:\Windows\setupact.log
2012-12-08 11:24 - 2009-07-13 22:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-12-08 11:24 - 2009-07-13 22:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-12-08 11:21 - 2009-07-13 23:13 - 00714754 ____A C:\Windows\System32\PerfStringBackup.INI
2012-12-08 11:17 - 2009-07-13 23:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-12-08 10:59 - 2012-12-08 10:59 - 00000000 ____D C:\Program Files\SAMSUNG
2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Samsung
2012-12-08 10:58 - 2012-12-08 10:58 - 00000000 ____D C:\Users\All Users\Application Data\Samsung
2012-12-08 10:58 - 2012-12-08 10:57 - 00000000 ____D C:\Samsung Galaxy S3 QCom ToolKit
2012-12-08 10:57 - 2012-12-08 10:57 - 00001651 ____A C:\Users\jah\Desktop\Samsung GS3 QCom ToolKit.lnk
2012-12-08 10:26 - 2012-12-08 10:26 - 07444480 ____A C:\Users\jah\Desktop\recovery-clockwork-touch-6.0.1.2-d2spr.tar
2012-12-08 10:25 - 2012-12-08 10:25 - 06410240 ____A C:\Users\jah\Desktop\Sprint_Stock_Recovery.tar
2012-12-08 09:45 - 2012-12-08 09:45 - 00000000 ____D C:\Users\jah\Desktop\Odin3-v1.85
2012-12-08 09:42 - 2012-12-08 09:42 - 01461029 ____A (Farbar) C:\Users\jah\Desktop\FRST64(1).exe
2012-12-07 14:09 - 2012-12-07 14:09 - 00683568 ____A C:\Windows\Minidump\120712-18876-01.dmp
2012-12-07 14:09 - 2012-09-08 22:42 - 00000000 ____D C:\Windows\Minidump
2012-12-07 14:09 - 2012-09-08 22:41 - 374365794 ____A C:\Windows\MEMORY.DMP
2012-12-06 19:11 - 2012-10-29 14:52 - 00000000 ____D C:\Users\jah\My Documents\Misc
2012-12-06 19:11 - 2012-10-29 14:52 - 00000000 ____D C:\Users\jah\Documents\Misc
2012-12-06 18:07 - 2012-12-06 18:06 - 00000030 ____A C:\Users\jah\Desktop\New Text Document.txt
2012-12-06 14:07 - 2012-12-06 14:06 - 00683568 ____A C:\Windows\Minidump\120612-17799-01.dmp
2012-12-05 09:28 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\Application Data\SoftGrid Client
2012-12-05 09:28 - 2012-11-03 16:31 - 00000000 ____D C:\Users\jah\AppData\Roaming\SoftGrid Client
2012-12-04 18:15 - 2012-12-04 18:15 - 00000000 ____D C:\Program Files (x86)\ESET
2012-12-04 18:14 - 2012-12-04 18:14 - 02322184 ____A (ESET) C:\Users\jah\Downloads\esetsmartinstaller_enu.exe
2012-12-04 18:02 - 2012-12-04 18:02 - 00448512 ____A (OldTimer Tools) C:\Users\jah\Desktop\TFC.exe
2012-12-04 18:02 - 2012-12-04 18:01 - 00696153 ____A (Farbar) C:\Users\jah\Desktop\FSS.exe
2012-12-04 18:01 - 2012-12-04 18:01 - 00856731 ____A C:\Users\jah\Desktop\SecurityCheck.exe
2012-12-04 17:58 - 2012-11-27 14:54 - 00000000 ____D C:\Users\jah\Local Settings\Novatel Wireless
2012-12-04 17:58 - 2012-11-27 14:54 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\Novatel Wireless
2012-12-04 17:58 - 2012-11-27 14:54 - 00000000 ____D C:\Users\jah\AppData\Local\Novatel Wireless
2012-12-04 17:53 - 2012-12-04 17:53 - 00000000 ____D C:\_OTL
2012-12-04 17:52 - 2012-12-04 17:51 - 00602112 ____A (OldTimer Tools) C:\Users\jah\Desktop\OTL.exe
2012-11-29 21:06 - 2012-11-26 19:27 - 00000000 ____D C:\Program Files (x86)\Sendori
2012-11-29 21:05 - 2012-11-26 19:28 - 00000000 ____D C:\Users\All Users\Sendori
2012-11-29 21:05 - 2012-11-26 19:28 - 00000000 ____D C:\Users\All Users\Application Data\Sendori
2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\PDF Architect
2012-11-27 09:34 - 2012-11-27 09:34 - 00000000 ____D C:\Users\All Users\Application Data\PDF Architect
2012-11-27 09:30 - 2010-11-17 20:47 - 00010474 ____A C:\Windows\PFRO.log
2012-11-26 20:04 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Application Data\SoftGrid Client
2012-11-26 20:04 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\AppData\Roaming\SoftGrid Client
2012-11-26 19:36 - 2012-11-26 19:36 - 00069384 ____A C:\Users\JMS\Downloads\TS010169559.dotx
2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\Application Data\PDF Architect
2012-11-26 19:32 - 2012-11-26 19:32 - 00000000 ____D C:\Users\JMS\AppData\Roaming\PDF Architect
2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\Application Data\APP_NAME_NON_STRING
2012-11-26 19:28 - 2012-11-26 19:28 - 00000000 ____D C:\Users\JMS\AppData\Roaming\APP_NAME_NON_STRING
2012-11-26 19:28 - 2012-11-26 19:27 - 00000000 ____D C:\Program Files (x86)\PDFCreator
2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\pdfforge
2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\Application Data\OpenCandy
2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\pdfforge
2012-11-26 19:27 - 2012-11-26 19:27 - 00000000 ____D C:\Users\jah\AppData\Roaming\OpenCandy
2012-11-26 19:21 - 2012-11-26 19:21 - 00457048 ____A (pdfforge GbR ) C:\Users\JMS\Downloads\PDFCreatorWebSetup.exe
2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\SoftGrid Client
2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\Local Settings\Application Data\SoftGrid Client
2012-11-26 19:17 - 2012-11-26 19:17 - 00000000 ____D C:\Users\JMS\AppData\Local\SoftGrid Client
2012-11-26 13:12 - 2012-11-26 19:28 - 00321384 ____A (Sendori) C:\Windows\SysWOW64\Sendori.dll
2012-11-23 18:18 - 2012-11-23 18:09 - 00000000 ____D C:\Qoobox
2012-11-23 18:18 - 2009-07-13 21:20 - 00000000 __RHD C:\users\Default
2012-11-23 18:16 - 2012-11-23 18:09 - 00000000 ____D C:\Windows\erdnt
2012-11-23 18:15 - 2009-07-13 20:34 - 00000215 ____A C:\Windows\system.ini
2012-11-23 17:42 - 2012-11-03 11:46 - 00000000 ____D C:\Users\jah\Desktop\From Phone
2012-11-23 15:18 - 2012-11-23 15:18 - 00279088 ____A C:\Windows\Minidump\112312-19936-01.dmp
2012-11-23 13:34 - 2012-11-23 13:34 - 00000317 ____A C:\Users\jah\Downloads\fixlist.txt
2012-11-23 13:07 - 2012-11-23 13:07 - 01461039 ____A (Farbar) C:\Users\jah\Downloads\FRST64.exe
2012-11-23 11:17 - 2012-11-23 11:17 - 00036680 ____A C:\Windows\System32\Drivers\mbamchameleon.sys
2012-11-22 23:17 - 2012-11-22 23:15 - 12961620 ____A C:\Users\jah\Downloads\mbar-1.01.0.1009.zip
2012-11-22 19:02 - 2012-11-22 19:02 - 00001945 ____A C:\Windows\epplauncher.mif
2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-11-22 19:00 - 2012-11-22 19:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-11-22 18:45 - 2012-11-22 18:25 - 13529576 ____A (Microsoft Corporation) C:\Users\jah\Downloads\mseinstall.exe
2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\Application Data\Malwarebytes
2012-11-22 18:14 - 2012-11-22 18:14 - 00000000 ____D C:\Users\jah\AppData\Roaming\Malwarebytes
2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-22 18:13 - 2012-11-22 18:13 - 00001111 ____A C:\Users\All Users\Desktop\Malwarebytes Anti-Malware.lnk
2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Users\All Users\Application Data\Malwarebytes
2012-11-22 18:13 - 2012-11-22 18:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-11-22 18:12 - 2012-11-22 18:05 - 10669952 ____A (Malwarebytes Corporation ) C:\Users\jah\Downloads\mbam-setup-1.65.1.1000.exe
2012-11-15 09:05 - 2010-11-17 19:29 - 00000000 ____D C:\Program Files (x86)\Dell
2012-11-13 18:51 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\System32\NDF
2012-11-13 18:40 - 2011-01-15 07:44 - 00000073 ____A C:\Windows\SysWOW64\ToasterLauncherLog.log
2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\Local Settings\SoftThinks
2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\Local Settings\Application Data\SoftThinks
2012-11-13 18:40 - 2011-01-15 07:42 - 00000000 ____D C:\Users\jah\AppData\Local\SoftThinks
2012-11-11 14:49 - 2012-11-06 17:22 - 00000000 ____D C:\Users\JMS\Application Data\JungleDisk
2012-11-11 14:49 - 2012-11-06 17:22 - 00000000 ____D C:\Users\JMS\AppData\Roaming\JungleDisk


ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\@
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\00000004.@
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\4cce1f70
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\55490ac4

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-22 17:49:08
Restore point made on: 2012-11-22 23:18:28
Restore point made on: 2012-11-22 23:50:24
Restore point made on: 2012-11-23 11:37:24
Restore point made on: 2012-11-23 18:01:27
Restore point made on: 2012-11-26 19:18:30
Restore point made on: 2012-11-27 09:33:25
Restore point made on: 2012-11-29 11:40:36
Restore point made on: 2012-11-30 12:43:18
Restore point made on: 2012-12-03 13:23:44
Restore point made on: 2012-12-05 18:31:14
Restore point made on: 2012-12-07 09:02:34

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3892.52 MB
Available physical RAM: 3339.3 MB
Total Pagefile: 3890.67 MB
Available Pagefile: 3328.34 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

==================== Partitions =============================

1 Drive c: (OS) (Fixed) (Total:451.01 GB) (Free:417.64 GB) NTFS
3 Drive e: (XP-KOMKU) (Removable) (Total:3.73 GB) (Free:2.67 GB) FAT
4 Drive f: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:8.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 No Media 0 B 0 B
Disk 2 Online 3821 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 101 MB 31 KB
Partition 2 Primary 14 GB 101 MB
Partition 3 Primary 451 GB 14 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 101 MB Healthy Hidden

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 F RECOVERY NTFS Partition 14 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 451 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3821 MB 31 KB

==================================================================================

Disk: 2
Partition 1
Type : 0E
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E XP-KOMKU FAT Removable 3821 MB Healthy

=========================================================

Last Boot: 2012-12-05 18:57

==================== End Of Log =============================
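The log above is read by eye in this thread, but the same three checks the helper relies on can be scripted. The following is an added example written for this page; it is not FRST's own code and not anything the posters ran. It parses a constructed excerpt of the FRST log above (a few Run entries, the ZeroAccess: block and the Bamital check) and flags: a Run entry that loads an unsigned, random-looking DLL out of a user-writable profile path through Rundll32; the $Recycle.Bin\<SID>\$<32 hex> directory with its @, L and U children that FRST reports under ZeroAccess:; and any protected system file whose hash FRST did not recognise. The regexes, the scoring thresholds and the Finding type are this example's assumptions, not FRST's detection logic.

```python
"""Triage an FRST scan log for the indicators discussed in this thread.
Added example; heuristics are the example's own, not FRST's."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the FRST log posted above, in FRST's
# own layout. It is an excerpt, not a complete log.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2122536 2010-05-07] (Synaptics Incorporated)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey [x]
HKLM-x32\...\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [498160 2009-10-15] ()
HKU\jah\...\Run: [Novatel Wireless] Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info [760320 2012-12-04] ()

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\@
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\U
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b\L\00000004.@

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
"""


@dataclass
class Finding:
    severity: str  # 'high', 'medium' or 'info'
    reason: str
    subject: str


HEADING = re.compile(r'^=+ (.+?) =+$')
# hive\...\Run: [name] command [size date] (publisher)   -- or [x] when the file is missing
RUN_LINE = re.compile(
    r'^(?P<hive>HKLM(?:-x32)?|HKU\\[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] '
    r'(?P<cmd>.*?)(?: \[(?P<meta>[^\]]*)\])?(?: \((?P<signer>[^)]*)\))?$')
MODULE = re.compile(r'"?(?P<path>(?:[A-Za-z]:|%[^%]+%)\\[^",]+?\.(?:dll|exe))"?', re.I)
USER_WRITABLE = re.compile(r'\\(?:AppData\\(?:Local|Roaming)|Local Settings|Temp)\\', re.I)
RANDOM_NAME = re.compile(r'^[a-z]{8}\.dll$', re.I)  # assumption: 8 random lowercase letters
ZA_STORE = re.compile(
    r'^(?P<root>[A-Za-z]:\\\$Recycle\.Bin\\S-1-5-21-[\d-]+\\\$[0-9a-f]{32})(?:\\(?P<sub>.+))?$', re.I)


def sections(text):
    """Split the log into {heading: [lines]} on FRST's '==== Heading ====' rows."""
    out, current = {'': []}, ''
    for line in text.splitlines():
        m = HEADING.match(line.strip())
        if m:
            current = m.group(1).strip()
            out[current] = []
        else:
            out[current].append(line.rstrip())
    return out


def triage_run_entries(lines):
    """Score autorun entries; two or more weak signals on one entry make a finding."""
    findings = []
    for line in lines:
        m = RUN_LINE.match(line)
        if not m:
            continue
        name, cmd, meta, signer = m['name'], m['cmd'], m['meta'], m['signer']
        mod = MODULE.search(cmd)
        module = mod['path'] if mod else cmd.split()[0]
        subject = f'{name} -> {module}'
        if meta is not None and meta.lower() == 'x':
            findings.append(Finding('info', 'autorun target missing on disk', subject))
            continue
        reasons = []
        if cmd.lower().startswith('rundll32'):
            reasons.append('rundll32 loader')
        if USER_WRITABLE.search(module):
            reasons.append('module under a user-writable profile path')
        if not signer:
            reasons.append('no publisher')
        if RANDOM_NAME.match(module.rsplit('\\', 1)[-1]):
            reasons.append('random-looking module name')
        if len(reasons) >= 2:
            sev = 'high' if len(reasons) >= 3 else 'medium'
            findings.append(Finding(sev, '; '.join(reasons), subject))
    return findings


def triage_zeroaccess(lines):
    """Collect $Recycle.Bin\\<SID>\\$<32 hex> stores and the child names seen under each."""
    stores = {}
    for line in lines:
        m = ZA_STORE.match(line.strip())
        if m:
            subs = stores.setdefault(m['root'], set())
            if m['sub']:
                subs.add(m['sub'].split('\\', 1)[0])
    return [Finding('high', 'ZeroAccess store (' + ', '.join(sorted(s)) + ')', root)
            for root, s in stores.items()]


def triage_integrity(lines):
    """Any line in the Bamital & volsnap section that is not 'MD5 is legit' is a finding."""
    return [Finding('high', 'protected system file hash not recognised', line.split(' => ')[0])
            for line in lines if ' => ' in line and not line.endswith('MD5 is legit')]


def triage(text):
    secs = sections(text)
    lines = text.splitlines()
    findings = triage_run_entries(lines) + triage_zeroaccess(lines)
    findings += triage_integrity(secs.get('Bamital & volsnap Check', []))
    order = {'high': 0, 'medium': 1, 'info': 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.reason}: {f.subject}')
```

Run against a real FRST.txt by reading the file into `triage()`; the integrity check is deliberately restricted to the Bamital & volsnap section so that the `=> OK` lines in EXE ASSOCIATION are not mistaken for hash mismatches, and a single weak signal (for example the Roxio entry's empty publisher) does not produce a finding on its own.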
 
Download attached fixlist.txt file and save it to the very same USB flash drive you've been using. Plug the drive back in.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: now please enter System Recovery Options.
On Windows XP: now please boot into the UBCD.
Run FRST/FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Next...

Restart normally and check for redirections.
 

Attachments

  • fixlist.txt (167 bytes)
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 06-12-2012
Ran by SYSTEM at 2012-12-11 16:38:33 Run:1
Running from E:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
C:\Windows\System32\consrv.dll not found.
C:\$Recycle.Bin\S-1-5-21-4169508272-3924329090-955796134-1000\$c614d3bf243a3fd7a4fd36cd3756874b moved successfully.

==== End of Fixlog ====


Still getting redirects from Google searches
 
Which browser?

Create a new restore point before proceeding with the next step.
How to:
- Windows 8: http://www.vikitech.com/11302/system-restore-windows-8
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

********************************************

Download Malwarebytes Anti-Rootkit (MBAR) from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log-xxxxx.txt and system-log.txt
 
Both Firefox and IE

I tried to download MBAR again and the site seems to be down, and the MBAR that I downloaded previously says it is outdated and will not run
 
Thanks... not sure why, the Mbyte site loads but will not connect to the file... anyway, here are the logs
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

Java version: 1.6.0_37

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 4081606656, free: 2555224064

Initializing...
Done!
Scanning directory: C:\Windows\system32\drivers...
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 7F2837E

Partition information:

Partition 0 type is Other (0xde)
Partition is NOT ACTIVE.
Partition starts at LBA: 63 Numsec = 208782

Partition 1 type is Primary (0x7)
Partition is ACTIVE.
Partition starts at LBA: 208845 Numsec = 30720000
Partition file system is NTFS
Partition is bootable

Partition 2 type is Primary (0x7)
Partition is NOT ACTIVE.
Partition starts at LBA: 30928845 Numsec = 945842275

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
Drive 1
Scanning MBR on drive 1...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 217934C

Partition information:

Partition 0 type is Other (0xe)
Partition is ACTIVE.
Partition starts at LBA: 63 Numsec = 7827329
Partition file system is FAT
Partition is bootable

Partition 1 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 2 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Partition 3 type is Empty (0x0)
Partition is NOT ACTIVE.
Partition starts at LBA: 0 Numsec = 0

Disk Size: 4007624704 bytes
Sector size: 512 bytes

Done!
Performing system, memory and registry scan...
Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
Infected: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Novatel Wireless --> [Spyware.Password]
Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
Infected: C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
Infected: C:\Users\jah\Local Settings\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
Infected: C:\Users\jah\Local Settings\Application Data\Novatel Wireless\kwnlrzdh.dll --> [Spyware.Password]
Done!
Scan finished
Creating System Restore point...
Scheduling clean up...
Removal scheduling successful. System shutdown needed.
System shutdown occurred
=======================================


---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.01.0.1011

(c) Malwarebytes Corporation 2011-2012

OS version: 6.1.7600 Windows 7 x64

Account is Administrative

Internet Explorer version: 8.0.7600.16385

Java version: 1.6.0_37

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 1.995000 GHz
Memory total: 4081606656, free: 2974633984






Malwarebytes Anti-Rootkit 1.01.0.1011
www.malwarebytes.org

Database version: v2012.12.03.14

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
jah :: JAH-PC [administrator]

12/11/2012 6:11:15 PM
mbar-log-2012-12-11 (18-11-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 26433
Time elapsed: 12 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 8
C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Novatel Wireless (Spyware.Password) -> Data: Rundll32.exe "C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll",ompd_free_thread_info -> Delete on reboot.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\jah\AppData\Local\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
C:\Users\jah\Local Settings\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.
C:\Users\jah\Local Settings\Application Data\Novatel Wireless\kwnlrzdh.dll (Spyware.Password) -> Delete on reboot.

(end)
 
It looks like you got reinfected at some point.

Re-run Combofix and post new log.
 
Hmmm. I don't know where I could have been reinfected.

ComboFix 12-12-10.01 - jah 12/12/2012 0:03.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3893.2808 [GMT -5:00]
Running from: c:\users\jah\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}
SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-11-12 to 2012-12-12 )))))))))))))))))))))))))))))))
.
.
2012-12-12 05:08 . 2012-12-12 05:08 -------- d-----w- c:\users\JMS\AppData\Local\temp
2012-12-12 05:08 . 2012-12-12 05:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-11 20:41 . 2012-11-19 06:01 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BB58237F-1BFC-4A94-A2E0-C0F64CC9CA83}\mpengine.dll
2012-12-11 20:38 . 2012-11-19 06:01 9125352 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-12-11 20:23 . 2012-12-11 20:23 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-12-10 16:00 . 2012-12-10 16:00 -------- d-----w- C:\FRST
2012-12-08 17:00 . 2011-10-04 10:22 95544 ----a-w- c:\windows\system32\drivers\ssudbus.sys
2012-12-08 17:00 . 2011-10-04 10:22 203320 ----a-w- c:\windows\system32\drivers\ssudmdm.sys
2012-12-08 16:59 . 2012-12-08 16:59 -------- d-----w- c:\program files\SAMSUNG
2012-12-08 16:58 . 2012-12-08 16:58 -------- d-----w- c:\programdata\Samsung
2012-12-08 16:57 . 2012-12-08 16:58 -------- d-----w- C:\Samsung Galaxy S3 QCom ToolKit
2012-12-05 00:15 . 2012-12-05 00:15 -------- d-----w- c:\program files (x86)\ESET
2012-12-04 23:53 . 2012-12-04 23:53 -------- d-----w- C:\_OTL
2012-11-27 20:54 . 2012-12-11 23:23 -------- d-----w- c:\users\jah\AppData\Local\Novatel Wireless
2012-11-27 15:34 . 2012-11-27 15:34 -------- d-----w- c:\programdata\PDF Architect
2012-11-27 01:32 . 2012-11-27 01:32 -------- d-----w- c:\users\JMS\AppData\Roaming\PDF Architect
2012-11-27 01:28 . 2012-11-27 01:28 -------- d-----w- c:\users\JMS\AppData\Roaming\APP_NAME_NON_STRING
2012-11-27 01:28 . 2012-11-26 19:12 321384 ----a-w- c:\windows\SysWow64\Sendori.dll
2012-11-27 01:28 . 2012-11-30 03:05 -------- d-----w- c:\programdata\Sendori
2012-11-27 01:27 . 2012-11-30 03:06 -------- d-----w- c:\program files (x86)\Sendori
2012-11-27 01:27 . 2012-11-27 01:27 -------- d-----w- c:\users\jah\AppData\Roaming\pdfforge
2012-11-27 01:27 . 2012-10-28 23:32 103936 ----a-w- c:\windows\system32\pdfcmon.dll
2012-11-27 01:27 . 2012-05-05 15:54 662288 ----a-w- c:\windows\SysWow64\MSCOMCT2.OCX
2012-11-27 01:27 . 2012-05-05 15:54 137000 ----a-w- c:\windows\SysWow64\MSMAPI32.OCX
2012-11-27 01:27 . 2012-05-05 15:54 1071088 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-11-27 01:27 . 2012-11-27 01:28 -------- d-----w- c:\program files (x86)\PDFCreator
2012-11-27 01:27 . 2012-11-27 01:27 -------- d-----w- c:\users\jah\AppData\Roaming\OpenCandy
2012-11-27 01:27 . 2012-05-05 15:54 23552 ----a-w- c:\windows\SysWow64\MSMPIDE.DLL
2012-11-27 01:26 . 2012-11-27 01:26 -------- d-----w- c:\users\jah\AppData\Local\Programs
2012-11-27 01:17 . 2012-11-27 02:04 -------- d-----w- c:\users\JMS\AppData\Roaming\SoftGrid Client
2012-11-27 01:17 . 2012-11-27 01:17 -------- d-----w- c:\users\JMS\AppData\Local\SoftGrid Client
2012-11-23 01:00 . 2012-11-23 01:00 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-11-23 01:00 . 2012-11-23 01:00 -------- d-----w- c:\program files\Microsoft Security Client
2012-11-23 00:14 . 2012-11-23 00:14 -------- d-----w- c:\users\jah\AppData\Roaming\Malwarebytes
2012-11-23 00:13 . 2012-11-23 00:13 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-23 00:13 . 2012-11-23 00:13 -------- d-----w- c:\programdata\Malwarebytes
2012-11-23 00:13 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-15 16:26 . 2012-10-17 08:31 9291768 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8AAAE944-8C65-4237-9062-2AA068A12DD5}\mpengine.dll
2012-11-15 16:26 . 2012-01-31 12:44 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-31 17:16 . 2012-10-31 17:16 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-10-31 17:16 . 2010-11-18 00:55 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-10-29 20:44 . 2012-10-29 20:44 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-29 20:44 . 2012-10-29 20:44 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2010-11-30 17:03 155416 ----a-w- c:\windows\SysWOW64\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
"Sendori Tray"="c:\program files (x86)\Sendori\SendoriTray.exe" [2012-11-26 82792]
.
c:\users\jah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PdaNet Desktop.lnk - c:\program files (x86)\PdaNet for Android\PdaNetPC.exe [2012-10-27 484976]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Jungle Disk Desktop.lnk - c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-5-17 9761096]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Best Buy pc app.lnk - c:\programdata\Best Buy pc app\ClickOnceSetup.exe [2010-10-13 9216]
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2010-5-28 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2011-10-04 95544]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2010-05-07 245792]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2011-10-04 203320]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2009-07-09 55280]
S1 cbfs3;cbfs3;c:\windows\system32\drivers\cbfs3.sys [2010-11-30 321424]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 Application Sendori;Application Sendori;c:\program files (x86)\Sendori\SendoriSvc.exe [2012-11-26 118632]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 JungleDiskService;JungleDiskService;c:\program files\Jungle Disk Desktop\JungleDiskMonitor.exe [2011-05-17 9761096]
S2 Service Sendori;Service Sendori;c:\program files (x86)\Sendori\Sendori.Service.exe [2012-11-26 14696]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2009-12-03 483688]
S2 sndappv2;sndappv2;c:\program files (x86)\Sendori\sndappv2.exe [2012-11-26 3569512]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2010-07-01 2533400]
S3 BcmVWL;Broadcom Virtual Wireless;c:\windows\system32\DRIVERS\bcmvwl64.sys [2010-02-02 20984]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 172704]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-06-21 287232]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys [2009-12-22 74280]
S3 pneteth;PdaNet Broadband;c:\windows\system32\DRIVERS\pneteth.sys [2011-11-25 15360]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2009-12-03 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2009-12-03 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2009-12-03 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2009-12-03 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2009-12-03 209768]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EldosIconOverlay]
@="{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}"
[HKEY_CLASSES_ROOT\CLSID\{5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC}]
2010-11-30 17:03 188696 ----a-w- c:\windows\System32\CbFsMntNtf3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk1_Complete]
@="{78061A12-1E91-4446-8B65-8ED2FF328D4A}"
[HKEY_CLASSES_ROOT\CLSID\{78061A12-1E91-4446-8B65-8ED2FF328D4A}]
2011-03-04 17:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk2_InProgress]
@="{700AD13D-E86F-41C9-9A8F-39B4C438806F}"
[HKEY_CLASSES_ROOT\CLSID\{700AD13D-E86F-41C9-9A8F-39B4C438806F}]
2011-03-04 17:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\JungleDisk3_Conflicted]
@="{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}"
[HKEY_CLASSES_ROOT\CLSID\{48C7A606-0F84-4DC8-8AFD-A157BDF18A08}]
2011-03-04 17:26 1072640 ----a-w- c:\program files\Jungle Disk Desktop\monitor_shellext.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-04-14 10144288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 415256]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = g.msn.com/USCON/1
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.2.254
TCP: Interfaces\{00DB6E6E-F3AB-4C9D-8D23-EDB53E8402C6}: NameServer = 192.168.9.1
TCP: Interfaces\{AF2F0A21-2F5A-4F21-A096-48DD4B96F4C6}\D496649643632303C402A45647071636B6022383332402355636572756: NameServer = 192.168.1.1
FF - ProfilePath - c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\
FF - prefs.js: browser.startup.homepage - hxxp://forums.offtopic.com/
FF - ExtSQL: 2012-10-29 16:37; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2012-10-29 16:39; tineye@ideeinc.com; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\tineye@ideeinc.com.xpi
FF - ExtSQL: 2012-10-31 13:16; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - ExtSQL: 2012-11-03 17:15; {8ed952a0-199c-11d9-9669-0800200c9a66}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{8ed952a0-199c-11d9-9669-0800200c9a66}.xpi
FF - ExtSQL: 2012-11-21 21:03; {e4a8a97b-f2ed-450b-b12d-ee082ba24781}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
FF - ExtSQL: 2012-11-23 13:21; {73a6fe31-595d-460b-a920-fcc0f8843232}; c:\users\jah\AppData\Roaming\Mozilla\Firefox\Profiles\1ekl3aw3.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-MSC - c:\program files\Microsoft Security Client\mssecex.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10k.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-12-12 00:09:58
ComboFix-quarantined-files.txt 2012-12-12 05:09
.
Pre-Run: 447,213,293,568 bytes free
Post-Run: 447,150,936,064 bytes free
.
- - End Of File - - 3640E6940A7DD1D66484CB28BB4923D7
 
You're fine.

Make sure you reset your restore point one more time.
Turn system restore off.
Restart computer.
Turn system restore on.

Good luck and stay safe :)
 