TechSpot

Unwanted Google redirects

By Chadh90
Dec 27, 2011
  1. MBAM

    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122703

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    12/27/2011 8:33:52 AM
    mbam-log-2011-12-27 (08-33-52).txt

    Scan type: Quick scan
    Objects scanned: 173417
    Time elapsed: 4 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Nothing returned from GMER

    DDS Logs

    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
    Run by Chad at 9:27:46 on 2011-12-27
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2008.965 [GMT -8:00]
    .
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\STacSV64.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe
    C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
    C:\Program Files (x86)\Dell\DellComms\bin\sprtsvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
    C:\Windows\system32\svchost.exe -k HPService
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\IDT\WDM\sttray64.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files (x86)\WhatPulse\WhatPulse.exe
    C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
    C:\Program Files (x86)\Dell\DellComms\bin\sprtcmd.exe
    C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    C:\Program Files (x86)\dcmsvc\dcmsvc.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Roxio\Roxio Burn\Roxio Burn.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
    c:\Program Files\Zune\ZuneNss.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\SysWOW64\NOTEPAD.EXE
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\SysWOW64\ping.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: H - No File
    mWinlogon: Userinit=userinit.exe,
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
    uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
    uRun: [WhatPulse] C:\Program Files (x86)\WhatPulse\WhatPulse.exe
    uRun: [Google Update] "C:\Users\Chad\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    mRun: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
    mRun: [DellComms] "C:\Program Files (x86)\Dell\DellComms\bin\sprtcmd.exe" /P DellComms
    mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    mRun: [<NO NAME>]
    mRun: [dcmsvc] C:\Program Files (x86)\dcmsvc\dcmsvc.exe
    StartupFolder: C:\Users\Chad\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\WARNER~1.LNK - C:\Program Files (x86)\Warner Bros. Digital Copy Manager\Warner Bros. Digital Copy Manager.exe
    StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    uPolicies-explorer: HideSCAHealth = 1 (0x1)
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - C:\PROGRA~2\MIF5BA~1\Office14\ONBttnIE.dll/105
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    LSP: mswsock.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
    TCP: DhcpNameServer = 68.87.69.150 68.87.85.102
    TCP: Interfaces\{016372CE-E178-48ED-8FA8-C50958B36FFB} : DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{C987CAC3-15E8-46BB-A23C-3F411D5C7654} : DhcpNameServer = 68.87.69.150 68.87.85.102
    TCP: Interfaces\{C987CAC3-15E8-46BB-A23C-3F411D5C7654}\157756374775966496 : DhcpNameServer = 192.168.9.1 64.134.255.2 64.134.255.10
    TCP: Interfaces\{C987CAC3-15E8-46BB-A23C-3F411D5C7654}\35072796E64702D49664962323030302641393 : DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{C987CAC3-15E8-46BB-A23C-3F411D5C7654}\C416E6E6160264275656027596026496 : DhcpNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{C987CAC3-15E8-46BB-A23C-3F411D5C7654}\D61627B686561647865627 : DhcpNameServer = 68.87.69.150 68.87.85.102
    TCP: Interfaces\{EAE63EA9-3B1D-4B44-915B-CC50EB7539CA} : DhcpNameServer = 192.168.42.129
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
    Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
    SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
    BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO-X64: 0x1 - No File
    BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
    BHO-X64: HP Print Enhancer - No File
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
    BHO-X64: URLRedirectionBHO - No File
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    BHO-X64: HP Smart BHO Class - No File
    TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
    mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    mRun-x64: [Desktop Disc Tool] "c:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
    mRun-x64: [DellComms] "C:\Program Files (x86)\Dell\DellComms\bin\sprtcmd.exe" /P DellComms
    mRun-x64: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    mRun-x64: [(Default)]
    mRun-x64: [dcmsvc] C:\Program Files (x86)\dcmsvc\dcmsvc.exe
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\rq3ekd22.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPAUTHZ.DLL
    FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Users\Chad\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: C:\Users\Chad\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
    FF - plugin: C:\Users\Chad\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
    R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
    R2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [2010-5-31 89600]
    R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
    R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
    R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-9-14 508264]
    R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-6-30 660800]
    R2 sprtsvc_DellComms;SupportSoft Sprocket Service (DellComms);C:\Program Files (x86)\Dell\DellComms\bin\sprtsvc.exe [2009-5-5 206064]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
    R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
    R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
    R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
    R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
    R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-9-14 219496]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-18 169312]
    S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;C:\Program Files\Zune\WMZuneComm.exe [2010-11-11 306416]
    S3 WSDPrintDevice;WSD Print Support via UMB;C:\Windows\system32\DRIVERS\WSDPrint.sys --> C:\Windows\system32\DRIVERS\WSDPrint.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-12-27 14:37:17 -------- d-----w- C:\ProgramData\PC Tools
    2011-12-27 14:17:59 2 --shatr- C:\Windows\winstart.bat
    2011-12-27 14:17:54 -------- d-----w- C:\Program Files (x86)\UnHackMe
    2011-12-13 23:34:54 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
    2011-12-13 23:34:54 2048 ----a-w- C:\Windows\System32\tzres.dll
    2011-12-12 18:45:07 555992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
    2011-12-12 18:45:07 486360 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
    2011-12-12 18:45:07 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
    2011-12-12 18:45:06 633816 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
    2011-12-08 18:35:32 -------- d-----w- C:\Users\Chad\AppData\Roaming\Malwarebytes
    2011-12-08 18:29:46 -------- d-----w- C:\ProgramData\Malwarebytes
    2011-12-08 18:29:42 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2011-12-08 18:29:41 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
    2011-12-08 14:44:32 -------- d-----we C:\Windows\system64
    .
    ==================== Find3M ====================
    .
    2011-11-24 05:00:47 3141632 ----a-w- C:\Windows\System32\win32k.sys
    2011-11-05 05:26:29 1197568 ----a-w- C:\Windows\System32\wininet.dll
    2011-11-05 05:23:10 57856 ----a-w- C:\Windows\System32\licmgr10.dll
    2011-11-05 04:35:50 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
    2011-11-05 04:34:15 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
    2011-11-05 04:07:32 482816 ----a-w- C:\Windows\System32\html.iec
    2011-11-05 03:28:41 386048 ----a-w- C:\Windows\SysWow64\html.iec
    2011-11-05 03:25:44 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
    2011-11-05 02:55:38 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2011-10-30 19:35:43 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-10-26 05:19:07 43520 ----a-w- C:\Windows\System32\csrsrv.dll
    2011-10-26 00:53:25 1409 ----a-w- C:\Windows\SysWow64\tmpF0E42.FOT
    2011-10-26 00:53:25 1409 ----a-w- C:\Windows\SysWow64\tmpD5E42.FOT
    2011-10-26 00:53:25 1409 ----a-w- C:\Windows\SysWow64\tmp37D42.FOT
    2011-10-26 00:53:25 1409 ----a-w- C:\Windows\SysWow64\tmp1CD42.FOT
    2011-10-26 00:53:24 1409 ----a-w- C:\Windows\SysWow64\tmpA7C42.FOT
    2011-10-26 00:53:24 1409 ----a-w- C:\Windows\SysWow64\tmp8CC42.FOT
    2011-10-15 06:25:12 723456 ----a-w- C:\Windows\System32\EncDec.dll
    2011-10-15 05:48:52 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
    2011-09-29 16:24:44 1897328 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    .
    ============= FINISH: 9:28:21.62 ===============


    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/21/2010 4:42:28 PM
    System Uptime: 12/27/2011 8:25:14 AM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 0G848F
    Processor: Pentium(R) Dual-Core CPU T4500 @ 2.30GHz | Microprocessor | 1196/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 218 GiB total, 151.325 GiB free.
    D: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID:
    Description: Photosmart C4700 series
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer:
    Name: Photosmart C4700 series
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:
    .
    Class GUID:
    Description: Photosmart C4700 series
    Device ID: ROOT\MULTIFUNCTION\0001
    Manufacturer:
    Name: Photosmart C4700 series
    PNP Device ID: ROOT\MULTIFUNCTION\0001
    Service:
    .
    Class GUID:
    Description: Photosmart C4700 series
    Device ID: ROOT\MULTIFUNCTION\0002
    Manufacturer:
    Name: Photosmart C4700 series
    PNP Device ID: ROOT\MULTIFUNCTION\0002
    Service:
    .
    Class GUID:
    Description: Photosmart C4700 series
    Device ID: ROOT\MULTIFUNCTION\0003
    Manufacturer:
    Name: Photosmart C4700 series
    PNP Device ID: ROOT\MULTIFUNCTION\0003
    Service:
    .
    Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
    Description: Photosmart C4700 series
    Device ID: ROOT\MULTIFUNCTION\0004
    Manufacturer: HP
    Name: Photosmart C4700 series
    PNP Device ID: ROOT\MULTIFUNCTION\0004
    Service:
    .
    ==== System Restore Points ===================
    .
    RP190: 10/26/2011 3:00:22 AM - Windows Update
    RP191: 11/7/2011 8:27:11 PM - Scheduled Checkpoint
    RP192: 11/9/2011 3:00:13 AM - Windows Update
    RP193: 11/11/2011 3:00:15 AM - Windows Update
    RP194: 12/7/2011 7:42:02 AM - Scheduled Checkpoint
    RP195: 12/8/2011 6:38:49 AM - Windows Update
    RP196: 12/14/2011 7:54:25 AM - Windows Update
    RP197: 12/23/2011 10:54:28 PM - Scheduled Checkpoint
    RP198: 12/27/2011 7:05:39 AM - Removed Apple Application Support
    RP199: 12/27/2011 7:08:29 AM - Removed Apple Mobile Device Support
    RP200: 12/27/2011 7:09:34 AM - Removed Apple Software Update
    RP201: 12/27/2011 7:38:00 AM - Removed Warner Bros. Digital Copy Manager
    .
    ==== Installed Programs ======================
    .
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Photoshop Elements 8.0
    Adobe Reader 9.1.2
    Boxee
    BufferChm
    C4700
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Consumer In-Home Service Agreement
    Coupon Printer for Windows
    Cozi
    dcmsvc 1.0
    Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Dell Communications (Support Software)
    Dell DataSafe Local Backup
    Dell DataSafe Local Backup - Support Software
    Dell Dock
    Dell Getting Started Guide
    Dell Support Center (Support Software)
    Destinations
    DeviceDiscovery
    Google Chrome
    Google Talk Plugin
    GoToAssist 8.0.0.514
    GPBaseService2
    HP Photo Creations
    HP Update
    HPDiagnosticAlert
    HPPhotoGadget
    HPProductAssistant
    Java Auto Updater
    Java(TM) 6 Update 24
    Junk Mail filter update
    Malwarebytes' Anti-Malware version 1.51.2.1300
    MarketResearch
    Microsoft Choice Guard
    Microsoft Office 2010 Service Pack 1 (SP1)
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Click-to-Run 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Home and Student 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Single Image 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Mozilla Firefox 9.0 (x86 en-US)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    PolarClock3 Screen Saver
    PowerDVD DX
    PS_AIO_06_C4700_SW_Min
    QuickTransfer
    Roxio Burn
    Scan
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft Office 2010 (KB2553091)
    Security Update for Microsoft Office 2010 (KB2553096)
    Security Update for Microsoft Office 2010 (KB2553353) 32-Bit Edition
    Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
    Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
    Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
    SmartWebPrinting
    SolutionCenter
    SRW Algebra and Trig 2e
    Status
    Toolbox
    TrayApp
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2494150)
    Update for Microsoft Office 2010 (KB2553065)
    Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2553455) 32-Bit Edition
    Update for Microsoft Office 2010 (KB2566458)
    Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
    Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
    Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
    Update for Microsoft Outlook Social Connector (KB2583935)
    VLC media player 1.1.7
    WebReg
    WhatPulse 1.7
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Movie Maker
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Player Firefox Plugin
    Xilisoft DVD Ripper Ultimate SE
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/27/2011 9:20:12 AM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
    12/27/2011 8:26:57 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    12/27/2011 8:26:15 AM, Error: Service Control Manager [7024] - The HomeGroup Listener service terminated with service-specific error %%-2147023143.
    12/27/2011 8:25:49 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
    12/27/2011 8:25:49 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
    12/27/2011 8:25:46 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
    12/27/2011 7:08:51 AM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/27/2011 7:01:03 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    12/27/2011 6:59:03 AM, Error: Service Control Manager [7031] - The Windows Update service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/27/2011 6:59:03 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/27/2011 6:59:03 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/27/2011 6:59:03 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/27/2011 6:59:03 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/27/2011 6:59:03 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/27/2011 6:59:03 AM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/27/2011 6:59:03 AM, Error: Service Control Manager [7031] - The Multimedia Class Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/27/2011 6:59:02 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/27/2011 6:59:02 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/27/2011 6:59:02 AM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    12/27/2011 6:59:02 AM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/27/2011 6:59:02 AM, Error: Service Control Manager [7031] - The Application Experience service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/24/2011 5:53:51 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000009f (0x0000000000000004, 0x0000000000000258, 0xfffffa8001845680, 0xfffff800042744d0). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 122411-23540-01.
    12/24/2011 5:51:34 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
    12/24/2011 5:51:04 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.
    12/24/2011 5:50:04 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
    12/24/2011 5:42:34 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AudioEndpointBuilder service.
    12/24/2011 5:39:34 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.
    .
    ==== End Of File ===========================
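The "Event Log errors" block near the end of the DDS log above shows a whole set of services (User Profile, Themes, Task Scheduler, Server, Group Policy Client and others) crashing within the same second, plus a bugcheck and several service timeouts a few days earlier. The following is an added example written for this thread, not part of DDS or of the log itself: it parses lines in the format DDS prints and groups the Service Control Manager 7031 crashes by time, so a burst like the one above stands out instead of being read line by line. The sample input is a handful of lines copied from the log; the window size and minimum group size are my own thresholds.

```python
"""Triage for the 'Event Log errors' section of a DDS log (added example)."""
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the DDS log posted above (one event per line).
SAMPLE_LINES = [
    r"12/27/2011 6:59:03 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.",
    r"12/27/2011 6:59:03 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.",
    r"12/27/2011 6:59:02 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.",
    r"12/24/2011 5:53:51 PM, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000009f (0x0000000000000004, 0x0000000000000258, 0xfffffa8001845680, 0xfffff800042744d0). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 122411-23540-01.",
    r"12/24/2011 5:51:34 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.",
]

# DDS format: "<m/d/yyyy h:mm:ss AM>, <Level>: <Source> [<EventID>] - <Message>"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
CRASH_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
TIMEOUT_RE = re.compile(r"response from the (?P<svc>\S+) service\.$")
BUGCHECK_RE = re.compile(r"The bugcheck was: (?P<code>0x[0-9a-fA-F]+)")


def parse_events(lines):
    """Return one dict per matching line; lines in another format are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
        ev["event_id"] = int(ev["event_id"])
        events.append(ev)
    return events


def find_crash_bursts(events, window=timedelta(seconds=2), min_services=3):
    """Group 7031 crashes that fall within `window` of the first one in the group.

    Returns [{"start": datetime, "services": [sorted names]}] for each group
    of at least `min_services` distinct services (thresholds are my choice).
    """
    crashes = []
    for ev in events:
        if ev["event_id"] != 7031:
            continue
        m = CRASH_RE.match(ev["msg"])
        if m:
            crashes.append((ev["time"], m.group("svc")))
    crashes.sort(key=lambda c: c[0])

    bursts, i = [], 0
    while i < len(crashes):
        start = crashes[i][0]
        j = i
        while j < len(crashes) and crashes[j][0] - start <= window:
            j += 1
        services = sorted({svc for _, svc in crashes[i:j]})
        if len(services) >= min_services:
            bursts.append({"start": start, "services": services})
        i = j
    return bursts


def triage(lines):
    """Summarise the section: crash bursts, bugcheck codes and service timeouts."""
    events = parse_events(lines)
    bugchecks, timeouts = [], []
    for ev in events:
        if ev["event_id"] == 1001:
            m = BUGCHECK_RE.search(ev["msg"])
            if m:
                bugchecks.append(m.group("code"))
        elif ev["event_id"] == 7011:
            m = TIMEOUT_RE.search(ev["msg"])
            if m:
                timeouts.append(m.group("svc"))
    return {
        "events": len(events),
        "crash_bursts": find_crash_bursts(events),
        "bugchecks": bugchecks,
        "timeouts": timeouts,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for burst in summary["crash_bursts"]:
        print(f"{burst['start']}: {len(burst['services'])} services crashed together:",
              ", ".join(burst["services"]))
    print("bugchecks:", summary["bugchecks"], "timeouts:", summary["timeouts"])
```

Run against the full section of the log, the script reports one burst of eleven services at 6:59:02-6:59:03 on 12/27, the 0x0000009f bugcheck and the five 7011 timeouts from 12/24, which is the shape a helper wants to see before deciding what to look at next.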
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware.

    We will begin with Combofix:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ======================================
    Follow with Download Security Check by screen317 from one of these links:
    Link1
    Link 2
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    ===================================
    There are 4 entries for this on same date, same time. I suspect they are from malware, but just want to make sure you didn't create them
    2011-10-26 00:53:24 1409 ----a-w- C:\Windows\SysWow64\tmp8CC42.FOT
    The FOT file type is primarily associated with 'Installed TrueType Font'.
    =================================
    Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

    We will clear the Java cache with script you'll run in Combofix.
    ==========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. Chadh90

    Chadh90 TS Rookie Topic Starter

    First off, I do not believe that I created those four entries from 10/26. At least not intentionally, so I am led to believe you are correct in assuming that they are malware/spyware.

    ComboFix Results

    ComboFix 11-12-27.01 - Chad 12/27/2011 10:20:19.1.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2008.263 [GMT -8:00]
    Running from: c:\users\Chad\Downloads\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Public\invokesi.exe
    c:\windows\system32\consrv.dll
    c:\windows\system32\java.exe
    c:\windows\System64
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-27 to 2011-12-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-27 18:39 . 2011-12-27 18:39 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-27 14:37 . 2011-12-27 15:44 -------- d-----w- c:\programdata\PC Tools
    2011-12-27 14:17 . 2011-12-27 14:17 2 --shatr- c:\windows\winstart.bat
    2011-12-27 14:17 . 2011-12-27 15:41 -------- d-----w- c:\program files (x86)\UnHackMe
    2011-12-13 23:34 . 2011-11-05 05:17 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-13 23:34 . 2011-11-05 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-12 18:45 . 2011-12-12 18:45 555992 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
    2011-12-12 18:45 . 2011-12-12 18:45 486360 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
    2011-12-12 18:45 . 2011-12-12 18:45 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
    2011-12-12 18:45 . 2011-12-12 18:45 633816 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
    2011-12-08 18:35 . 2011-12-08 18:35 -------- d-----w- c:\users\Chad\AppData\Roaming\Malwarebytes
    2011-12-08 18:29 . 2011-12-08 18:29 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-08 18:29 . 2011-09-01 01:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-08 18:29 . 2011-12-08 18:29 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-07 00:21 . 2010-08-26 00:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2011-10-30 19:35 . 2011-05-19 13:32 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-10-26 10:24 . 2010-08-26 00:57 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2011-10-26 10:24 . 2010-09-21 00:47 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2011-10-26 10:24 . 2010-09-21 00:47 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2011-10-26 10:24 . 2010-09-21 00:47 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    2011-10-26 00:53 . 2011-10-26 00:53 1409 ----a-w- c:\windows\SysWow64\tmpF0E42.FOT
    2011-10-26 00:53 . 2011-10-26 00:53 1409 ----a-w- c:\windows\SysWow64\tmpD5E42.FOT
    2011-10-26 00:53 . 2011-10-26 00:53 1409 ----a-w- c:\windows\SysWow64\tmp37D42.FOT
    2011-10-26 00:53 . 2011-10-26 00:53 1409 ----a-w- c:\windows\SysWow64\tmp1CD42.FOT
    2011-10-26 00:53 . 2011-10-26 00:53 1409 ----a-w- c:\windows\SysWow64\tmpA7C42.FOT
    2011-10-26 00:53 . 2011-10-26 00:53 1409 ----a-w- c:\windows\SysWow64\tmp8CC42.FOT
    2011-09-29 16:24 . 2011-11-09 07:36 1897328 ----a-w- c:\windows\system32\drivers\tcpip.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WhatPulse"="c:\program files (x86)\WhatPulse\WhatPulse.exe" [2010-08-09 2922496]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
    "DellComms"="c:\program files (x86)\Dell\DellComms\bin\sprtcmd.exe" [2009-05-05 206064]
    "DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-19 54576]
    "dcmsvc"="c:\program files (x86)\dcmsvc\dcmsvc.exe" [2009-04-07 30440]
    .
    c:\users\Chad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Warner Bros.lnk - c:\program files (x86)\Warner Bros. Digital Copy Manager\Warner Bros. Digital Copy Manager.exe [N/A]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 306416]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [2009-03-02 89600]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-02-11 660800]
    S2 sprtsvc_DellComms;SupportSoft Sprocket Service (DellComms);c:\program files (x86)\Dell\DellComms\bin\sprtsvc.exe [2009-05-05 206064]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4179072596-716505633-1435280639-1001Core.job
    - c:\users\Chad\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 00:07]
    .
    2011-12-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4179072596-716505633-1435280639-1001UA.job
    - c:\users\Chad\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 00:07]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-06 384296]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-02-25 487424]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-21 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-21 387608]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-21 365592]
    "Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
    "QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2009-07-02 3180624]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 163568]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    "combofix"="c:\combofix\CF7975.3XE" [2009-07-14 344576]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 68.87.69.150 68.87.85.102
    FF - ProfilePath - c:\users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\rq3ekd22.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Toolbar-Locked - (no file)
    AddRemove-PolarClock3 - c:\windows\system32\PolarClock3.scr
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\program files (x86)\Roxio\Roxio Burn\Roxio Burn.exe
    c:\program files (x86)\Dell Support Center\bin\sprtsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-27 11:06:22 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-27 19:06
    .
    Pre-Run: 162,656,813,056 bytes free
    Post-Run: 162,055,983,104 bytes free
    .
    - - End Of File - - B4C612D2591A41FE99E6C5777124DC70

    Security Check Results

    Results of screen317's Security Check version 0.99.30
    Windows 7 x64 (UAC is disabled!)
    Internet Explorer 8 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 24
    Java version out of date!
    Adobe Flash Player 11.0.1.152
    Adobe Reader 9 Adobe Reader out of date!
    Mozilla Firefox (9.0.)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    ``````````End of Log````````````
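Two things in the ComboFix log above are worth pulling out mechanically rather than by eye: the six tmp*.FOT files under SysWow64 that were all written in the same minute with the same 1409-byte size (the entries Bobbye asked about), and the UAC policy block, where EnableLUA=0 is the setting behind the Security Check line "UAC is disabled!". The script below is an added example for this thread, not ComboFix's own code; it reads lines in the format of the "Files Created" / "Find3M Report" sections and the "Reg Loading Points" section and reports same-minute, same-size file clusters, files carrying what I assume are the system/hidden flags in ComboFix's attribute column ('s' and 'h', as on winstart.bat's "--shatr-"), and the UAC values with a plain-language verdict. The sample input is a subset of lines copied from the log.

```python
"""Triage helpers for a ComboFix log: file clusters, hidden/system files, UAC policy."""
import re
from collections import defaultdict

# Sample input: lines copied from the ComboFix log above.
SAMPLE_LINES = [
    r"2011-12-27 14:17 . 2011-12-27 14:17 2 --shatr- c:\windows\winstart.bat",
    r"2011-12-13 23:34 . 2011-11-05 05:17 2048 ----a-w- c:\windows\system32\tzres.dll",
    r"2011-10-26 00:53 . 2011-10-26 00:53 1409 ----a-w- c:\windows\SysWow64\tmpF0E42.FOT",
    r"2011-10-26 00:53 . 2011-10-26 00:53 1409 ----a-w- c:\windows\SysWow64\tmpD5E42.FOT",
    r"2011-10-26 00:53 . 2011-10-26 00:53 1409 ----a-w- c:\windows\SysWow64\tmp37D42.FOT",
    r"2011-10-26 00:53 . 2011-10-26 00:53 1409 ----a-w- c:\windows\SysWow64\tmp1CD42.FOT",
    r"2011-10-26 00:53 . 2011-10-26 00:53 1409 ----a-w- c:\windows\SysWow64\tmpA7C42.FOT",
    r"2011-10-26 00:53 . 2011-10-26 00:53 1409 ----a-w- c:\windows\SysWow64\tmp8CC42.FOT",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]",
    r'"ConsentPromptBehaviorAdmin"= 0 (0x0)',
    r'"ConsentPromptBehaviorUser"= 3 (0x3)',
    r'"EnableLUA"= 0 (0x0)',
    r'"EnableUIADesktopToggle"= 0 (0x0)',
    r'"PromptOnSecureDesktop"= 0 (0x0)',
]

# File line: "<created> . <modified> <size or --------> <8-char attrs> <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
UAC_KEY = r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"= (?P<value>\d+) \(0x[0-9a-fA-F]+\)$')


def parse_files(lines):
    """Return file entries; directories (size column '--------') are skipped."""
    files = []
    for line in lines:
        m = FILE_RE.match(line.strip())
        if m and m.group("size").isdigit():
            d = m.groupdict()
            d["size"] = int(d["size"])
            files.append(d)
    return files


def same_minute_clusters(files, min_files=3):
    """Group files by (creation minute, size); return groups of min_files or more."""
    groups = defaultdict(list)
    for f in files:
        groups[(f["created"], f["size"])].append(f["path"])
    return [
        {"created": k[0], "size": k[1], "paths": sorted(v)}
        for k, v in sorted(groups.items()) if len(v) >= min_files
    ]


def hidden_or_system(files):
    """Paths whose attribute string has 's' or 'h' set.

    Assumption: in ComboFix's attribute column 's' is the system attribute
    and 'h' the hidden one (winstart.bat above shows '--shatr-').
    """
    return [f["path"] for f in files if "s" in f["attrs"] or "h" in f["attrs"]]


def uac_policy(lines):
    """Collect the values under the UAC policy key and explain the weak ones."""
    values, in_key = {}, False
    for line in lines:
        s = line.strip()
        if s.startswith("["):
            in_key = s.lower() == UAC_KEY.lower()
            continue
        m = VALUE_RE.match(s) if in_key else None
        if m:
            values[m.group("name")] = int(m.group("value"))
    findings = []
    if values.get("EnableLUA") == 0:
        findings.append("UAC disabled (EnableLUA=0)")
    if values.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("admins elevate without any prompt (ConsentPromptBehaviorAdmin=0)")
    if values.get("PromptOnSecureDesktop") == 0:
        findings.append("elevation prompts not shown on the secure desktop (PromptOnSecureDesktop=0)")
    return {"values": values, "findings": findings}


def triage(lines):
    files = parse_files(lines)
    return {
        "clusters": same_minute_clusters(files),
        "hidden_or_system": hidden_or_system(files),
        "uac": uac_policy(lines),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for c in result["clusters"]:
        print(f"{len(c['paths'])} files of {c['size']} bytes created {c['created']}:")
        for p in c["paths"]:
            print("   ", p)
    print("hidden/system:", result["hidden_or_system"])
    print("UAC:", result["uac"]["findings"])
```

A cluster of identical-size temp files is not proof of anything on its own (an installer can produce one), which is why the script only surfaces the group and the helper still asks the user whether they created it, exactly as Bobbye does above.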
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, some comments and questions:

    1. There is no antivirus on the system. Please put one of the following on now. Both of the following programs are free and known to be good:
    [o] Avira-AntiVir-Personal-Free-Antivirus
    [o] Avast-Free Antivirus
    Reboot the system after installing the AV.
    --------------------------------------------
    2. There is no antimalware program on the system.

    3. Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

    4. Strongly advise removing this plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll

    5. Did you set this up?
    2011-12-27 14:17 2 --shatr- c:\windows\winstart.bat >> Winstart.bat is a batch file which was used on older Windows operating systems like 9x and ME every time the computer was booted.

    6. Are you intentionally running this?
    "c:\program files (x86)\WhatPulse\WhatPulse.exe" [2010-08-09 2922496]
    WhatPulse sends statistics on how much you type on your computer and ranks you based on that. It does not log your keystrokes, but only the counts of them.

    7. Did you set these pages to come up blank?
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm

    8. Please disable Unhackme while I am helping you.

    9. The malware on the system can cause system problems other than a redirect. Are you noticing any other problems?
    ===========================================
    Please run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    ======================================
    Please leave the Eset log in your next reply.
    I will give you some script to run through Combofix when we have resolved the above.
     
  5. Chadh90

    Chadh90 TS Rookie Topic Starter

    OK, first off, here is what came back from ESET:

    C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.E trojan
    C:\Users\Chad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\3703f461-40529591 a variant of Win32/Kryptik.XEH trojan
    C:\Windows\assembly\temp\U\80000032.@ probably a variant of Win32/Olmarik.AVQ trojan


    1. I installed AVAST

    3. Updated Java

    4. Not sure how to get rid of that FireFox Extension

    5. I did not set that up.

    6. I am intentionally running Whatpulse

    7. No, I did not set those pages to come up blank. Not intentionally, at least; if I did, it was by mistake.

    8. I thought I uninstalled it prior to starting your help, but maybe I didn't get rid of all of it fully.

    9. I haven't noticed any other strange functioning of my computer.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    2. I will give you some suggestions for antimalware programs when we finish.
    4. Open Firefox> Tools> Addons> Extensions and/or Plugins> If you're using an Admin account, click on Uninstall for Click Potato. If on another account, click on Disable.
    7. Please open your browser> Navigate to the page you would like to make your Homepage>
    Click on Tools> Options in Firefox or Internet Options in Internet Explorer> General or Main tab> Click on "use this page" as my Homepage> Apply> OK (on IE) or Close with OK on Firefox.
    8. Please go to Add/Remove Programs and uninstall UnhackMe.
    Then use Windows Explorer to access Computer> Local Drive> Programs> do a right click> Delete on the program folder for UnhackMe.
    =======================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Users\Chad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\3703f461-40529591 
      C:\Windows\assembly\temp\U\80000032.@
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\windows\winstart.bat
    C:\Windows\assembly\temp\U\80000032.@ 
    c:\windows\SysWow64\tmpF0E42.FOT
    c:\windows\SysWow64\tmpD5E42.FOT
    c:\windows\SysWow64\tmp37D42.FOT
    c:\windows\SysWow64\tmp1CD42.FOT
    c:\windows\SysWow64\tmpA7C42.FOT
    c:\windows\SysWow64\tmp8CC42.FOT
    Folder::
    c:\program files (x86)\UnHackMe
    Registry::
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=-
    Clearjavacache::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Using Windows Explorer> navigate to Computer> Local Drive> Windows> look for c:\windows\winstart.bat> if found, do a right click> Delete
    If not found:
    Show Hidden Files and Folders in Windows Vista and Windows 7:
    • Click on the Start button and select Computer
    • Press the Alt key on your keyboard and click on Tools
    • Select Folder Options
    • Click the View tab and make sure that Show hidden files and folders is selected under Hidden files and folders
    • Next, uncheck the box next to Hide protected operating system files (Recommended)
    • Then, uncheck the box next to Hide extensions for known filetypes
    • Click Apply then click OK
    Follow path to winstart.bat and delete.
    Rehide the files and folders.
    =================================
    Please update the Adobe Reader: Visit this Adobe Reader site and get the current update. Uninstall any earlier updates, as they are vulnerabilities.
    ===================
    When you have completed the above, reboot the computer.
    Update and rescan with the Eset Online Virus Scan.

    Logs in next reply please.
    ---------------------------------------
    New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
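    The hidden-file check in the instructions above, done from PowerShell instead of by toggling Explorer's view options. This is an added example and is not part of the thread, of ComboFix or of OTM; the quarantine layout it assumes (original path kept under C:\Qoobox\Quarantine with a .vir suffix) is the one the thread's own search turned up, and Find-SuspectFile is a name chosen here.

```powershell
# Added example, not from the thread or from ComboFix/OTM: look for the file the
# instructions ask about without changing Explorer's hidden/system file settings.
function Find-SuspectFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # ComboFix quarantine root as seen in the thread; adjust if yours differs
        [string] $QuarantineRoot = 'C:\Qoobox\Quarantine'
    )

    # -Force makes Get-Item return Hidden and System files, which a default
    # Explorer view (and Get-Item without -Force) will not show.
    $live = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue

    # Assumed layout: ComboFix keeps the original drive letter and path under
    # the quarantine root and appends .vir, e.g.
    # C:\Qoobox\Quarantine\C\Windows\winstart.bat.vir
    $drive = $Path.Substring(0, 1)
    $rest  = $Path.Substring(3)          # strip the leading 'X:\'
    $quarantined = Join-Path $QuarantineRoot (Join-Path $drive ($rest + '.vir'))
    $qItem = Get-Item -LiteralPath $quarantined -Force -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Path            = $Path
        Present         = [bool] $live
        Attributes      = if ($live) { $live.Attributes.ToString() } else { $null }
        LastWrite       = if ($live) { $live.LastWriteTime } else { $null }
        QuarantinedCopy = if ($qItem) { $qItem.FullName } else { $null }
    }
}

# Usage: report first; a copy already sitting in quarantine means ComboFix
# handled it and there is nothing left to delete.
$r = Find-SuspectFile -Path 'C:\Windows\winstart.bat'
$r | Format-List
if ($r.Present) {
    # -Force is needed to remove files carrying the Hidden or ReadOnly attribute;
    # drop -WhatIf once the report above shows the right file.
    Remove-Item -LiteralPath $r.Path -Force -WhatIf
}
```

    Requires PowerShell 3.0 or later for [pscustomobject]. The point of -Force on Get-Item is the same one the Explorer steps make by unchecking "Hide protected operating system files": a file with the Hidden or System attribute is not missing just because the default view does not list it, so check with the attributes included before concluding it is gone.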
     
  7. Chadh90

    Chadh90 TS Rookie Topic Starter

    I am on the step where you tell me to navigate to and delete the file c:\windows\winstart.bat

    I was not able to locate the file in the Windows folder, however after performing a search a similar file showed up in C:\Qoobox\Quarantine\C\Windows

    It is named winstart.bat.vir
    Do I delete this file?
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Chad, if you posted this on the thread, why did you send the same thing in 2 PMs?
     
  9. Chadh90

    Chadh90 TS Rookie Topic Starter

    Because I wasn't sure if you were an actual member of staff and I haven't made ten posts or 15 or whatever the amount is to be able to PM other members.
     
  10. Chadh90

    Chadh90 TS Rookie Topic Starter

    Still not seeing anything that goes by the name of Click Potato in the Firefox Add-ons or plugins.

    I also followed the instructions in #7 and #8

    OTMoveIt

    All processes killed
    ========== FILES ==========
    C:\Users\Chad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\3703f461-40529591 moved successfully.
    C:\Windows\assembly\temp\U\80000032.@ moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Chad
    ->Temp folder emptied: 1980426 bytes
    ->Temporary Internet Files folder emptied: 2378435 bytes
    ->Java cache emptied: 1555138 bytes
    ->FireFox cache emptied: 47396916 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 56973 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56475 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 654870 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 101956 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 749 bytes
    RecycleBin emptied: 2919559 bytes

    Total Files Cleaned = 54.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 01022012_064818

    Files moved on Reboot...
    C:\Users\Chad\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...


    ComboFix

    ComboFix 11-12-27.01 - Chad 01/02/2012 7:03.2.2 - x64
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2008.1080 [GMT -8:00]
    Running from: c:\users\Chad\Downloads\ComboFix.exe
    Command switches used :: c:\users\Chad\Downloads\CFScript.txt
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    * Created a new restore point
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    FILE ::
    "c:\windows\assembly\temp\U\80000032.@"
    "c:\windows\SysWow64\tmp1CD42.FOT"
    "c:\windows\SysWow64\tmp37D42.FOT"
    "c:\windows\SysWow64\tmp8CC42.FOT"
    "c:\windows\SysWow64\tmpA7C42.FOT"
    "c:\windows\SysWow64\tmpD5E42.FOT"
    "c:\windows\SysWow64\tmpF0E42.FOT"
    "c:\windows\winstart.bat"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\SysWow64\tmp1CD42.FOT
    c:\windows\SysWow64\tmp37D42.FOT
    c:\windows\SysWow64\tmp8CC42.FOT
    c:\windows\SysWow64\tmpA7C42.FOT
    c:\windows\SysWow64\tmpD5E42.FOT
    c:\windows\SysWow64\tmpF0E42.FOT
    c:\windows\winstart.bat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-02 15:05 . 2012-01-02 15:05 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-01-02 14:48 . 2012-01-02 14:48 -------- d-----w- C:\_OTM
    2011-12-30 00:52 . 2011-12-30 00:52 -------- d-----w- c:\program files (x86)\ESET
    2011-12-30 00:42 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-12-30 00:42 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-12-30 00:42 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-12-30 00:42 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-12-30 00:42 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-12-30 00:42 . 2011-11-28 18:01 256960 ----a-w- c:\windows\system32\aswBoot.exe
    2011-12-30 00:42 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-12-30 00:41 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
    2011-12-30 00:41 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2011-12-30 00:41 . 2011-12-30 00:41 -------- d-----w- c:\programdata\AVAST Software
    2011-12-30 00:41 . 2011-12-30 00:41 -------- d-----w- c:\program files\AVAST Software
    2011-12-27 20:43 . 2011-12-27 20:43 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-12-27 20:43 . 2011-12-27 20:43 476904 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-12-27 20:43 . 2011-12-27 20:43 -------- d-----w- c:\program files (x86)\Java
    2011-12-27 14:37 . 2011-12-27 15:44 -------- d-----w- c:\programdata\PC Tools
    2011-12-13 23:34 . 2011-11-05 05:17 2048 ----a-w- c:\windows\system32\tzres.dll
    2011-12-13 23:34 . 2011-11-05 04:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    2011-12-12 18:45 . 2011-12-12 18:45 555992 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
    2011-12-12 18:45 . 2011-12-12 18:45 486360 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
    2011-12-12 18:45 . 2011-12-12 18:45 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
    2011-12-12 18:45 . 2011-12-12 18:45 633816 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
    2011-12-08 18:35 . 2011-12-08 18:35 -------- d-----w- c:\users\Chad\AppData\Roaming\Malwarebytes
    2011-12-08 18:29 . 2011-12-08 18:29 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-08 18:29 . 2011-09-01 01:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-08 18:29 . 2011-12-08 18:29 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-27 20:43 . 2010-06-30 18:24 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-12-07 00:21 . 2010-08-26 00:56 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
    2011-10-30 19:35 . 2011-05-19 13:32 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-10-26 10:24 . 2010-08-26 00:57 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
    2011-10-26 10:24 . 2010-09-21 00:47 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2011-10-26 10:24 . 2010-09-21 00:47 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2011-10-26 10:24 . 2010-09-21 00:47 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-12-27_18.42.54 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2011-02-20 07:03 . 2011-02-20 07:03 51024 c:\windows\SysWOW64\vcomp100.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 51024 c:\windows\SysWOW64\vcomp100.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 81744 c:\windows\SysWOW64\mfcm100u.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 81744 c:\windows\SysWOW64\mfcm100u.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 81744 c:\windows\SysWOW64\mfcm100.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 81744 c:\windows\SysWOW64\mfcm100.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 60752 c:\windows\SysWOW64\mfc100rus.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 60752 c:\windows\SysWOW64\mfc100rus.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 43344 c:\windows\SysWOW64\mfc100kor.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 43344 c:\windows\SysWOW64\mfc100kor.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 43856 c:\windows\SysWOW64\mfc100jpn.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 43856 c:\windows\SysWOW64\mfc100jpn.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 62288 c:\windows\SysWOW64\mfc100ita.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 62288 c:\windows\SysWOW64\mfc100ita.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 64336 c:\windows\SysWOW64\mfc100fra.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 64336 c:\windows\SysWOW64\mfc100fra.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 63824 c:\windows\SysWOW64\mfc100esn.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 63824 c:\windows\SysWOW64\mfc100esn.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 55120 c:\windows\SysWOW64\mfc100enu.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 55120 c:\windows\SysWOW64\mfc100enu.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 64336 c:\windows\SysWOW64\mfc100deu.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 64336 c:\windows\SysWOW64\mfc100deu.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 36176 c:\windows\SysWOW64\mfc100cht.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 36176 c:\windows\SysWOW64\mfc100cht.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 36176 c:\windows\SysWOW64\mfc100chs.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 36176 c:\windows\SysWOW64\mfc100chs.dll
    + 2012-01-02 14:49 . 2012-01-02 14:49 13306 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    - 2011-12-27 18:41 . 2011-12-27 18:41 13306 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
    + 2009-07-14 05:10 . 2012-01-02 14:53 44202 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
    + 2010-08-22 03:21 . 2012-01-02 14:53 18730 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4179072596-716505633-1435280639-1001_UserData.bin
    + 2010-08-21 23:43 . 2012-01-02 14:52 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-08-21 23:43 . 2011-12-27 18:42 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2010-08-21 23:43 . 2011-12-27 18:42 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2012-01-02 14:52 . 2012-01-02 14:52 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-07-14 04:54 . 2011-12-27 18:42 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-07-14 04:54 . 2012-01-02 14:52 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-08-22 02:57 . 2011-12-27 18:42 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-08-22 02:57 . 2012-01-02 14:53 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:46 . 2011-12-30 20:35 80352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
    - 2010-10-02 20:41 . 2011-12-27 15:33 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    + 2010-10-02 20:41 . 2011-12-27 18:45 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
    - 2010-10-02 20:41 . 2011-12-27 15:33 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2010-10-02 20:41 . 2011-12-27 18:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
    + 2010-10-02 20:41 . 2011-12-27 18:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
    - 2010-10-02 20:41 . 2011-12-27 15:33 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
    + 2010-08-22 02:57 . 2012-01-02 14:53 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2010-08-22 02:57 . 2011-12-27 18:42 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2010-08-22 02:57 . 2012-01-02 14:53 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-08-22 02:57 . 2011-12-27 18:42 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-08-22 01:02 . 2011-12-27 18:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-08-22 01:02 . 2012-01-02 14:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2010-08-22 01:02 . 2012-01-02 14:54 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2010-08-22 01:02 . 2011-12-27 18:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2010-08-25 19:34 . 2012-01-02 14:49 3032 c:\windows\system32\wdi\ERCQueuedResolutions.dat
    + 2012-01-02 14:51 . 2012-01-02 14:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    - 2011-12-27 18:41 . 2011-12-27 18:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-01-02 14:51 . 2012-01-02 14:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-12-27 18:41 . 2011-12-27 18:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2011-02-19 08:40 . 2011-02-19 08:40 773968 c:\windows\SysWOW64\msvcr100.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 773968 c:\windows\SysWOW64\msvcr100.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 421200 c:\windows\SysWOW64\msvcp100.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 421200 c:\windows\SysWOW64\msvcp100.dll
    - 2011-02-18 03:02 . 2011-02-03 05:40 157472 c:\windows\SysWOW64\javaws.exe
    + 2011-12-27 20:43 . 2011-12-27 20:43 157472 c:\windows\SysWOW64\javaws.exe
    + 2011-12-27 20:43 . 2011-12-27 20:43 149280 c:\windows\SysWOW64\javaw.exe
    + 2011-12-27 20:43 . 2011-12-27 20:43 149280 c:\windows\SysWOW64\java.exe
    - 2009-07-14 04:54 . 2011-12-27 18:42 475136 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-07-14 04:54 . 2012-01-02 14:54 475136 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2011-06-11 09:58 . 2011-06-11 09:58 138056 c:\windows\SysWOW64\atl100.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 138056 c:\windows\SysWOW64\atl100.dll
    + 2010-08-22 02:24 . 2011-12-30 20:25 266790 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
    - 2009-07-14 02:36 . 2011-12-27 16:33 624622 c:\windows\system32\perfh009.dat
    + 2009-07-14 02:36 . 2012-01-02 14:57 624622 c:\windows\system32\perfh009.dat
    - 2009-07-14 02:36 . 2011-12-27 16:33 106708 c:\windows\system32\perfc009.dat
    + 2009-07-14 02:36 . 2012-01-02 14:57 106708 c:\windows\system32\perfc009.dat
    - 2009-07-14 05:12 . 2011-12-27 18:42 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2009-07-14 05:12 . 2012-01-02 14:52 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-07-14 05:01 . 2011-12-27 18:41 322828 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-14 05:01 . 2011-12-30 00:45 322828 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    + 2009-07-12 20:16 . 2009-07-12 20:16 223232 c:\windows\Installer\b96bf3b.msi
    + 2011-12-27 20:43 . 2011-12-27 20:43 207360 c:\windows\Installer\69813b.msi
    + 2011-12-27 20:42 . 2011-12-27 20:42 907264 c:\windows\Installer\698135.msi
    + 2011-06-11 09:58 . 2011-06-11 09:58 4422992 c:\windows\SysWOW64\mfc100u.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 4422992 c:\windows\SysWOW64\mfc100u.dll
    - 2011-02-20 07:03 . 2011-02-20 07:03 4397384 c:\windows\SysWOW64\mfc100.dll
    + 2011-06-11 09:58 . 2011-06-11 09:58 4397384 c:\windows\SysWOW64\mfc100.dll
    - 2009-07-14 04:54 . 2011-12-27 18:42 4030464 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-01-02 14:54 4030464 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-07-14 04:54 . 2012-01-02 14:54 3276800 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:54 . 2011-12-27 18:42 3276800 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-07-14 04:45 . 2011-12-24 03:17 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2009-07-14 04:45 . 2011-12-30 00:50 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
    + 2011-02-19 19:18 . 2011-12-30 00:45 1282108 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4179072596-716505633-1435280639-1001-12288.dat
    - 2011-02-19 19:18 . 2011-12-27 18:41 1282108 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4179072596-716505633-1435280639-1001-12288.dat
    + 2011-06-29 05:27 . 2011-06-29 05:27 4028928 c:\windows\Installer\3806531.msp
    - 2009-07-14 02:34 . 2011-12-27 16:39 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
    + 2009-07-14 02:34 . 2012-01-02 15:05 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WhatPulse"="c:\program files (x86)\WhatPulse\WhatPulse.exe" [2010-08-09 2922496]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
    "PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
    "Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
    "DellComms"="c:\program files (x86)\Dell\DellComms\bin\sprtcmd.exe" [2009-05-05 206064]
    "DellSupportCenter"="c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
    "HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-19 54576]
    "dcmsvc"="c:\program files (x86)\dcmsvc\dcmsvc.exe" [2009-04-07 30440]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
    .
    c:\users\Chad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Warner Bros.lnk - c:\program files (x86)\Warner Bros. Digital Copy Manager\Warner Bros. Digital Copy Manager.exe [N/A]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-18 169312]
    R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-11-11 306416]
    R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_7f58c91b65c73836\AESTSr64.exe [2009-03-02 89600]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-10-20 821664]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
    S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-09-14 508264]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-02-11 660800]
    S2 sprtsvc_DellComms;SupportSoft Sprocket Service (DellComms);c:\program files (x86)\Dell\DellComms\bin\sprtsvc.exe [2009-05-05 206064]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
    S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
    S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
    S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
    S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
    S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-09-14 219496]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4179072596-716505633-1435280639-1001Core.job
    - c:\users\Chad\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 00:07]
    .
    2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4179072596-716505633-1435280639-1001UA.job
    - c:\users\Chad\AppData\Local\Google\Update\GoogleUpdate.exe [2011-01-09 00:07]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-04-06 384296]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-02-25 487424]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-21 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-21 387608]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-21 365592]
    "Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
    "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 163568]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MIF5BA~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 68.87.69.150 68.87.85.102
    FF - ProfilePath - c:\users\Chad\AppData\Roaming\Mozilla\Firefox\Profiles\rq3ekd22.default\
    FF - prefs.js: browser.startup.homepage - www.google.com
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2012-01-02 07:07:37
    ComboFix-quarantined-files.txt 2012-01-02 15:07
    ComboFix2.txt 2011-12-27 19:06
    .
    Pre-Run: 161,241,796,608 bytes free
    Post-Run: 161,210,163,200 bytes free
    .
    - - End Of File - - 8326BAC424110FF7324D55887F75FC10


    ESET

    C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.E trojan
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, looking good. Nothing new in the Eset scan.
    About the windows.bat file- looks like Combofix took care of that for you- nothing for you to do. I used the script that you ran in Combofix to remove it, and the Qoobox is where Combofix sends the quarantined files. I just wanted to make sure there was nothing left.
    ================================
    My guess is that ClickPotato was bundled with the Coupon Printer. Didn't you have to download an Active X entry to run the Coupon Printer? It would be a good idea to check the IE addons to make sure it's not in there either. Some info for you:
    Once installed, Adware:Win32/ClickPotato can be seen as a shortcut on an Internet Explorer toolbar, as seen in the image below:
    [IMG]
    (Images courtesy Microsoft)

    The adware's presence can also be seen in the 'Manage Add-ons' window, as seen in the image below:
    [IMG]
    Adware:Win32/ClickPotato may be distributed bundled with known free downloads and it displays in multiple browsers.
    =======================================
    There is a registry entry for McAfee. You don't have any McAfee, do you? It's a locked key that I'd like to remove, so let me know and I'll set it up.
    =======================================
    Have the redirects stopped? Are there any other related problems?
     
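    The check Bobbye asks for above (make sure the ClickPotato add-on is not still registered in Internet Explorer) can be done from the registry instead of the 'Manage Add-ons' dialog, which only lists add-ons IE chooses to show. The following PowerShell script is an added example, not something posted in this thread or shipped with any of the tools used here. It walks both Browser Helper Object registration keys on 64-bit Windows (IE 8 on Windows 7 x64 runs as a 32-bit process by default, so the Wow6432Node key is the one that matters most), resolves each CLSID to its friendly name and DLL, and reports whether the DLL still exists and whether it is Authenticode-signed. The function name `Get-IeBrowserHelperObject` and the description string are my own; the registry paths are the standard BHO and CLSID locations. Run it from an elevated prompt.

```powershell
# Added example: enumerate Internet Explorer Browser Helper Objects (BHOs) and
# resolve each CLSID to its DLL, so an adware BHO can be spotted even when the
# 'Manage Add-ons' window does not list it. Not code from the thread or from
# ComboFix/MBAM/ESET. Function name is an assumption; registry paths are standard.

function Get-IeBrowserHelperObject {
    # IE loads BHOs only from HKLM. On x64 Windows there are two views:
    # the native 64-bit key and the Wow6432Node key used by 32-bit IE.
    $bhoRoots = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects';             Bits = 64 },
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'; Bits = 32 }
    )

    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root.Path)) { continue }

        # The CLSID database is also split by bitness.
        $clsidBase = if ($root.Bits -eq 32) { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
                     else                   { 'HKLM:\SOFTWARE\Classes\CLSID' }

        foreach ($bho in (Get-ChildItem -Path $root.Path)) {
            $clsid    = $bho.PSChildName                 # e.g. {XXXXXXXX-....}
            $clsidKey = Join-Path $clsidBase $clsid
            $name     = $null
            $dll      = $null

            if (Test-Path $clsidKey) {
                # '(default)' is how PowerShell exposes the key's unnamed value.
                $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
                $srv  = Join-Path $clsidKey 'InprocServer32'
                if (Test-Path $srv) {
                    # Get-ItemProperty already expands REG_EXPAND_SZ values such as %SystemRoot%.
                    $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
                }
            }

            $dllPath = if ($dll) { $dll.Trim('"') } else { $null }
            $exists  = [bool]($dllPath -and (Test-Path -LiteralPath $dllPath))
            $sig     = if ($exists) { (Get-AuthenticodeSignature -FilePath $dllPath).Status } else { 'n/a' }

            [pscustomobject]@{
                Bits       = $root.Bits
                Clsid      = $clsid
                Name       = $name
                Dll        = $dll
                FileExists = $exists
                Signature  = $sig       # Valid / NotSigned / HashMismatch ... or n/a
            }
        }
    }
}

# Usage: list every registered BHO; a CLSID with no name, a missing DLL, or an
# unsigned DLL under a temp or user-profile path is the kind of entry to look at.
Get-IeBrowserHelperObject | Format-Table -AutoSize
```

    An entry whose CLSID key no longer exists (empty Name and Dll) is a leftover registration that a removal tool cleaned only partially; an entry pointing to a DLL that is present but unsigned deserves a second look with the scanners already used in this thread before anything is deleted by hand.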
  12. Chadh90

    Chadh90 TS Rookie Topic Starter

    Alright, looks like I'm not getting any more redirects thankfully.

    Surprisingly I do not see that Click Potato thing in the Internet Explorer addons. I went exactly where you directed me to.

    I also don't have McAfee either.

    Thank you so much for your help.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry- taking time off during the holidays cost me! I may not catch up until Easter.

    At some point, McAfee was on the system. I removed the registry entry, but it's back. Try and run the uninstaller: McAfee Removal
    ==================================
    Please update the Adobe Reader: Adobe Reader Update site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.

    Make sure Java is current: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Be sure to check all download screens for any pre-checked toolbars or BHO; if found, remove the check before the download.
    =====================================
    Since the problems have been resolved: You can remove all of the tools we used and the files and folders they created:
    • Uninstall ComboFix and all Backups of the files it deleted
      [o] Click START> then RUN
      [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      [o] Double click OTCleanIt.exe.
      [o] Click the CleanUp! button.
      [o] If you are prompted to Reboot during the cleanup, select Yes.
      [o] The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • Set a new, clean Restore Point
      [o] Click on Start> right click on Computer> Properties
      [o] Select System Protection
      [o] Click on the Create button (near bottom)
      [o] Type a name for the Restore Point
      [o] Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
      [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
      [o] Click Disk Cleanup from there.
      [​IMG]
      [o] Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
      [o] Click the More Options tab
      [​IMG]
      [o] Click the Clean up under System Restore and Shadow Copies.
      [o] Click OK.
      [o] You will get a confirmation screen> Just click Delete.
      [o] Click OK on the Disk Cleanup Screen.
      [o] Click Delete Files on the Confirmation screen.
    [​IMG]
    This runs the Disk Cleanup utility along with other selections if you have chosen any. (If you had a lot of System Restore points, you will see a significant change in the free space in C drive.)
    Images courtesy lytebyte.

    Empty the Recycle Bin
    =====================================
    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (For IE7 and IE8, Windows 2000 thru Vista. No Windows 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o] Antivirus (only one): Both of the following programs are free and known to be good:
      [o] Avira-AntiVir-Personal-Free-Antivirus
      [o] Avast-Free Antivirus
      [o] Firewall (only one): Use a bi-directional firewall. Both of the following programs are free and known to be good:
      [o] Comodo
      [o] Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o] Spybot Search & Destroy
    4. Updates: Stay current:
      [o] the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      [o] Adobe Reader Install current, uninstall old.
      [o] Java Updates Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner
      or
      [o] ATF Cleaner by Atribune
    7. Restore Points:
      [o]See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad links.

    Let me know if you have any questions.
     
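    The "set a new, clean Restore Point" and "delete all but the most recent System Protection point" steps in the post above are Disk Cleanup click-throughs. The script below is an added example, not part of this thread and not provided by OldTimer, ComboFix or TechSpot; it does the same two things from an elevated PowerShell prompt on Windows 7, where `Checkpoint-Computer` and `Get-ComputerRestorePoint` are built in and restore points are stored as Volume Shadow Copies that `vssadmin` can remove one at a time. The function names and the description text are my own choices; the commands are standard Windows ones. Pruning restore points is the same destructive step the post describes (nothing older than the new point will be available to roll back to), so run the second function only once the new point has been created.

```powershell
# Added example (not from the thread): create a fresh restore point after a
# malware cleanup, then prune every older one so nothing infected can be rolled
# back in. Requires an elevated prompt. Function names are assumptions.

function New-CleanRestorePoint {
    param([string]$Description = 'Clean after malware removal')   # constructed label

    # Checkpoint-Computer writes a System Restore point for the system drive.
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

    # Return the newest point so the caller can confirm it was created.
    Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
}

function Remove-OlderRestorePoints {
    param([string]$Drive = 'C:')

    # Each Windows 7 restore point is backed by a shadow copy; vssadmin deletes
    # one per call, oldest first. Stop as soon as only the newest point is left,
    # and never loop forever if vssadmin refuses (e.g. not elevated).
    $initial = (Get-ComputerRestorePoint | Measure-Object).Count
    $toRemove = [Math]::Max($initial - 1, 0)

    for ($i = 0; $i -lt $toRemove; $i++) {
        vssadmin delete shadows "/for=$Drive" /oldest /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "vssadmin returned $LASTEXITCODE; stopping after $i deletion(s)."
            break
        }
    }

    # Report what is left; expected to be a single entry, the clean point.
    Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, RestorePointType
}

# Usage, in this order:
New-CleanRestorePoint -Description 'Clean after malware removal'
Remove-OlderRestorePoints -Drive 'C:'
```

    If `Remove-OlderRestorePoints` stops early with a warning, check that the prompt is elevated and that System Protection is enabled for the drive; the Disk Cleanup route in the post above remains the fallback.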
Topic Status:
Not open for further replies.
