Multi Iexplore.exe and malicious URL

By Lashire
Jul 4, 2011
  1. A couple of days ago, I got the "Windows Vista Repair" virus. I went through several steps provided by bleepingcomputer.com. The warnings and the fake errors are gone, but now I am left with Avast constantly telling me that there is a Malicious URL Redirect from object 64.111.211.158, along with several iexplore.exe processes running right from startup. When I turn them off, they come back within a few minutes even when I do not touch Internet Explorer.

    Below I have posted the logs asked for in the sticky. Gmer was blank after the scan.

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 7021

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.19088

    7/4/2011 1:34:36 PM
    mbam-log-2011-07-04 (13-34-36).txt

    Scan type: Quick scan
    Objects scanned: 185450
    Time elapsed: 2 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    .
    DDS (Ver_2011-06-23.01) - NTFSAMD64 NETWORK
    Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_20
    Run by user at 14:05:58 on 2011-07-04
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2625 [GMT -7:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\REGSVR32.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
    mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
    TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - C:\Program Files (x86)\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
    TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
    TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
    uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    mRunOnce: [GrpConv] grpconv -o
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: Sothink SWF Catcher - C:\Program Files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.16.0.cab
    TCP: DhcpNameServer = 192.168.0.1
    TCP: Interfaces\{2298D81A-FAAF-42F0-B73D-A17A0E560C26} : DhcpNameServer = 192.168.0.1
    BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
    BHO-X64: 0x1 - No File
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Winamp Toolbar Loader: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    BHO-X64: Winamp Toolbar Loader - No File
    BHO-X64: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
    BHO-X64: Canon Easy-WebPrint EX BHO - No File
    BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
    BHO-X64: Yahoo! IE Services Button: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
    TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
    TB-X64: Veoh Browser Plug-in: {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files (x86)\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    TB-X64: Veoh Web Player Video Finder: {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
    TB-X64: Winamp Toolbar: {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    TB-X64: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
    TB-X64: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File
    mRunOnce-x64: [GrpConv] grpconv -o
    IE-X64: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - DAEMON Search
    FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
    R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-5-4 128384]
    R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\l160x64.sys --> C:\Windows\system32\DRIVERS\l160x64.sys [?]
    S1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
    S1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
    S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
    S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
    S2 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2011-2-9 401920]
    S2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
    S2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
    S2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-6-8 42184]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-7-17 133104]
    S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);C:\Program Files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
    S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-3-20 1153368]
    S2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-5-28 275968]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-2-23 378984]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-7-17 133104]
    S3 LiveTurbineMessageService;Turbine Message Service - Live;C:\Program Files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-9-20 267760]
    S3 LiveTurbineNetworkService;Turbine Network Service - Live;C:\Program Files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-9-20 218608]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
    S3 TFsExDisk;TFsExDisk;C:\Windows\System32\drivers\TFsExDisk.Sys [2011-4-13 16392]
    S3 WinRing0_1_1_1;WinRing0_1_1_1;C:\Program Files (x86)\RealTemp_2.60\WinRing0x64.sys [2008-7-6 13520]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-10 89920]
    .
    =============== File Associations ===============
    .
    JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
    .
    =============== Created Last 30 ================
    .
    2012-06-09 00:45:55 -------- d-----w- C:\ProgramData\Alwil Software
    2011-07-04 19:59:23 -------- d-----w- C:\ProgramData\PrevxCSI
    2011-07-04 19:42:32 -------- d-sh--w- C:\$RECYCLE.BIN
    2011-07-04 19:40:00 -------- d-----w- C:\Users\user\AppData\Local\Apple
    2011-07-04 18:21:28 -------- d-----w- C:\ComboFix
    2011-07-04 01:14:34 -------- d-----w- C:\Users\user\AppData\Roaming\SUPERAntiSpyware.com
    2011-07-04 01:14:34 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
    2011-07-04 01:14:27 -------- d-----w- C:\ProgramData\!SASCORE
    2011-07-04 01:14:24 -------- d-----w- C:\Program Files\SUPERAntiSpyware
    2011-07-03 23:22:12 98816 ----a-w- C:\Windows\sed.exe
    2011-07-03 23:22:12 518144 ----a-w- C:\Windows\SWREG.exe
    2011-07-03 23:22:12 256000 ----a-w- C:\Windows\PEV.exe
    2011-07-03 23:22:12 208896 ----a-w- C:\Windows\MBR.exe
    2011-07-03 20:38:08 -------- d-----w- C:\ProgramData\PC Tools
    2011-07-01 12:52:41 8873296 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{11A3DB4A-D082-40E0-909C-77E1D53E576F}\mpengine.dll
    2011-06-28 23:34:04 344576 ----a-w- C:\Windows\System32\schannel.dll
    2011-06-28 23:34:03 276992 ----a-w- C:\Windows\SysWow64\schannel.dll
    2011-06-15 01:30:30 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys
    2011-06-15 01:30:30 145920 ----a-w- C:\Windows\System32\drivers\srvnet.sys
    2011-06-15 01:30:26 847360 ----a-w- C:\Windows\System32\oleaut32.dll
    2011-06-15 01:30:26 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll
    2011-06-15 01:30:20 405504 ----a-w- C:\Windows\System32\drivers\afd.sys
    2011-06-15 01:30:17 758784 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll
    2011-06-15 01:30:16 1027584 ----a-w- C:\Program Files\Common Files\Microsoft Shared\vgx\VGX.dll
    2011-06-15 01:30:14 275456 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
    2011-06-15 01:30:13 135680 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
    2011-06-15 01:30:13 107008 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
    2011-06-15 01:30:10 2762752 ----a-w- C:\Windows\System32\win32k.sys
    .
    ==================== Find3M ====================
    .
    2011-05-29 16:11:30 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-29 16:11:20 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-05-28 06:28:00 1147904 ----a-w- C:\Windows\System32\wininet.dll
    2011-05-28 06:24:04 56832 ----a-w- C:\Windows\System32\licmgr10.dll
    2011-05-28 06:23:47 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
    2011-05-28 06:23:30 132096 ----a-w- C:\Windows\System32\iesysprep.dll
    2011-05-28 06:23:29 77312 ----a-w- C:\Windows\System32\iesetup.dll
    2011-05-28 06:08:58 916480 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-05-28 06:04:30 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
    2011-05-28 06:04:17 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
    2011-05-28 06:04:03 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
    2011-05-28 06:04:03 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
    2011-05-28 05:33:37 479232 ----a-w- C:\Windows\System32\html.iec
    2011-05-28 05:10:26 385024 ----a-w- C:\Windows\SysWow64\html.iec
    2011-05-28 04:53:37 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
    2011-05-28 04:52:18 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-05-28 04:33:03 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
    2011-05-28 04:31:44 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-05-25 02:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe
    2011-05-10 12:10:59 40112 ----a-w- C:\Windows\avastSS.scr
    2011-05-10 12:04:08 600920 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
    2011-05-10 11:59:48 64344 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
    2011-05-02 17:16:14 739328 ----a-w- C:\Windows\SysWow64\inetcomm.dll
    2011-05-02 17:13:21 975360 ----a-w- C:\Windows\System32\inetcomm.dll
    2011-04-14 15:14:19 97792 ----a-w- C:\Windows\System32\drivers\dfsc.sys
    .
    ============= FINISH: 14:14:59.34 ===============
  2. Lashire

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/25/2008 4:19:41 PM
    System Uptime: 7/4/2011 1:06:04 PM (1 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | P5KPL-VM
    Processor: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz | Socket 775 | 2997/333mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 466 GiB total, 100.629 GiB free.
    D: is CDROM ()
    G: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
    Description: Standard PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&2E2B2FDC&0
    Manufacturer: (Standard keyboards)
    Name: Standard PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&2E2B2FDC&0
    Service: i8042prt
    .
    Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&2E2B2FDC&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&2E2B2FDC&0
    Service: i8042prt
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    .
    Update for Microsoft Office 2007 (KB2508958)
    µTorrent
    2007 Microsoft Office system
    3DMark06
    50 FREE MP3s +1 Free Audiobook!
    7-Zip 4.65
    ABC Amber LIT Converter
    AC3Filter 1.63b
    Acrobat.com
    Activation Assistant for the 2007 Microsoft Office suites
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Drive CS4
    Adobe Dynamiclink Support
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash CS4
    Adobe Flash CS4 Extension - Flash Lite STI en
    Adobe Flash CS4 Professional
    Adobe Flash CS4 STI-en
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Linguistics CS4
    Adobe Media Encoder CS4
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop 7.0
    Adobe Reader 9.4.4
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Shockwave Player 11.5
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    AdVantage (Powering DAEMON Tools)
    Age of Conan - Hyborian Adventures
    Amazon Games & Software Downloader
    Apple Application Support
    Apple Software Update
    AutocompletePro
    avast! Free Antivirus
    AVS Update Manager 1.0
    AVS Video Converter 6
    AVS4YOU Software Navigator 1.4
    Baldur's Gate Tutu
    Baldur's Gate(TM) II - Shadows of Amn(TM) Bonus CD
    Baldur's Gate(TM) II - Throne of Bhaal (TM)
    Basic Webcam
    Big Fish Games Client
    Black & White® 2
    Caesar IV
    Canon Easy-WebPrint EX
    Canon MP Navigator EX 3.0
    Canon MP250 series User Registration
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    CCleaner
    Champions Online
    Comcast High-Speed Internet Install Wizard
    Connect
    Core FTP LE 2.1
    DAEMON Tools Lite
    DAEMON Tools Toolbar
    Delicious - Emily's Tea Garden
    DH Driver Cleaner Professional Edition
    Diner Dash: Hometown Hero
    Divinity II - DKS
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Setup
    DivX Version Checker
    Download Manager 2.3.6
    Dragon Age II
    Dragon Age Toolset
    Dragon Age: Origins
    Dragon Age: Origins Character Creator
    Driver Sweeper 1.5.5
    e-PDF To HTML Converter
    EA Download Manager
    EA Installer
    EA Shared Game Component: Activation
    Easy PDF to HTML Converter v2.0
    EverQuest II (US English)
    Facebook Plug-In
    FileZilla Client 3.3.5.1
    Free Natural Text to Speech Reader 2008
    Free Realms Installer
    GameHouse
    GanttProject
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    GPL MPEG-1/2 DirectShow Decoder Filter
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    ICatch (VI) PC Camera
    Icewind Dale
    Icewind Dale - Heart of Winter
    Icewind Dale II
    ImgBurn
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) 6 Update 4
    Java(TM) 6 Update 7
    kuler
    LimeWire 5.3.6
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Maxthon2
    MediaCentre
    MediaCentre (C:\Program Files (x86)\MediaCentre\)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Hybrid 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (BWDATOOLSET)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Setup Support Files (English)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Works 6-9 Converter
    Microsoft WSE 3.0 Runtime
    MOV to WMV 1.1
    Move Media Player
    Mozilla Firefox (3.6.15)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MySQL Connector/ODBC 3.51
    Neverwinter Nights
    Neverwinter Nights 2
    NVIDIA nTune
    NVIDIA PhysX
    NVIDIA Stereoscopic 3D Driver
    NWN2 - Dark Waters
    NWN2 - Dark Waters 1
    oggcodecs 0.71.0946
    OpenOffice.org 2.4
    PDF Settings CS4
    Photoshop Camera Raw
    Pirates of the Burning Sea
    Pixel Bender Toolkit
    Power Sound Editor Free
    Powerbullet Presenter
    QuickTime
    RAD Video Tools
    Ranch Rush
    RE: Alistair++ 1
    Restaurant Empire
    Restaurant Empire 2
    RollerCoaster Tycoon 3
    Safari
    SAMSUNG Mobile USB Device
    Samsung New PC Studio
    Samsung New PC Studio USB Driver Installer
    SANYO Screen Capture 1.1
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB2509488)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft Office 2007 System (KB2541012)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB2541007)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
    Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
    Security Update for Microsoft Office Publisher 2007 (KB2284697)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Sibelius Scorch (Firefox, Opera, Netscape only)
    SimCity 4 Deluxe
    Sims2Pack Clean Installer
    Sothink SWF Quicker
    SpeedFan (remove only)
    SPORE™
    Spybot - Search & Destroy
    Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
    Star Wars®: Knights of the Old Republic (TM)
    Steam
    Suite Shared Configuration CS4
    System Requirements Lab
    System Requirements Lab CYRI
    The Movies(TM)
    The Movies(TM) Stunts & Effects
    THE SETTLERS - Rise of an Empire
    The Sims 2
    The Sims 2 Nightlife
    The Sims 2 Open For Business
    The Sims 2 Pets
    The Sims 2 University
    The Sims™ 2 Apartment Life
    The Sims™ 2 Bon Voyage
    The Sims™ 2 FreeTime
    The Sims™ 2 Seasons
    The Witcher Enhanced Edition
    Timeline Maker Professional 2.1
    Tropico 3: Steam Special Edition
    Turbine Download Manager - Live
    Update for 2007 Microsoft Office System (KB2284654)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft Office 2007 System (KB2539530)
    Update for Microsoft Office Outlook 2007 (KB2509470)
    Update for Outlook 2007 Junk Email Filter (KB2536413)
    Vampire - The Masquerade Bloodlines
    VC80CRTRedist - 8.0.50727.4053
    Veoh Web Player
    VeohTV BETA
    ViiKii Desktop Plug-in
    VLC media player 1.0.5
    Winamp
    Winamp Detector Plug-in
    Winamp Toolbar
    Windows Live OneCare safety scanner
    Windows Media Player Firefox Plugin
    WinRAR archiver
    Wonderburg
    World of Warcraft
    Xfire (remove only)
    Xvid 1.2.1 final uninstall
    Yahoo! Browser Services
    Yahoo! BrowserPlus 2.9.8
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar
    Zoo Tycoon 2
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/4/2011 12:48:40 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
    7/4/2011 12:09:38 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
    7/4/2011 12:07:07 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
    7/4/2011 11:16:06 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 for x64-based Systems (KB2416447).
    7/4/2011 1:31:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service NVSvc with arguments "" in order to run the server: {DCAB0989-1301-4319-BE5F-ADE89F88581C}
    7/4/2011 1:09:15 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    7/4/2011 1:08:12 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi Beep i8042prt SASDIFSV SASKUTIL spldr Wanarpv6
    7/4/2011 1:08:12 PM, Error: Service Control Manager [7001] - The Windows Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
    7/4/2011 1:08:12 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    7/4/2011 1:08:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    7/4/2011 1:07:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
    7/4/2011 1:07:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/4/2011 1:07:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    7/4/2011 1:07:15 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
    7/4/2011 1:07:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
    7/3/2011 7:34:56 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi i8042prt SASDIFSV SASKUTIL spldr Wanarpv6
    7/3/2011 7:33:55 PM, Error: EventLog [6008] - The previous system shutdown at 7:30:50 PM on 7/3/2011 was unexpected.
    7/3/2011 7:27:50 PM, Error: EventLog [6008] - The previous system shutdown at 7:24:49 PM on 7/3/2011 was unexpected.
    7/3/2011 4:35:22 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi i8042prt spldr Wanarpv6
    7/3/2011 1:54:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
    7/2/2011 2:53:33 PM, Error: EventLog [6008] - The previous system shutdown at 2:51:24 PM on 7/2/2011 was unexpected.
    7/2/2011 2:01:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
    7/2/2011 10:31:29 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
    7/2/2011 10:26:05 AM, Error: EventLog [6008] - The previous system shutdown at 7:37:49 AM on 7/2/2011 was unexpected.
    6/29/2011 5:16:42 AM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer PDF-XChange 3.0 with shared resource name PDF-XChange 3.0. Error 2114. The printer cannot be used by others on the network.
    6/28/2011 1:24:16 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Canon MP250 series Printer with shared resource name Canon MP250 series Printer. Error 2114. The printer cannot be used by others on the network.
    .
    ==== End Of File ===========================
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help you sort this out.
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    Multiple iexplore.exe processes are normal in IE8. However, malware can hide behind the names of most processes.

    The IP 64.111.211.158 belongs to a hosting site that carries a warning as fraudulent. Are you actually getting redirected or just being warned? Do you have a firewall?

    Let's check further to see what, if any, entries are left from the previous malware:
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow it
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==============================================
    I'd like you to also run this online virus scan:
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the download button to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    Please leave logs in your next reply.
  4. Lashire

    Lashire Newcomer, in training Topic Starter Posts: 26

    Thank you, Bobbye, for your assistance.

    You asked if I was being redirected or just warned. Whenever I try to click on a link (IE or Firefox), usually in an attempt to find something to help me with the virus (I am using another household computer at the moment), I am redirected to some random link and then, usually, to a Stopzilla link when that won't load. Blondie.ausbone.net is one of the many random links it attempts to send me to. However, it will warn me of the attempt to redirect even though the computer is not in use. I have Windows Defender and Avast turned on at all times, except a couple days ago when I got the virus and my registration for Avast ran out.

    I ran the Combofix uninstall, and below is my log that I received after it was reinstalled.

    ComboFix 11-07-04.02 - user 07/04/2011 23:15:50.2.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.1940 [GMT -7:00]
    Running from: c:\users\user\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-05 to 2011-07-05 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-09 00:45 . 2010-06-09 05:41 -------- d-----w- c:\programdata\Alwil Software
    2011-07-05 06:46 . 2011-07-05 06:46 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-07-05 06:46 . 2011-07-05 06:46 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
    2011-07-05 06:46 . 2011-07-05 06:46 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-07-05 06:02 . 2011-07-05 06:06 -------- d-----w- C:\32788R22FWJFW
    2011-07-04 19:59 . 2011-07-04 20:13 -------- d-----w- c:\programdata\PrevxCSI
    2011-07-04 19:40 . 2011-07-04 19:40 -------- d-----w- c:\users\user\AppData\Local\Apple
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\users\user\AppData\Roaming\SUPERAntiSpyware.com
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\!SASCORE
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-07-03 20:38 . 2011-07-03 20:38 -------- d-----w- c:\programdata\PC Tools
    2011-07-03 20:29 . 2011-07-03 20:29 -------- d-----w- c:\users\Public\Beck's Stories
    2011-07-01 12:52 . 2011-06-07 17:10 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{11A3DB4A-D082-40E0-909C-77E1D53E576F}\mpengine.dll
    2011-06-28 23:34 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
    2011-06-28 23:34 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
    2011-06-15 01:30 . 2011-04-29 13:41 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-06-15 01:30 . 2011-04-29 13:40 145920 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-06-15 01:30 . 2010-12-20 16:59 847360 ----a-w- c:\windows\system32\oleaut32.dll
    2011-06-15 01:30 . 2010-12-20 16:35 563712 ----a-w- c:\windows\SysWow64\oleaut32.dll
    2011-06-15 01:30 . 2011-04-21 14:20 405504 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-06-15 01:30 . 2011-04-30 06:09 758784 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll
    2011-06-15 01:30 . 2011-04-30 06:22 1027584 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
    2011-06-15 01:30 . 2011-04-29 13:39 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-06-15 01:30 . 2011-04-29 13:39 135680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-06-15 01:30 . 2011-04-29 13:39 107008 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-06-15 01:30 . 2011-05-18 13:56 2762752 ----a-w- c:\windows\system32\win32k.sys
    2011-06-09 21:30 . 2011-06-09 21:30 -------- d-----w- c:\program files\Google
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-29 16:11 . 2010-03-04 23:53 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-29 16:11 . 2010-03-04 23:53 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-25 02:14 . 2009-10-02 22:20 270720 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-10 12:10 . 2011-03-22 01:30 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:10 . 2010-06-09 05:41 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2011-05-10 12:10 . 2011-03-22 01:30 253888 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-10 12:04 . 2011-03-22 01:30 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-10 12:04 . 2010-06-09 05:41 287576 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-10 12:02 . 2010-06-09 05:41 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-10 11:59 . 2010-06-09 05:41 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-10 11:59 . 2010-06-09 05:41 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-05-10 11:59 . 2010-06-09 05:41 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files (x86)\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]
    .
    [HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
    [HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-09 39408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
    R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
    R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-09-20 267760]
    R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-09-20 218608]
    R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2009-11-02 16392]
    R3 WinRing0_1_1_1;WinRing0_1_1_1;c:\program files (x86)\RealTemp_2.60\WinRing0x64.sys [2008-01-28 13520]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
    S2 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-02-23 378984]
    S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
    .
    2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-30 153624]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-30 225816]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-30 199704]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: Sothink SWF Catcher - c:\program files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 192.168.0.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - DAEMON Search
    FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-AdVantage_DAEM - c:\program files (x86)\AdVantage\AdVUninst.exe
    AddRemove-AutocompletePro3_is1 - c:\program files (x86)\AutocompletePro\unins000.exe
    AddRemove-NWN2DW - g:\nwn2\modules\DWUninstall.exe
    AddRemove-NWN2DW1 - c:\users\user\Documents\Neverwinter Nights 2\modules\DW1Uninstall.exe
    AddRemove-Yahoo! Mail - c:\windows\system32\regsvr32
    AddRemove-YInstHelper - c:\windows\system32\regsvr32
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    "??"=hex:94,28,83,73,ba,0c,cc,44,2a,a3,5a,be,5b,46,10,cc,8f,ec,e2,4d,e8,e1,54,
    11,d8,db,82,7e,1b,57,70,1c,03,06,db,08,31,26,6b,41,06,44,97,3d,00,fe,8e,7e,\
    "??"=hex:71,7a,e4,82,c8,87,c8,f7,49,a6,c4,3c,0c,e1,c7,54
    .
    [HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\License information*]
    @Allowed: (Read) (RestrictedCode)
    "datasecu"=hex:e9,6c,f9,2d,57,d7,09,c6,e7,6a,59,e1,99,df,c6,56,b4,95,f9,7f,5e,
    62,1d,76,c0,40,37,db,2d,35,35,3c,21,3d,33,a8,fa,f8,1f,30,50,db,14,07,c5,89,\
    "rkeysecu"=hex:d2,9c,3b,97,4c,80,dc,0c,1f,ac,a6,07,6d,4d,64,30
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-05 00:16:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-05 07:16
    ComboFix2.txt 2011-07-04 19:41
    .
    Pre-Run: 110,218,985,472 bytes free
    Post-Run: 110,105,227,264 bytes free
    .
    - - End Of File - - 0D0F296B8CF0F408C4DAB2BCA66B36B9
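The 'Reg Loading Points' section of the ComboFix log above is what a helper reads first: which values under the Run keys point at executables, and which R#/S# service and driver lines were recorded as '[x]' rather than with a file date and size. The following Python script is an added example for this thread, not ComboFix's own code or anything the posters ran; it parses those two line shapes and flags autoruns that start from user-writable folders and services with no verified file. The sample input reuses a few real lines from the log above plus one constructed suspicious autorun ("updchk" and its path), which is not from the thread and exists only so that the flagging logic has something to catch.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.
Added example for this thread (not ComboFix's own code): parses REGEDIT4-style
Run values and R#/S# service lines, flags user-writable autoruns and '[x]' services."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape of the log posted above: real entries from that
# log plus ONE made-up suspicious autorun ("updchk" and its path, not from the
# thread) so that the flagging logic has something to catch.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-09 39408]
"updchk"="c:\users\user\AppData\Local\temp\update.exe" [2011-07-03 45056]
.
R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
S1 aswSnx;aswSnx; [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "name"="data" [YYYY-MM-DD size]  -- the date/size block is optional
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>[^"]*)"'
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$"
)
# R2 name;display;path [YYYY-MM-DD size]   or   S1 name;display; [x]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)
# Folders an ordinary user can write to; installers rarely register autoruns there.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\$recycle.bin\\")


@dataclass
class Autorun:
    key: str
    name: str
    path: str
    date: Optional[str]
    size: Optional[int]


@dataclass
class Service:
    state: str    # R = running, S = stopped, as ComboFix prints it
    start: int    # Windows start-type digit (0 boot ... 4 disabled)
    name: str
    display: str
    path: str     # empty when ComboFix printed no path at all
    info: str     # "YYYY-MM-DD size", or "x" when no file was recorded


def parse_loading_points(text: str) -> Tuple[List[Autorun], List[Service]]:
    """Walk the section line by line, remembering the current registry key."""
    autoruns, services = [], []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix uses a lone '.' as a spacer
            continue
        key = KEY_RE.match(line)
        if key:
            current_key = key.group("key")
            continue
        val = VALUE_RE.match(line)
        if val and "\\" in val.group("data"):  # only values that point at a file
            size = int(val.group("size")) if val.group("size") else None
            autoruns.append(Autorun(current_key, val.group("name"),
                                    val.group("data"), val.group("date"), size))
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            services.append(Service(svc.group("state"), int(svc.group("start")),
                                    svc.group("name"), svc.group("display"),
                                    svc.group("path"), svc.group("info")))
    return autoruns, services


def is_user_writable(path: str) -> bool:
    p = path.lower()
    if any(marker in p for marker in USER_WRITABLE):
        return True
    # An executable sitting directly in the drive root (c:\name.exe) is unusual too.
    return re.fullmatch(r"[a-z]:\\[^\\]+", p) is not None


def triage(text: str) -> List[str]:
    """Return leads for the helper to verify by hand; these are not verdicts."""
    autoruns, services = parse_loading_points(text)
    findings: List[str] = []
    for a in autoruns:
        if is_user_writable(a.path):
            findings.append(f"autorun '{a.name}' runs from a user-writable location: {a.path}")
    for s in services:
        if s.info == "x":
            where = s.path or "(no path printed)"
            findings.append(f"service '{s.name}' has no verified file {where}; "
                            "confirm it belongs to an installed product")
    return findings
```

Run against the sample it reports the constructed "updchk" entry and the two '[x]' drivers; on the real log above the aswSnx/aswSP lines correspond to the avast! components that were disabled for the ComboFix run, which is exactly the kind of lead a helper then confirms against the installed-programs list rather than treating as a detection.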
  5. Lashire

    Lashire Newcomer, in training Topic Starter Posts: 26

    C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\27e8c01-259d6d3d a variant of Java/TrojanDownloader.OpenStream.NBF trojan
    C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\26dcc390-12668507 multiple threats
    C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\b3f2d83-56c7e48a multiple threats
    C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\190c8233-1299c07b multiple threats
    C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\3f054e06-6ad6be8d multiple threats
    C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\59fdafbd-63155b25 multiple threats
    C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE_v4.exe probably a variant of Win32/Agent.KSZVEEK trojan
    C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE\Setup-RE.exe probably a variant of Win32/Agent.KSZVEEK trojan
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab multiple threats
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[3].cab a variant of Win32/Adware.OneStep.Y application
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3Y2TS15\upgrade[1].cab a variant of Win32/Adware.OneStep.R application
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CGG8FSVE\upgrade[1].cab a variant of Win32/Adware.OneStep.X application
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5QMSLOK\upgrade[1].cab a variant of Win32/Adware.OneStep.T application
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[1].cab a variant of Win32/Adware.OneStep.S application
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[1].cab a variant of Win32/Adware.OneStep.AB application
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[1].cab a variant of Win32/Adware.OneStep.S application
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIO042TE\upgrade[1].cab a variant of Win32/Adware.OneStep.R application
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab multiple threats
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[3].cab a variant of Win32/Adware.OneStep.Y application
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3Y2TS15\upgrade[1].cab a variant of Win32/Adware.OneStep.R application
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CGG8FSVE\upgrade[1].cab a variant of Win32/Adware.OneStep.X application
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5QMSLOK\upgrade[1].cab a variant of Win32/Adware.OneStep.T application
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[1].cab a variant of Win32/Adware.OneStep.S application
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[1].cab a variant of Win32/Adware.OneStep.AB application
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[1].cab a variant of Win32/Adware.OneStep.S application
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIO042TE\upgrade[1].cab a variant of Win32/Adware.OneStep.R application
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Reviewing the logs, I note several entries for the Winamp Toolbar. Please check their Privacy Policies here: http://www.winamp.com/legal/privacy

    With your permission, I'd like to include it in the script you will run through Combofix. My recommendation is to remove this.
    ============================================
    There are 2 sources of infection in the Eset Log. The first is in the Java cache> to remove:
    1. Click Start > Control Panel.
    2. Double-click the Java icon in the Control Panel.
    3. Click Settings under Temporary Internet Files.
      http://www.java.com/en/img/download/5000020303.jpg
      There are three options on this window to clear the cache. (Version dependent)
      • Delete Files
      • View Applications
      • View Applets
    4. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
    5. Click OK on Temporary Files Settings window.
      =============================================
      The second is in temporary internet files:

      Please download OTMoveIt by Old Timer (http://oldtimer.geekstogo.com/OTM.exe) and save to your desktop.
      • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
      • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files
      C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE_v4.exe
      C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE\Setup-RE.exe
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[3].cab
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3Y2TS15\upgrade[1].cab
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CGG8FSVE\upgrade[1].cab
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5QMSLOK\upgrade[1].cab
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[1].cab
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[2].cab
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[1].cab
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[2].cab
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[1].cab
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[2].cab
      C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIO042TE\upgrade[1].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[3].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3Y2TS15\upgrade[1].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CGG8FSVE\upgrade[1].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5QMSLOK\upgrade[1].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[1].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[2].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[1].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[2].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[1].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[2].cab
      C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIO042TE\upgrade[1].cab
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
      • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
      • Click the red Moveit! button.
      • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
      • Close OTMoveIt3
      If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
      ====================================================
      Regarding Java: I'm seeing a lot of infected Java cache files. Every log I see with this has outdated Java versions> you have 3> Java(TM) 6 Update 20, Java(TM) 6 Update 4, Java(TM) 6 Update 7. These are all sources of vulnerabilities to the system. Please run the following to remove all of the Java on the system, then get the current update for v6u26:
      You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

      Please download JavaRa (http://downloads.sourceforge.net/project/javara/javara/JavaRa/JavaRa.zip?r=http%3A%2F%2Fraproducts.org%2Fwordpress%2Fsoftware&ts=1284657086&use_mirror=softlayer) and unzip it to your desktop.

      Important! ***Please close any instances of Internet Explorer before continuing!***
      • Double-click on JavaRa.exe to start the program.
      • From the drop-down menu, choose English and click on Select.
      • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
      • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
      • A logfile will pop up. Please save it to a convenient location. Note: Do not leave this log.
      Download and install the most current version and update of Java Runtime Environment (JRE) HERE (http://www.java.com/en/download/manual.jsp).
      ===========================================
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    More on the Winamp Toolbar:
    {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} Winamp Search Class winamptb.dll Winamp Toolbar - see Privacy Policy

    The following Internet Connection was established:
    Server Name>> download.newaol.com
    Server Port>> 80
    Connect as User Connection Password
    • The data identified by the following URLs was then requested from the remote web server:
    o http://aoltoolbar.122.2o7.net/b/ss/aoltoolbar/1/G.9-Pd-R/49?t=11/19/2007 20:59:29&pageName=tlb_winamp : status : active - tb50win&ch=us.toolbar&c1=tlb : tb50win&c2=tlb : status&c16=default&c17=11-19-2007&c18=&c20=5.1.14.2&c19=5.1.14..
    o localhost

    This could be a cause of the multiple iexplore.exe
    ================================================
    Please remove the following from the Trusted Zone. Security is lower in that zone and nothing needs to be in the Trusted Zone:
    Access Internet Options>Security tab> Trusted Sites> Sites> find each of the following Click to highlight> Remove:
    *.clonewarsadventures.com
    *.freerealms.com
    *.soe.com
    *.sony.com

    Apply> OK and Exit when finished.
    ===================================
    Waiting on Winamp Toolbar decision to give script to run.
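As an added example (not from the thread, and not part of any tool mentioned in it), here is a PowerShell script that does the same Trusted Zone audit and removal from the registry instead of the Internet Options dialog, so you can see every site that has been granted the weaker Trusted settings. The ZoneMap\Domains layout (per-domain keys holding scheme-named DWORD values whose data is the zone number, 2 = Trusted) and the HKCU hive are assumptions; the four domains are the ones listed above.

```powershell
# Added example: audit the IE Trusted Sites zone and remove the domains Bobbye listed.
# Assumptions: per-user zone assignments live under HKCU ZoneMap\Domains (the default
# unless Security_HKLM_only is set), each domain/subdomain key carries values named
# after a scheme ("http", "https", or "*" for any scheme), and DWORD data 2 = Trusted.
# Written for Windows PowerShell 2.0 compatibility (Vista era), so no PS 3.0 shortcuts.

$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedZone    = 2

# Domains the thread says should not be in the Trusted Zone.
$DomainsToRemove = @('clonewarsadventures.com', 'freerealms.com', 'soe.com', 'sony.com')

function Get-TrustedSiteEntry {
    # Walk every domain and subdomain key and emit one object per scheme-to-zone mapping.
    if (-not (Test-Path $ZoneMapDomains)) { return }
    Get-ChildItem -Path $ZoneMapDomains -Recurse | ForEach-Object {
        $key = $_
        # Key path relative to Domains, e.g. "soe.com" or "sony.com\www"
        $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
        foreach ($valueName in $key.GetValueNames()) {
            $zone = $key.GetValue($valueName)
            $scheme = $valueName
            if ($scheme -eq '') { $scheme = '(default)' }
            New-Object PSObject -Property @{
                Domain  = $relative
                Scheme  = $scheme
                Zone    = $zone
                Trusted = ($zone -eq $TrustedZone)
            }
        }
    }
}

function Remove-TrustedSiteDomain {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]] $Domain)
    foreach ($d in $Domain) {
        $keyPath = Join-Path $ZoneMapDomains $d
        if (Test-Path $keyPath) {
            # Deleting the domain key drops every subdomain and scheme mapping beneath it,
            # which is what the Remove button in Internet Options does for a "*.domain" entry.
            if ($PSCmdlet.ShouldProcess($keyPath, 'Remove Trusted Zone mapping')) {
                Remove-Item -Path $keyPath -Recurse -Force
            }
        } else {
            Write-Verbose "No ZoneMap entry for $d"
        }
    }
}

# Report first: every row with Trusted = True is a site IE treats with its weaker Trusted settings.
Get-TrustedSiteEntry | Where-Object { $_.Trusted } | Format-Table Domain, Scheme, Zone -AutoSize

# Dry run; drop -WhatIf to actually delete the keys, then re-run the report to confirm.
Remove-TrustedSiteDomain -Domain $DomainsToRemove -WhatIf
```

Run it from the account whose Trusted Sites list you are cleaning, since the HKCU hive is per user.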
  8. Lashire

    Lashire Newcomer, in training Topic Starter Posts: 26

    Absolutely, whatever you believe to be necessary. Thank you. I honestly don't ever remember downloading it to begin with and therefore do not use it.
  9. Lashire

    Lashire Newcomer, in training Topic Starter Posts: 26

    When I run the JavaRa it says that all files have been deleted, but when I actually check the folder they are still there along with all the .dlls and etc. I didn't want to do anything else like install the new version or anything until you gave me the go ahead. Also, no log is created. *UPDATE: Got it to work in safe mode.

    As for OTMoveIt, the program crashed when it tried to empty temp files, so I ran it again, therefore I got two logs which I will post.

    First attempt:

    Files moved on Reboot...
    C:\Users\user\AppData\Local\Temp\~DFE5BA.tmp moved successfully.
    C:\Users\user\AppData\Local\Temp\~DFE670.tmp moved successfully.
    C:\Users\user\AppData\Local\Temp\~DFE6FD.tmp moved successfully.
    C:\Users\user\AppData\Local\Temp\~DFE738.tmp moved successfully.
    C:\Users\user\AppData\Local\Temp\~DFE7A0.tmp moved successfully.
    C:\Users\user\AppData\Local\Temp\~DFE88C.tmp moved successfully.
    File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\100649643@Bottom3[1].htm not found!
    File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\1347734882[1].htm not found!
    File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\aceUACping[1].htm not found!
    File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\ai_realmedia_com[1].htm not found!
    File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\ai_realmedia_com[2].htm not found!
    File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\emily[3].html not found!
    File move failed. C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\fw-nonplayer-banner[1].htm scheduled to be moved on reboot.
    File move failed. C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\fw-nonplayer-banner[2].htm scheduled to be moved on reboot.
    File move failed. C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\fw-nonplayer-banner[3].htm scheduled to be moved on reboot.
    File move failed. C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CN4X9FQ9\blink-182-new-album-metallica-monopoly-and[1].htm scheduled to be moved on reboot.
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CM7VERFM\client_restserver[1].htm moved successfully.

    Registry entries deleted on Reboot...

    Second Attempt:

    All processes killed
    ========== FILES ==========
    File/Folder C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE_v4.exe not found.
    File/Folder C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE\Setup-RE.exe not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\2U9M35IT\upgrade[3].cab not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\B3Y2TS15\upgrade[1].cab not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\CGG8FSVE\upgrade[1].cab not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\F5QMSLOK\upgrade[1].cab not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[1].cab not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[2].cab not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UGFI3ED2\upgrade[1].cab not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UGFI3ED2\upgrade[2].cab not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UHXXFROW\upgrade[1].cab not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UHXXFROW\upgrade[2].cab not found.
    File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\YIO042TE\upgrade[1].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\2U9M35IT\upgrade[3].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\B3Y2TS15\upgrade[1].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\CGG8FSVE\upgrade[1].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\F5QMSLOK\upgrade[1].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[1].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[2].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UGFI3ED2\upgrade[1].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UGFI3ED2\upgrade[2].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UHXXFROW\upgrade[1].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UHXXFROW\upgrade[2].cab not found.
    File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\YIO042TE\upgrade[1].cab not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Mcx1
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: user
    ->Temp folder emptied: 148992 bytes
    ->Temporary Internet Files folder emptied: 17046813 bytes
    ->Java cache emptied: 3625057 bytes
    ->FireFox cache emptied: 46823646 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1958774 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 467696 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 8630083 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 75.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 07082011_184732

    Files moved on Reboot...
    File C:\Users\user\AppData\Local\Temp\~DF6E7E.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DF6E86.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DF6EE2.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DF6EEA.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DF6F2B.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DF6F33.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DFA5F5.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DFAD1D.tmp not found!
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\;ord=1449612181[1].htm moved successfully.
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\aceUACping[1].htm moved successfully.
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\emily[1].html moved successfully.
    File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\fw-nonplayer-banner[1].htm not found!
    File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\fw-nonplayer-banner[2].htm not found!
    File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CN4X9FQ9\550533233@Bottom3[1].htm not found!
    File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CN4X9FQ9\fw-nonplayer-banner[1].htm not found!
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CM7VERFM\channels[1].htm moved successfully.
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CM7VERFM\client_restserver[1].htm moved successfully.
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

    I removed everything from the trusted sites as well. Thank you for your help thus far, I really appreciate it.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Glad to help.

    I can't tell the total files cleaned in OTM but I do see that the account named User user was very full:
    User: user
    ->Temp folder emptied: 148992 bytes
    ->Temporary Internet Files folder emptied: 17046813 bytes
    ->Java cache emptied: 3625057 bytes
    ->FireFox cache emptied: 46823646 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1958774 bytes
    ============================================
    It looks like you may not have done much cleaning up! Most of what was in OTM was in temporary internet files. There is only one figure for the 2 logs for Total Files Cleaned: 75mb, but it was much more than that.
    ========================================
    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Folder::
    c:\users\Mcx1\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    DDS::
    uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    IE: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    BHO-X64: 0x1 - No File
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Winamp Toolbar Loader: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    BHO-X64: Winamp Toolbar Loader - No File
    TB-X64: Winamp Toolbar: {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"=-
    [HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
    [HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
    [HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
    RegLock::
    [HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    A note for you: As long as you continue to use file sharing programs like uTorrent and LimeWire, you will get malware.
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall both for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I see you are working on another infected computer with Broni: http://www.techspot.com/vb/topic167648.html

    I'm going to leave him a note that we're working on this thread.

    Be sure you don't use a flash drive between the computers.
     
  12. Lashire

    Lashire Newcomer, in training Topic Starter Posts: 26

    I ran the combofix in safe mode. I don't know if that was the incorrect thing to do; I should have asked, and didn't think about whether that was appropriate until after it was done.

    However, it kept complaining about not being able to access due to not being run as administrator. I didn't want to run it again until I was given the go ahead by you. It is also still running two or more iexplore.exe without Internet Explorer being in use. Here is the log that it produced.

    ComboFix 11-07-09.02 - user 07/09/2011 15:48:47.3.2 - x64 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2679 [GMT -7:00]
    Running from: c:\users\user\Desktop\ComboFix.exe
    Command switches used :: c:\users\user\Desktop\CFScript.txt
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\Winamp Toolbar\winamptb.dll
    c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
    c:\users\Default\AppData\Local\temp
    c:\users\Mcx1\AppData\Local\temp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-09 00:45 . 2010-06-09 05:41 -------- d-----w- c:\programdata\Alwil Software
    2011-07-09 23:19 . 2011-07-09 23:19 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-07-09 18:34 . 2011-07-09 18:33 525544 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-09 18:33 . 2011-07-09 18:33 -------- d-----w- c:\program files\Java
    2011-07-09 01:40 . 2011-07-09 01:40 -------- d-----w- C:\_OTM
    2011-07-09 01:38 . 2011-06-07 17:10 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBE8C931-D29C-4665-9874-8AC4F1B36CF3}\mpengine.dll
    2011-07-05 07:23 . 2011-07-05 07:23 -------- d-----w- c:\program files (x86)\ESET
    2011-07-04 19:59 . 2011-07-04 20:13 -------- d-----w- c:\programdata\PrevxCSI
    2011-07-04 19:40 . 2011-07-04 19:40 -------- d-----w- c:\users\user\AppData\Local\Apple
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\users\user\AppData\Roaming\SUPERAntiSpyware.com
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\!SASCORE
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-07-03 20:38 . 2011-07-03 20:38 -------- d-----w- c:\programdata\PC Tools
    2011-07-03 20:29 . 2011-07-03 20:29 -------- d-----w- c:\users\Public\Beck's Stories
    2011-06-28 23:34 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
    2011-06-28 23:34 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
    2011-06-15 01:30 . 2011-04-29 13:41 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-06-15 01:30 . 2011-04-29 13:40 145920 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-06-15 01:30 . 2010-12-20 16:59 847360 ----a-w- c:\windows\system32\oleaut32.dll
    2011-06-15 01:30 . 2010-12-20 16:35 563712 ----a-w- c:\windows\SysWow64\oleaut32.dll
    2011-06-15 01:30 . 2011-04-21 14:20 405504 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-06-15 01:30 . 2011-04-30 06:09 758784 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll
    2011-06-15 01:30 . 2011-04-30 06:22 1027584 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
    2011-06-15 01:30 . 2011-04-29 13:39 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-06-15 01:30 . 2011-04-29 13:39 135680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-06-15 01:30 . 2011-04-29 13:39 107008 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-06-15 01:30 . 2011-05-18 13:56 2762752 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-04 11:43 . 2011-03-22 01:30 40112 ----a-w- c:\windows\avastSS.scr
    2011-07-04 11:43 . 2010-06-09 05:41 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2011-07-04 11:43 . 2011-03-22 01:30 253888 ----a-w- c:\windows\system32\aswBoot.exe
    2011-07-04 11:36 . 2011-03-22 01:30 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-07-04 11:36 . 2010-06-09 05:41 288088 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-07-04 11:35 . 2010-06-09 05:41 45400 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-07-04 11:32 . 2010-06-09 05:41 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-07-04 11:32 . 2010-06-09 05:41 64856 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-07-04 11:32 . 2010-06-09 05:41 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-05-29 16:11 . 2010-03-04 23:53 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-29 16:11 . 2010-03-04 23:53 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-25 02:14 . 2009-10-02 22:20 270720 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-07-05_06.51.32 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 03:20 . 2011-07-05 06:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2011-07-09 23:22 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2011-07-09 23:22 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2011-07-05 06:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2011-07-09 23:22 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2011-07-05 06:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2011-07-09 23:24 77800 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2008-06-25 23:28 . 2011-07-09 23:24 17186 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3060227821-3039954082-2317688156-1000_UserData.bin
    + 2008-06-25 23:26 . 2011-07-09 22:18 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-06-25 23:26 . 2011-07-05 06:06 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-06-25 23:26 . 2011-07-05 06:06 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-25 23:26 . 2011-07-09 22:18 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-25 23:26 . 2011-07-09 22:18 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-06-25 23:26 . 2011-07-05 06:06 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-06-04 00:34 . 2011-07-09 23:22 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-06-04 00:34 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-06-04 00:34 . 2011-07-05 06:49 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-06-04 00:34 . 2011-07-09 23:22 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-06-04 00:34 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-06-04 00:34 . 2011-07-09 23:22 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-09-05 19:17 . 2011-07-09 23:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-09-05 19:17 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-09-05 19:17 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-09-05 19:17 . 2011-07-09 23:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-07-05 06:49 . 2011-07-05 06:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-07-09 23:22 . 2011-07-09 23:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-07-09 23:22 . 2011-07-09 23:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-07-05 06:49 . 2011-07-05 06:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2006-11-02 15:45 . 2011-07-09 23:24 264720 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2011-07-09 18:34 . 2011-07-09 18:33 190752 c:\windows\system32\javaws.exe
    + 2011-07-09 18:34 . 2011-07-09 18:33 171808 c:\windows\system32\javaw.exe
    + 2011-07-09 18:34 . 2011-07-09 18:33 171808 c:\windows\system32\java.exe
    + 2011-07-09 18:33 . 2011-07-09 18:33 680960 c:\windows\Installer\4db25.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-09 39408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
    R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
    R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-09-20 267760]
    R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-09-20 218608]
    R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2009-11-02 16392]
    R3 WinRing0_1_1_1;WinRing0_1_1_1;c:\program files (x86)\RealTemp_2.60\WinRing0x64.sys [2008-01-28 13520]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
    S2 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-02-23 378984]
    S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
    .
    2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-07-04 11:43 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-30 153624]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-30 225816]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-30 199704]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: Sothink SWF Catcher - c:\program files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    TCP: DhcpNameServer = 192.168.0.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - DAEMON Search
    FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    "??"=hex:94,28,83,73,ba,0c,cc,44,2a,a3,5a,be,5b,46,10,cc,8f,ec,e2,4d,e8,e1,54,
    11,d8,db,82,7e,1b,57,70,1c,03,06,db,08,31,26,6b,41,06,44,97,3d,00,fe,8e,7e,\
    "??"=hex:71,7a,e4,82,c8,87,c8,f7,49,a6,c4,3c,0c,e1,c7,54
    .
    [HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\License information*]
    @Allowed: (Read) (RestrictedCode)
    "datasecu"=hex:e9,6c,f9,2d,57,d7,09,c6,e7,6a,59,e1,99,df,c6,56,b4,95,f9,7f,5e,
    62,1d,76,c0,40,37,db,2d,35,35,3c,21,3d,33,a8,fa,f8,1f,30,50,db,14,07,c5,89,\
    "rkeysecu"=hex:d2,9c,3b,97,4c,80,dc,0c,1f,ac,a6,07,6d,4d,64,30
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-09 16:50:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-09 23:50
    ComboFix2.txt 2011-07-04 19:41
    .
    Pre-Run: 109,023,105,024 bytes free
    Post-Run: 107,547,123,712 bytes free
    .
    - - End Of File - - 9E852A1A46F2E3AC6A0B0546AD90A683
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Unless instructed otherwise, or unless Normal Mode isn't available, scans should be run in Normal Mode.

    Directions for Combofix and CF Fix are to disable security programs before starting the scan. These were running:
    AV: avast! Antivirus *Enabled
    SP: avast! Antivirus *Enabled
    SP: Windows Defender *Enabled
    =======================================
    Combofix:
    You need to be logged in as the administrator and then double click the file. Malware can create an environment that requires Administrative rights.
    ======================================
    So: Please run the following script through Combofix in Normal Mode, under Administrative logon with the security disabled:

    Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it:
    Code:
    File::
    RegNull::
    [HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Then run this again, also in Normal Mode:

    Please download OTMoveIt by Old Timer and save it to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ===============================================
    Redoing the scan in Normal Mode under the Administrative login is to show me if the full program ran and all of the removals were handled.
    ================================================
    Are you still having any of the original problems?

    Note: If you did use a flash drive between the 2 computers we're working on now, then it should be disinfected.
  14. Lashire

    Lashire Newcomer, in training Topic Starter Posts: 26

    Still have iexplore.exe running 2 or more times when I do not have IE open, then an additional two open when I do have it open. Thank you so much for your help thus far.

    ComboFix 11-07-10.03 - user 07/10/2011 13:13:00.3.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2079 [GMT -7:00]
    Running from: c:\users\user\Desktop\ComboFix.exe
    Command switches used :: c:\users\user\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-10 to 2011-07-10 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-09 00:45 . 2010-06-09 05:41 -------- d-----w- c:\programdata\Alwil Software
    2011-07-10 20:43 . 2011-07-10 20:43 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-07-10 20:43 . 2011-07-10 20:43 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
    2011-07-10 20:43 . 2011-07-10 20:43 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-07-09 18:34 . 2011-07-09 18:33 525544 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-09 18:33 . 2011-07-09 18:33 -------- d-----w- c:\program files\Java
    2011-07-09 01:40 . 2011-07-09 01:40 -------- d-----w- C:\_OTM
    2011-07-09 01:38 . 2011-06-07 17:10 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBE8C931-D29C-4665-9874-8AC4F1B36CF3}\mpengine.dll
    2011-07-05 07:23 . 2011-07-05 07:23 -------- d-----w- c:\program files (x86)\ESET
    2011-07-04 19:59 . 2011-07-04 20:13 -------- d-----w- c:\programdata\PrevxCSI
    2011-07-04 19:40 . 2011-07-04 19:40 -------- d-----w- c:\users\user\AppData\Local\Apple
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\users\user\AppData\Roaming\SUPERAntiSpyware.com
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\!SASCORE
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-07-03 20:38 . 2011-07-03 20:38 -------- d-----w- c:\programdata\PC Tools
    2011-07-03 20:29 . 2011-07-03 20:29 -------- d-----w- c:\users\Public\Beck's Stories
    2011-06-28 23:34 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
    2011-06-28 23:34 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
    2011-06-15 01:30 . 2011-04-29 13:41 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-06-15 01:30 . 2011-04-29 13:40 145920 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-06-15 01:30 . 2010-12-20 16:59 847360 ----a-w- c:\windows\system32\oleaut32.dll
    2011-06-15 01:30 . 2010-12-20 16:35 563712 ----a-w- c:\windows\SysWow64\oleaut32.dll
    2011-06-15 01:30 . 2011-04-21 14:20 405504 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-06-15 01:30 . 2011-04-30 06:09 758784 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll
    2011-06-15 01:30 . 2011-04-30 06:22 1027584 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
    2011-06-15 01:30 . 2011-04-29 13:39 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-06-15 01:30 . 2011-04-29 13:39 135680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-06-15 01:30 . 2011-04-29 13:39 107008 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-06-15 01:30 . 2011-05-18 13:56 2762752 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-04 11:43 . 2011-03-22 01:30 253888 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-29 16:11 . 2010-03-04 23:53 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-29 16:11 . 2010-03-04 23:53 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-25 02:14 . 2009-10-02 22:20 270720 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-07-05_06.51.32 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 03:20 . 2011-07-05 06:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2011-07-10 19:35 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2011-07-10 19:35 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2011-07-05 06:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2011-07-10 19:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2011-07-05 06:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2011-07-10 20:48 77966 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2008-06-25 23:28 . 2011-07-10 20:48 17186 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3060227821-3039954082-2317688156-1000_UserData.bin
    - 2008-06-25 23:26 . 2011-07-05 06:06 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-06-25 23:26 . 2011-07-10 20:11 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-06-25 23:26 . 2011-07-05 06:06 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-25 23:26 . 2011-07-10 20:11 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-06-25 23:26 . 2011-07-05 06:06 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-06-25 23:26 . 2011-07-10 20:11 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-06-04 00:34 . 2011-07-10 20:46 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-06-04 00:34 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-06-04 00:34 . 2011-07-05 06:49 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-06-04 00:34 . 2011-07-10 20:46 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-06-04 00:34 . 2011-07-10 20:46 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-06-04 00:34 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-09-05 19:17 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-09-05 19:17 . 2011-07-10 20:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-09-05 19:17 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-09-05 19:17 . 2011-07-10 20:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2011-07-05 06:49 . 2011-07-05 06:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-07-10 20:46 . 2011-07-10 20:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-07-10 20:46 . 2011-07-10 20:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-07-05 06:49 . 2011-07-05 06:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2006-11-02 15:45 . 2011-07-10 20:48 264720 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2011-07-09 18:34 . 2011-07-09 18:33 190752 c:\windows\system32\javaws.exe
    + 2011-07-09 18:34 . 2011-07-09 18:33 171808 c:\windows\system32\javaw.exe
    + 2011-07-09 18:34 . 2011-07-09 18:33 171808 c:\windows\system32\java.exe
    - 2010-08-12 17:40 . 2011-07-04 21:49 262144 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
    + 2010-08-12 17:40 . 2011-07-10 20:11 262144 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
    + 2011-07-09 18:33 . 2011-07-09 18:33 680960 c:\windows\Installer\4db25.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-09 39408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
    R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
    R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-09-20 267760]
    R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-09-20 218608]
    R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2009-11-02 16392]
    R3 WinRing0_1_1_1;WinRing0_1_1_1;c:\program files (x86)\RealTemp_2.60\WinRing0x64.sys [2008-01-28 13520]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
    S2 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
    S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-02-23 378984]
    S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
    .
    2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-30 153624]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-30 225816]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-30 199704]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: Sothink SWF Catcher - c:\program files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    TCP: DhcpNameServer = 192.168.0.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - DAEMON Search
    FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    "??"=hex:94,28,83,73,ba,0c,cc,44,2a,a3,5a,be,5b,46,10,cc,8f,ec,e2,4d,e8,e1,54,
    11,d8,db,82,7e,1b,57,70,1c,03,06,db,08,31,26,6b,41,06,44,97,3d,00,fe,8e,7e,\
    "??"=hex:71,7a,e4,82,c8,87,c8,f7,49,a6,c4,3c,0c,e1,c7,54
    .
    [HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\License information*]
    @Allowed: (Read) (RestrictedCode)
    "datasecu"=hex:e9,6c,f9,2d,57,d7,09,c6,e7,6a,59,e1,99,df,c6,56,b4,95,f9,7f,5e,
    62,1d,76,c0,40,37,db,2d,35,35,3c,21,3d,33,a8,fa,f8,1f,30,50,db,14,07,c5,89,\
    "rkeysecu"=hex:d2,9c,3b,97,4c,80,dc,0c,1f,ac,a6,07,6d,4d,64,30
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-10 14:07:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-10 21:07
    ComboFix2.txt 2011-07-09 23:51
    ComboFix3.txt 2011-07-04 19:41
    .
    Pre-Run: 110,105,583,616 bytes free
    Post-Run: 110,854,270,976 bytes free
    .
    - - End Of File - - 76CA3F77FA928FBE36DEB5EFD59B29E7



    All processes killed
    ========== FILES ==========
    File/Folder c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Mcx1
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: user
    ->Temp folder emptied: 216064 bytes
    ->Temporary Internet Files folder emptied: 6122668 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 807 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 6.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 07102011_141109

    Files moved on Reboot...
    File C:\Users\user\AppData\Local\Temp\~DF2601.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DF2606.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DF264B.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DF2650.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DF2676.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DF267B.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DF415E.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DF4DEE.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DFAF9E.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DFAFA4.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DFAFEE.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DFAFF4.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DFB01A.tmp not found!
    File C:\Users\user\AppData\Local\Temp\~DFB01F.tmp not found!
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J14OM03C\client_restserver[1].htm moved successfully.
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EPS75EWU\fw-nonplayer-banner[1].htm moved successfully.
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EPS75EWU\fw-nonplayer-banner[2].htm moved successfully.
    File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EPS75EWU\xd_receiver[1].htm not found!
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AU1DH1ND\ad[1].htm moved successfully.
    File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AU1DH1ND\channels[1].htm not found!
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AU1DH1ND\emily[2].html moved successfully.
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AU1DH1ND\login_status[1].htm moved successfully.

    Registry entries deleted on Reboot...
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Glad to help!

    I put this together soon after IE8 first came out. You might find it 'enlightening!'
    IE8: What Are They Thinking?> http://www.techspot.com/vb/topic124001.html
    ============================================
    I'd like to remove or reset your default search page, homepage and default search engine in Firefox.
    This is what I'm seeing:
    Then I'll have you remove the DAEMON Search Bar in Add/Remove Programs.

    Please let me know if this is okay. (I can do this with script through Combofix)
  16. Lashire

    Lashire Newcomer, in training Topic Starter Posts: 26

    Alright, I'll be waiting for the script when you have a chance. Thank you.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I have not forgotten you. I have been spending time traveling the internet re the following> what you referred to as a "malicious URL."

    IP 64.111.211.158 belongs to ISPrime, which is a hosting site. Please read up on this in my reference below:
    http://research.microsoft.com/en-us/um/redmond/projects/strider/searchranger/
    See #3>>> ISPs against Spammers:

    ISPrime took actions around March 19, 2007, and the spammer moved to 67.15.239.42 (and near-by IP addresses) – see http://whois.domaintools.com/67.15.239.42
    ================================================
    I note you have both Safari and Firefox on the system. And also IE8. I would like you to do the following> you can change back later if you want:
    Open Firefox> Tools> Options> Advanced> System Defaults> Check 'always check to see if Firefox is the default'> Check now> If it is already the default, exit. If it isn't and you get the question 'do you want to make it the default?'> Check Yes> Exit.

    Open Internet Options in either IE Tools or the Control Panel> Select Programs tab> at the bottom of that screen uncheck 'IE should check to see if it's the default'> Exit.

    In Safari, I am not familiar with those settings, but it should have a default entry like those above. You will want to uncheck that.
    =====================================
    Reboot the computer
    ====================================
    Please download ATF Cleaner by Atribune
    This program is for XP, Vista and Windows 2000 only

    • [1] Double-click ATF-Cleaner.exe to run the program.
      [2] Under Main choose: Select All
      [3] Click the Empty Selected button.

      If you use Firefox browser
      [1] Click Firefox at the top and choose:Select All
      [2] Click the Empty Selected button.
      [3] NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    ===============================================
    We need to temporarily disable the CD Emulation> Daemon Tools and Alcohol. (If there are any other programs of this type, please include them also because they can affect the scans.)

    To disable CD Emulation programs using DeFogger please perform these steps:
    1. Please download DeFogger to your desktop.
      Link: http://download.bleepingcomputer.com/jpshortstuff/Defogger.exe
    2. Once downloaded, double-click on the DeFogger icon to start the tool.
    3. The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.
    4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
    5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
    6. If CD Emulation programs are present and have been disabled,

    DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
    ==========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    
    DDS::
    uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    Extra::
    File::
    Firefox::
    Firefox-: - Profile - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
    Firefox-: - prefs.js- Search.DefaultURL
    Firefox-: - prefs.js- Homepage.DefaultURL
    
    RegNull::
    [HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    [HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\License information*]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ==================================================
    Repeat the Eset online virus scan.

    Do not use IE for any of the above.

    Logs and results in next reply.
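    The DDS:: lines in that CFScript are the hook, BHO and toolbar entries DDS reported. As an added illustration (not the thread's tools or output), here is a small Python parser over exactly those lines: it reads each entry, records which hive it lives in (assuming the DDS convention that a 'u' prefix means the current-user hive and 'm' the machine hive, which the thread does not state), groups the live entries by the DLL they load, and separates the orphan CLSID that has no file behind it.

```python
"""Parse DDS-style browser hook lines (the shape of a ComboFix 'DDS::' section)
and summarise what the script would touch.

Added illustration, not the thread's tool output. Assumed, not stated in the
thread: DDS prefixes 'u' and 'm' mean per-user (HKCU) and per-machine (HKLM).
"""
import re
from dataclasses import dataclass

# Line shape: "<prefix><Kind>: [<Name>: ]{CLSID} - <DLL path | No File>"
_LINE = re.compile(
    r"^(?P<kind>[A-Za-z]+):\s*"
    r"(?:(?P<name>[^{]+?):\s*)?"
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"\s*-\s*(?P<target>.+?)\s*$"
)

KINDS = {
    "URLSearchHooks": "URL search hook",
    "BHO": "browser helper object",
    "TB": "toolbar",
}


@dataclass(frozen=True)
class HookEntry:
    kind: str    # key of KINDS
    hive: str    # "HKCU", "HKLM", or "" when the line carries no u/m prefix
    name: str    # display name, "" for nameless entries
    clsid: str   # upper-cased GUID in braces
    target: str  # DLL path, or "No File"

    @property
    def orphan(self) -> bool:
        """True when the CLSID is still registered but its binary is gone."""
        return self.target.lower() == "no file"

    @property
    def dll(self) -> str:
        return "" if self.orphan else self.target.lower()


def parse_line(line: str):
    """Return a HookEntry for one DDS line, or None if it is not a hook line."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    kind, hive = m["kind"], ""
    if kind not in KINDS and kind[0] in "um" and kind[1:] in KINDS:
        hive = "HKCU" if kind[0] == "u" else "HKLM"   # assumed DDS convention
        kind = kind[1:]
    if kind not in KINDS:
        return None
    return HookEntry(kind, hive, (m["name"] or "").strip(), m["clsid"].upper(), m["target"])


def parse_log(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def review(entries):
    """Group live entries by the DLL they load; list orphan CLSIDs separately."""
    by_dll, orphans = {}, []
    for e in entries:
        if e.orphan:
            orphans.append(e.clsid)
        else:
            by_dll.setdefault(e.dll, []).append(e)
    return by_dll, orphans


# Constructed sample: the six DDS lines quoted in the CFScript above.
SAMPLE = r"""
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
"""

if __name__ == "__main__":
    by_dll, orphans = review(parse_log(SAMPLE))
    for dll, hooks in by_dll.items():
        print(dll)
        for h in hooks:
            print(f"  {h.hive or '-':4} {KINDS[h.kind]:22} {h.clsid}  {h.name or '(no name)'}")
    print("orphans:", orphans)
```

    The grouping makes the point of the script visible: one DLL is registered under four different hooks, so all four entries have to go together, while the nameless toolbar CLSID is a leftover registration with nothing on disk.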
  18. Lashire

    Lashire Newcomer, in training Topic Starter Posts: 26

    I am sorry that it took so long to respond. Thank you so far for your help. I had a couple of problems while running the scans you asked for.

    1. After I set Firefox to default and restarted then ran the CFScript, when I started Firefox again to run the scan, it informed me that it was not the default browser. Even though I followed your instructions and checked them twice.

    2. When I ran a search in yahoo to find out how to make Safari default, so I could learn how to ensure that was turned off when I hit the tab for every site with the yahoo redirect it would send me to sites like http://www.shopica.com when I was clicking on an ehow.com link. So, it seems like the redirect is now happening.

    Below are the reports requested:

    ComboFix 11-07-18.04 - user 07/18/2011 18:08:13.4.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2212 [GMT -7:00]
    Running from: c:\users\user\Desktop\ComboFix.exe
    Command switches used :: c:\users\user\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-19 to 2011-07-19 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-09 00:45 . 2010-06-09 05:41 -------- d-----w- c:\programdata\Alwil Software
    2011-07-19 01:38 . 2011-07-19 01:38 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-07-19 01:38 . 2011-07-19 01:38 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
    2011-07-19 01:38 . 2011-07-19 01:38 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-07-19 00:48 . 2011-07-19 00:48 -------- d-----w- c:\users\user\AppData\Local\Apple
    2011-07-16 13:40 . 2011-06-02 13:50 2764288 ----a-w- c:\windows\system32\win32k.sys
    2011-07-16 13:40 . 2011-04-20 16:03 451072 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-16 13:40 . 2011-04-20 15:58 85504 ----a-w- c:\windows\system32\csrsrv.dll
    2011-07-09 18:34 . 2011-07-09 18:33 525544 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-09 18:33 . 2011-07-09 18:33 -------- d-----w- c:\program files\Java
    2011-07-09 01:40 . 2011-07-09 01:40 -------- d-----w- C:\_OTM
    2011-07-09 01:38 . 2011-06-07 17:10 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBE8C931-D29C-4665-9874-8AC4F1B36CF3}\mpengine.dll
    2011-07-05 07:23 . 2011-07-05 07:23 -------- d-----w- c:\program files (x86)\ESET
    2011-07-04 19:59 . 2011-07-04 20:13 -------- d-----w- c:\programdata\PrevxCSI
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\users\user\AppData\Roaming\SUPERAntiSpyware.com
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\!SASCORE
    2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-07-03 20:38 . 2011-07-03 20:38 -------- d-----w- c:\programdata\PC Tools
    2011-07-03 20:29 . 2011-07-03 20:29 -------- d-----w- c:\users\Public\Beck's Stories
    2011-06-28 23:34 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
    2011-06-28 23:34 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-04 11:43 . 2011-03-22 01:30 253888 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-29 16:11 . 2010-03-04 23:53 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-29 16:11 . 2010-03-04 23:53 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-28 06:28 . 2011-06-15 01:29 1147904 ----a-w- c:\windows\system32\wininet.dll
    2011-05-28 06:24 . 2011-06-15 01:29 56832 ----a-w- c:\windows\system32\licmgr10.dll
    2011-05-28 06:23 . 2011-06-15 01:29 1538560 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-05-28 06:23 . 2011-06-15 01:29 132096 ----a-w- c:\windows\system32\iesysprep.dll
    2011-05-28 06:23 . 2011-06-15 01:29 77312 ----a-w- c:\windows\system32\iesetup.dll
    2011-05-28 06:08 . 2011-06-15 01:29 916480 ----a-w- c:\windows\SysWow64\wininet.dll
    2011-05-28 06:04 . 2011-06-15 01:29 43520 ----a-w- c:\windows\SysWow64\licmgr10.dll
    2011-05-28 06:04 . 2011-06-15 01:29 1469440 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2011-05-28 06:04 . 2011-06-15 01:29 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll
    2011-05-28 06:04 . 2011-06-15 01:29 71680 ----a-w- c:\windows\SysWow64\iesetup.dll
    2011-05-28 05:33 . 2011-06-15 01:29 479232 ----a-w- c:\windows\system32\html.iec
    2011-05-28 05:10 . 2011-06-15 01:29 385024 ----a-w- c:\windows\SysWow64\html.iec
    2011-05-28 04:53 . 2011-06-15 01:29 162816 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-05-28 04:52 . 2011-06-15 01:29 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-05-28 04:33 . 2011-06-15 01:29 133632 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2011-05-28 04:31 . 2011-06-15 01:29 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2011-05-25 02:14 . 2009-10-02 22:20 270720 ------w- c:\windows\system32\MpSigStub.exe
    2011-05-02 17:16 . 2011-06-15 01:29 739328 ----a-w- c:\windows\SysWow64\inetcomm.dll
    2011-05-02 17:13 . 2011-06-15 01:29 975360 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 13:41 . 2011-06-15 01:30 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-04-29 13:40 . 2011-06-15 01:30 145920 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-04-29 13:39 . 2011-06-15 01:30 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2011-04-29 13:39 . 2011-06-15 01:30 135680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-29 13:39 . 2011-06-15 01:30 107008 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2011-04-21 14:20 . 2011-06-15 01:30 405504 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-07-05_06.51.32 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-21 03:20 . 2011-07-10 19:35 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2011-07-05 06:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-01-21 03:20 . 2011-07-05 06:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 03:20 . 2011-07-10 19:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2011-07-19 01:42 78104 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2008-06-25 23:28 . 2011-07-19 01:42 17742 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3060227821-3039954082-2317688156-1000_UserData.bin
    + 2011-07-16 13:40 . 2009-06-17 10:37 35328 c:\windows\system32\DriverStore\FileRepository\bth.inf_204106c4\BTHUSB.SYS
    + 2009-09-11 00:12 . 2009-04-11 05:39 26112 c:\windows\system32\DriverStore\FileRepository\bth.inf_204106c4\bthenum.sys
    + 2008-06-25 23:26 . 2011-07-18 13:15 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-06-25 23:26 . 2011-07-05 06:06 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-06-25 23:26 . 2011-07-05 06:06 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2011-07-12 12:41 . 2011-07-18 13:15 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-06-25 23:26 . 2011-07-05 06:06 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-06-25 23:26 . 2011-07-18 13:15 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-06-04 00:34 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-06-04 00:34 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-07-03 20:11 . 2011-07-19 00:39 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2011-07-03 20:11 . 2011-07-03 20:11 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2011-07-03 20:11 . 2011-07-19 00:39 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
    - 2011-07-03 20:11 . 2011-07-03 20:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
    - 2011-07-03 20:11 . 2011-07-03 20:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
    + 2011-07-03 20:11 . 2011-07-19 00:39 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
    + 2009-06-04 00:34 . 2011-07-19 01:40 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-06-04 00:34 . 2011-07-05 06:49 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-06-04 00:34 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-06-04 00:34 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-09-05 19:17 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-09-05 19:17 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-09-05 19:17 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-09-05 19:17 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-06-26 00:18 . 2011-07-17 13:53 35088 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\oisicon.exe
    - 2008-06-26 00:18 . 2011-06-15 12:39 35088 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\oisicon.exe
    + 2008-06-26 00:18 . 2011-07-17 13:53 18704 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\mspicons.exe
    - 2008-06-26 00:18 . 2011-06-15 12:39 18704 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\mspicons.exe
    + 2008-06-26 00:18 . 2011-07-17 13:53 20240 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\cagicon.exe
    - 2008-06-26 00:18 . 2011-06-15 12:39 20240 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\cagicon.exe
    + 2006-11-02 12:40 . 2011-07-17 14:27 86016 c:\windows\inf\infstor.dat
    - 2006-11-02 12:40 . 2011-04-28 23:04 86016 c:\windows\inf\infstor.dat
    - 2006-11-02 12:40 . 2011-04-28 23:04 51200 c:\windows\inf\infpub.dat
    + 2006-11-02 12:40 . 2011-07-17 14:27 51200 c:\windows\inf\infpub.dat
    - 2011-07-05 06:49 . 2011-07-05 06:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-07-19 01:40 . 2011-07-19 01:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-07-05 06:49 . 2011-07-05 06:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2011-07-19 01:40 . 2011-07-19 01:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2006-11-02 15:45 . 2011-07-19 01:42 264720 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2011-07-09 18:34 . 2011-07-09 18:33 190752 c:\windows\system32\javaws.exe
    + 2011-07-09 18:34 . 2011-07-09 18:33 171808 c:\windows\system32\javaw.exe
    + 2011-07-09 18:34 . 2011-07-09 18:33 171808 c:\windows\system32\java.exe
    + 2006-11-02 15:21 . 2011-07-18 13:09 474544 c:\windows\system32\FNTCACHE.DAT
    - 2006-11-02 15:21 . 2011-06-16 00:38 474544 c:\windows\system32\FNTCACHE.DAT
    + 2009-09-11 00:13 . 2009-04-11 07:10 204288 c:\windows\system32\DriverStore\FileRepository\bth.inf_204106c4\fsquirt.exe
    + 2011-07-16 13:40 . 2011-04-21 14:17 695296 c:\windows\system32\DriverStore\FileRepository\bth.inf_204106c4\bthport.sys
    - 2010-08-12 17:40 . 2011-07-04 21:49 262144 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
    + 2010-08-12 17:40 . 2011-07-10 20:11 262144 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
    + 2011-07-09 18:33 . 2011-07-09 18:33 680960 c:\windows\Installer\4db25.msi
    - 2008-06-26 00:18 . 2011-06-15 12:39 888080 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\wordicon.exe
    + 2008-06-26 00:18 . 2011-07-17 13:53 888080 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\wordicon.exe
    - 2008-06-26 00:18 . 2011-06-15 12:39 272648 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pubs.exe
    + 2008-06-26 00:18 . 2011-07-17 13:53 272648 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pubs.exe
    - 2008-06-26 00:18 . 2011-06-15 12:39 922384 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pptico.exe
    + 2008-06-26 00:18 . 2011-07-17 13:53 922384 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pptico.exe
    + 2008-06-26 00:18 . 2011-07-17 13:53 845584 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe
    - 2008-06-26 00:18 . 2011-06-15 12:39 845584 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe
    + 2008-06-26 00:18 . 2011-07-17 13:53 217864 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\misc.exe
    - 2008-06-26 00:18 . 2011-06-15 12:39 217864 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\misc.exe
    - 2006-11-02 12:40 . 2011-04-28 23:04 143360 c:\windows\inf\infstrng.dat
    + 2006-11-02 12:40 . 2011-07-17 14:27 143360 c:\windows\inf\infstrng.dat
    - 2006-11-02 12:40 . 2009-09-11 00:37 665600 c:\windows\inf\drvindex.dat
    + 2006-11-02 12:40 . 2011-07-17 14:27 665600 c:\windows\inf\drvindex.dat
    + 2011-06-21 19:01 . 2011-06-21 19:01 4991488 c:\windows\Installer\475d1.msp
    + 2008-06-26 00:18 . 2011-07-17 13:53 1172240 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\xlicons.exe
    - 2008-06-26 00:18 . 2011-06-15 12:39 1172240 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\xlicons.exe
    + 2008-06-26 00:18 . 2011-07-17 13:53 1165584 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\accicons.exe
    - 2008-06-26 00:18 . 2011-06-15 12:39 1165584 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\accicons.exe
    + 2006-11-02 12:33 . 2011-07-17 14:27 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
    - 2006-11-02 12:33 . 2011-06-29 12:41 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
    + 2006-11-02 12:35 . 2011-07-17 13:53 50867144 c:\windows\system32\mrt.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-09 39408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
    R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
    R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-09-20 267760]
    R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-09-20 218608]
    R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2009-11-02 16392]
    R3 WinRing0_1_1_1;WinRing0_1_1_1;c:\program files (x86)\RealTemp_2.60\WinRing0x64.sys [2008-01-28 13520]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
    S2 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
    S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-02-23 378984]
    S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
    .
    2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-30 153624]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-30 225816]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-30 199704]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: Sothink SWF Catcher - c:\program files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    TCP: DhcpNameServer = 192.168.0.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - DAEMON Search
    FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Veoh Browser Plug-in: videofinder@veoh.com - c:\program files (x86)\Veoh Networks\Veoh\Plugins\noreg\VideoFinder4
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\user\AppData\Roaming\Move Networks
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-18 19:01:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-19 02:01
    ComboFix2.txt 2011-07-10 21:07
    ComboFix3.txt 2011-07-09 23:51
    ComboFix4.txt 2011-07-04 19:41
    .
    Pre-Run: 107,742,191,616 bytes free
    Post-Run: 107,689,209,856 bytes free
    .
    - - End Of File - - BE2292A6CA3063693CA0B694AB7F472E

    Eset Scan:

    C:\_OTM\MovedFiles\07082011_184016\C_Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE_v4.exe probably a variant of Win32/Agent.KSZVEEK trojan
    C:\_OTM\MovedFiles\07082011_184016\C_Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE\Setup-RE.exe probably a variant of Win32/Agent.KSZVEEK trojan
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    For Safari: The selection can be changed in the Safari Preferences->General pane.

    Please give me an update on how the system is running. Did you read the information link I left for IE8?
  20. Lashire

    Lashire Newcomer, in training Topic Starter Posts: 26

    1. Yes, I did. Should I simply upgrade it to IE9 or see about uninstalling it completely?

    2. It seems no one uses Safari, so I would like to uninstall that if I get the go ahead from you.

    3. Whenever on any browser I use any type of redirecting link, for instance on yahoo searches when you click on a link and it uses the yahoo redirect, it then sends me to a different page than what I clicked on.

    4. Every time I open up Firefox, it sends me to both my start up page and the Daemon search page. I would like it not to do the latter. Does not do it in IE.
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    1. Yes, I did. Should I simply upgrade it to IE9 or see about uninstalling it completely? Neither at this time.
    2. It seems no one uses Safari, so I would like to uninstall that if I get the go ahead from you. Go ahead and uninstall.
    3. Okay, thanks.
    4. Resetting Firefox with script below:
    ==============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: Be sure to scroll down to include ALL lines.
    Code:
    File::
    DDS::
    uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
    TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    Extra::
    File::
    Firefox::
    Firefox-: - Profile-c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
    Firefox-: - prefs.js- Search.DefaultURL
    Firefox-: - prefs.js- Homepage.DefaultURL
    RegNull::
    [HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    [HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\License information*]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ==========================================
    If Daemon still shows in FF Home page: Tools> Options> Main section> Set only the one homepage you want> Click 'use current.' Be sure 'use bookmark' isn't checked.
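The helper's diagnosis above rests on reading the "Supplementary Scan" lines of the ComboFix log by eye: the Firefox homepage pref holds two pipe-separated URLs (one of them the DAEMON search page) and the selected search engine is not the one the user chose. The following is an added example, not ComboFix's code and not anything posted in this thread, showing how that triage can be automated over log lines in ComboFix's defanged "hxxp" format. The sample excerpt is constructed from the format seen in the log, and the trusted-host and trusted-engine sets are assumptions standing in for whatever the user confirms they set on purpose.

```python
"""Triage the browser-settings lines of a ComboFix log for hijack indicators.

Added example (not ComboFix's own code). The sample log excerpt below is
constructed in the "Supplementary Scan" format ComboFix prints; the
TRUSTED_* sets are assumptions for the demo, not something ComboFix defines.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a few Supplementary Scan lines, defanged with "hxxp".
SAMPLE_LOG = """\
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
"""

# Assumed allowlists: what the user says they configured deliberately.
TRUSTED_HOSTS = {"www.yahoo.com", "search.yahoo.com"}
TRUSTED_ENGINES = {"Yahoo", "Google"}

_FF_PREF = re.compile(r"^FF - prefs\.js: (?P<name>\S+) - (?P<value>.*)$")
_IE_PAGE = re.compile(r"^(?P<scope>[um])Start Page = (?P<value>.*)$")
# Accept both defanged (hxxp) and live (http) schemes; stop the host at
# the first "/", "|", "?" or "#" so pipe-joined homepage lists split cleanly.
_HOST = re.compile(r"^h(?:xx|tt)ps?://([^/|?#]+)", re.I)


def host_of(url):
    """Return the lowercase host of a (possibly defanged) URL, or None."""
    m = _HOST.match(url.strip())
    return m.group(1).lower() if m else None


@dataclass
class BrowserSettings:
    ie_start_pages: dict = field(default_factory=dict)  # "u" (user) / "m" (machine)
    ff_prefs: dict = field(default_factory=dict)        # pref name -> raw value


def parse_browser_settings(log_text):
    """Pull IE start pages and Firefox prefs.js entries out of a ComboFix log."""
    settings = BrowserSettings()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _IE_PAGE.match(line)
        if m:
            settings.ie_start_pages[m.group("scope")] = m.group("value")
            continue
        m = _FF_PREF.match(line)
        if m:
            settings.ff_prefs[m.group("name")] = m.group("value")
    return settings


def find_hijack_indicators(settings, trusted_hosts=TRUSTED_HOSTS,
                           trusted_engines=TRUSTED_ENGINES):
    """Return (setting, value) pairs that point somewhere the user did not choose."""
    findings = []
    # Firefox opens every "|"-separated homepage entry in its own tab, which is
    # exactly the "start page plus DAEMON page" behaviour described in the thread.
    homepage = settings.ff_prefs.get("browser.startup.homepage", "")
    for url in filter(None, homepage.split("|")):
        h = host_of(url)
        if h and h not in trusted_hosts:
            findings.append(("browser.startup.homepage", url))
    # Search-related URL prefs are a common redirect hook; check their hosts too.
    for name in ("browser.search.defaulturl", "keyword.URL"):
        value = settings.ff_prefs.get(name)
        if value:
            h = host_of(value)
            if h and h not in trusted_hosts:
                findings.append((name, value))
    engine = settings.ff_prefs.get("browser.search.selectedEngine")
    if engine and engine not in trusted_engines:
        findings.append(("browser.search.selectedEngine", engine))
    # IE user/machine start pages get the same host check.
    for scope, value in settings.ie_start_pages.items():
        h = host_of(value)
        if h and h not in trusted_hosts:
            findings.append((f"{scope}Start Page", value))
    return findings


if __name__ == "__main__":
    parsed = parse_browser_settings(SAMPLE_LOG)
    for setting, value in find_hijack_indicators(parsed):
        print(f"suspect {setting}: {value}")
```

Run against the constructed excerpt it reports only the two DAEMON entries (the extra homepage URL and the selected search engine) and leaves the Yahoo entries alone; feeding it a real log means pasting the "Supplementary Scan" block in place of SAMPLE_LOG and adjusting the two allowlists to what the user actually set.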
  22. Lashire

    Lashire Newcomer, in training Topic Starter Posts: 26

    ComboFix 11-08-08.02 - user 08/08/2011 14:42:55.5.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2053 [GMT -7:00]
    Running from: c:\users\user\Desktop\ComboFix.exe
    Command switches used :: c:\users\user\Desktop\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-08 to 2011-08-08 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-09 00:45 . 2010-06-09 05:41 -------- d-----w- c:\programdata\Alwil Software
    2011-08-08 22:14 . 2011-08-08 22:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-08-08 22:14 . 2011-08-08 22:14 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-08-08 22:14 . 2011-08-08 22:14 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
    2011-08-08 22:14 . 2011-08-08 22:14 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-07-19 00:48 . 2011-07-19 00:48 -------- d-----w- c:\users\user\AppData\Local\Apple
    2011-07-16 13:40 . 2011-06-02 13:50 2764288 ----a-w- c:\windows\system32\win32k.sys
    2011-07-16 13:40 . 2011-04-20 16:03 451072 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-16 13:40 . 2011-04-20 15:58 85504 ----a-w- c:\windows\system32\csrsrv.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-09 18:33 . 2011-07-09 18:34 525544 ----a-w- c:\windows\system32\deployJava1.dll
    2011-07-04 11:43 . 2011-03-22 01:30 253888 ----a-w- c:\windows\system32\aswBoot.exe
    2011-06-07 17:10 . 2011-07-09 01:38 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBE8C931-D29C-4665-9874-8AC4F1B36CF3}\mpengine.dll
    2011-05-29 16:11 . 2010-03-04 23:53 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
    2011-05-29 16:11 . 2010-03-04 23:53 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-28 06:28 . 2011-06-15 01:29 1147904 ----a-w- c:\windows\system32\wininet.dll
    2011-05-28 06:24 . 2011-06-15 01:29 56832 ----a-w- c:\windows\system32\licmgr10.dll
    2011-05-28 06:23 . 2011-06-15 01:29 1538560 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-05-28 06:23 . 2011-06-15 01:29 132096 ----a-w- c:\windows\system32\iesysprep.dll
    2011-05-28 06:23 . 2011-06-15 01:29 77312 ----a-w- c:\windows\system32\iesetup.dll
    2011-05-28 06:08 . 2011-06-15 01:29 916480 ----a-w- c:\windows\SysWow64\wininet.dll
    2011-05-28 06:04 . 2011-06-15 01:29 43520 ----a-w- c:\windows\SysWow64\licmgr10.dll
    2011-05-28 06:04 . 2011-06-15 01:29 1469440 ----a-w- c:\windows\SysWow64\inetcpl.cpl
    2011-05-28 06:04 . 2011-06-15 01:29 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll
    2011-05-28 06:04 . 2011-06-15 01:29 71680 ----a-w- c:\windows\SysWow64\iesetup.dll
    2011-05-28 05:33 . 2011-06-15 01:29 479232 ----a-w- c:\windows\system32\html.iec
    2011-05-28 05:10 . 2011-06-15 01:29 385024 ----a-w- c:\windows\SysWow64\html.iec
    2011-05-28 04:53 . 2011-06-15 01:29 162816 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-05-28 04:52 . 2011-06-15 01:29 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-05-28 04:33 . 2011-06-15 01:29 133632 ----a-w- c:\windows\SysWow64\ieUnatt.exe
    2011-05-28 04:31 . 2011-06-15 01:29 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2011-05-25 02:14 . 2009-10-02 22:20 270720 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((( SnapShot_2011-07-19_01.42.46 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 03:20 . 2011-07-10 19:35 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2011-07-20 13:10 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-07-20 13:10 . 2011-07-20 13:10 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2011-07-10 19:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 03:20 . 2011-07-20 13:10 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2011-08-08 21:15 78340 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2008-06-25 23:28 . 2011-08-08 21:15 17906 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3060227821-3039954082-2317688156-1000_UserData.bin
    - 2008-06-25 23:26 . 2011-07-18 13:15 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-06-25 23:26 . 2011-08-08 12:29 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2011-07-12 12:41 . 2011-07-18 13:15 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2011-07-12 12:41 . 2011-08-08 12:29 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-06-25 23:26 . 2011-07-18 13:15 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-06-25 23:26 . 2011-08-08 12:29 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-06-04 00:34 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-06-04 00:34 . 2011-08-08 22:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-07-03 20:11 . 2011-08-08 21:13 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2011-07-03 20:11 . 2011-07-19 00:39 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2011-07-03 20:11 . 2011-08-08 21:13 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
    - 2011-07-03 20:11 . 2011-07-19 00:39 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
    - 2011-07-03 20:11 . 2011-07-19 00:39 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
    + 2011-07-03 20:11 . 2011-08-08 21:13 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
    + 2009-06-04 00:34 . 2011-08-08 22:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-06-04 00:34 . 2011-07-19 01:40 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-06-04 00:34 . 2011-08-08 22:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-06-04 00:34 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-09-05 19:17 . 2011-08-08 22:17 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-09-05 19:17 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2008-09-05 19:17 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-09-05 19:17 . 2011-08-08 22:17 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2011-08-08 21:23 . 2011-08-08 21:23 22016 c:\windows\Installer\50382.msi
    - 2011-07-19 01:40 . 2011-07-19 01:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-08-08 22:17 . 2011-08-08 22:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2011-08-08 22:17 . 2011-08-08 22:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-07-19 01:40 . 2011-07-19 01:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    + 2006-11-02 15:45 . 2011-08-08 21:15 265168 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn3\YTNavAssist.dll" [2011-03-16 214840]
    .
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-09 39408]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
    R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
    R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
    R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-09-20 267760]
    R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-09-20 218608]
    R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2009-11-02 16392]
    R3 WinRing0_1_1_1;WinRing0_1_1_1;c:\program files (x86)\RealTemp_2.60\WinRing0x64.sys [2008-01-28 13520]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
    S2 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
    S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-02-23 378984]
    S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
    .
    2011-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-30 153624]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-30 225816]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-30 199704]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.yahoo.com/
    mStart Page = hxxp://www.yahoo.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
    IE: Sothink SWF Catcher - c:\program files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    TCP: DhcpNameServer = 192.168.0.1
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - DAEMON Search
    FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Veoh Browser Plug-in: videofinder@veoh.com - c:\program files (x86)\Veoh Networks\Veoh\Plugins\noreg\VideoFinder4
    FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\user\AppData\Roaming\Move Networks
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-08 15:44:03 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-08 22:43
    ComboFix2.txt 2011-07-19 02:02
    ComboFix3.txt 2011-07-10 21:07
    ComboFix4.txt 2011-07-09 23:51
    ComboFix5.txt 2011-08-08 21:26
    .
    Pre-Run: 107,811,287,040 bytes free
    Post-Run: 109,924,392,960 bytes free
    .
    - - End Of File - - 83DBCF05ABC55FE217C4B83679517AEC

    It is still redirecting whenever a redirect link is being used but not when you type in the URL.
  23. Bobbye, Helper on the Fringe

    Checking my list to make sure everything previously given has been:
    1. Disable Daemon?
    2. Did you run Java Ra, the update to current v6u26, then empty Java cache?
    3. These are file sharing programs. I recommend uninstalling them for the safety of the system: Torrent, LimeWire. The reasons:
    • Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.
    Please read the information on P2P Warning to help you better understand these dangers.
    ---------------------
    4. Update Mozilla Firefox (3.6.15)>> at least v3.6.18 or upgrade to v4 or v5
    5. Spybot - Search & Destroy TeaTimer off?:
    • Right click the TeaTimer icon in the system Tray
    • Then click Exit Spybot-S&D Resident
    • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe)
    ------------------
    6. Updates? Only Office, no Windows updates?
    7. "However, it will warn me of the attempt to redirect even though the computer is not in use" >> What warns you? Stopzilla?
    8. Recommend you uninstall Stopzilla. I use the WOT Site Advisor, which rates sites as Green=okay, Amber=be careful and Red=major problems. The home site for Stopzilla is rated RED in all 4 categories: Vendor Reliability, Trustworthiness, Child Safety and Privacy. If their home site fails all 4, you do not want the program on the system.
    ---------------------
    9. 4 Registry entries for Yahoo Companion Assist, frequently bundled in a program you download. The entire package includes the Recuva/Piriform file recovery. These may have been prechecked on a download screen or may just have been bundled without your knowledge or permission. I can remove the registry entries with a script.
    -------------------
    10. Start page set to blank page?
    11. Firefox: Did you set the following:
    FF - prefs.js: browser.search.selectedEngine - DAEMON Search
    FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com

    If you will address these please, we should be able to finish up.
  24. Lashire, Topic Starter

    I couldn't find a way to disable it in firefox. I did discover that the reason the page was opening was because it was set to do that in my start up options.

    Yes

    Uninstalled.

    Updated and now Firefox crashes whenever I start it up. Updated it, then uninstalled, then tried a fresh install and it still crashes.

    It was already off.

    Every time I try to run an update for the computer, it fails saying it couldn't download them.

    It was Avast that for some reason is no longer installed on this computer.

    Cannot find Stopzilla anywhere on this computer to remove it.

    ---------------------
    Alright.

    I am not certain what I am meant to do with the last two here. Thank you for your help.
  25. Bobbye, Helper on the Fringe

    #10/11: Did you set any browser homepage to open as a blank page?
    Did you set DAEMON Search to be the selected Firefox search engine?
    -------------------------------------
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\winsrv.dll
    FileLook::
    c:\windows\system32\csrsrv.dll
    Folder::
    c:\windows\system32\config\systemprofile\AppData\Local\temp
    c:\users\Public\AppData\Local\temp
    c:\users\Mcx1\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    Extra::
    File::
    Firefox::
    Firefox-: -Profile -c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
    Firefox-:- prefs.js - Starup.HomepageURL
    Firefox-: prefs.js- Search.DefaultURL
    Firefox-: prefs.js- Browser.Search.SelectedEngine 
    Registry::
    [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
    [HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
    [HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Download Security Check by screen317 from one of these links:
    Link 1
    Link 2
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    ==================================================
    I am concerned about the lack of security updates: Vista: Installed 3 years ago, 2008
    Updates only for MS Office 2007
    NET Framework
    No SP
    ==============================================
    I am also concerned by the lengthy pauses between posts. If the computer is being used during these times, it can mean that the previous logs and/or instructions are no longer appropriate. I have given you several scripts to run, so this may be the last, unless we start over. I found a new entry which is of concern.
    ============================================
    Please update and run Malwarebytes again and leave a new log.

    Logs to leave:
    New Combofix
    Security Check
    Malwarebytes
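Items 10/11 in post 23 and the Firefox:: section of the CFScript in post 25 come down to one check: do the Firefox prefs.js search and homepage entries in the DDS log still point where the user set them, or have they been redirected (here to my.daemon-search.com and the "DAEMON Search" engine)? The same log also shows two drivers (dtsoftbus01, AtcL001) whose entries end in [x], which is how DDS marks a service or driver whose image file is not on disk. The following Python script is an added example, not code from this thread, from DDS or from ComboFix: it parses a constructed excerpt modelled on the lines quoted above and flags both conditions. The "expected" hosts and search engine (yahoo.com, "Yahoo") are an assumption standing in for whatever the user says they actually chose.

```python
"""
Triage a DDS/ComboFix-style log excerpt: flag services/drivers whose image
file is missing ([x]) and Firefox prefs.js entries that point somewhere the
user did not choose. Added example for this thread; the sample log below is
constructed from lines quoted in the thread, not the full log.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a handful of lines modelled on the DDS log posted above.
SAMPLE_LOG = r"""
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
"""

# Assumption: the hosts and search engine the user says they chose themselves.
EXPECTED_HOSTS = {"www.yahoo.com", "search.yahoo.com"}
EXPECTED_ENGINES = {"Yahoo"}

# DDS service/driver line: "<start type> <name>;<display name>;<image path> [<date size> | x]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
# DDS Firefox pref line: "FF - prefs.js: <pref> - <value>"
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
# Prefs whose value is one or more URLs (the homepage may hold several joined by '|')
URL_PREFS = {"browser.startup.homepage", "browser.search.defaulturl", "keyword.URL"}


def parse_services(text):
    """Return one dict per service/driver line; 'missing' is True for the [x] marker."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, tag = m.groups()
            out.append({"start": start, "name": name, "display": display,
                        "path": path, "missing": tag.strip().lower() == "x"})
    return out


def parse_ff_prefs(text):
    """Return {pref_name: value} for the 'FF - prefs.js:' lines."""
    prefs = {}
    for line in text.splitlines():
        m = FF_PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def refang(url):
    """DDS defangs URLs as hxxp://; restore the scheme so urlsplit can parse them."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def hosts_in(value):
    """Hosts referenced by a pref value (several URLs may be joined by '|')."""
    hosts = []
    for part in value.split("|"):
        host = urlsplit(refang(part.strip())).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def flag_ff_hijack(prefs, expected_hosts=EXPECTED_HOSTS, expected_engines=EXPECTED_ENGINES):
    """Return (pref, offending host or engine) pairs for prefs outside the expected set."""
    findings = []
    for pref, value in prefs.items():
        if pref in URL_PREFS:
            for host in hosts_in(value):
                if host not in expected_hosts:
                    findings.append((pref, host))
        elif pref == "browser.search.selectedEngine" and value not in expected_engines:
            findings.append((pref, value))
    return findings


def triage(text):
    """Summary: drivers/services with no image on disk, and hijacked Firefox prefs."""
    return {
        "missing_image": [s["name"] for s in parse_services(text) if s["missing"]],
        "ff_findings": flag_ff_hijack(parse_ff_prefs(text)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name in result["missing_image"]:
        print(f"service/driver whose image file is missing: {name}")
    for pref, what in result["ff_findings"]:
        print(f"Firefox pref {pref} points at an unexpected value: {what}")
```

On the sample it reports dtsoftbus01 and AtcL001 as drivers with no image file, and flags browser.startup.homepage (my.daemon-search.com) and browser.search.selectedEngine (DAEMON Search) while leaving the yahoo.com entries alone. A missing image on a DAEMON Tools driver after an uninstall is a leftover, not an infection, but the same [x] pattern on an unfamiliar driver name is worth a closer look; the Firefox findings are exactly the prefs the CFScript above resets.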