TechSpot

Win7 Firefox links redirect; Comesis.A

By beaker4251
Dec 27, 2011
  1. Hello. While browsing websites using Firefox 9.0.1 I am often (seems random to my untrained eye) redirected to bogus search websites. I have Microsoft Security Essentials installed and it has detected and cleaned Comesis.A several times, but apparently this thing keeps coming back. I would like to clean Comesis.A off permanently and get my computer certified clean. I use the NoScript Firefox add-on and when I block all scripts there are no redirects, but my suspicion is that I'm just treating the symptom and not the problem with that.

    --Here are the 4 log files from the 5-Step Preliminary Removal Instructions--

    MALWARE BYTES'
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122701

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 8.0.7601.17514

    12/27/2011 12:55:58 AM
    mbam-log-2011-12-27 (00-55-58).txt

    Scan type: Quick scan
    Objects scanned: 186846
    Time elapsed: 1 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER
    It didn't detect anything; the log file was blank.

    DDS.txt
    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
    Run by kikko at 1:22:28 on 2011-12-27
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4095.2576 [GMT -8:00]
    .
    AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    .
    ============== Pseudo HJT Report ===============
    .
    uInternet Settings,ProxyOverride = *.local
    mWinlogon: Userinit=userinit.exe
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    uRun: [Google Update] "C:\Users\kikko\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [\\192.168.1.67\EPSON Stylus Photo R1800] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATI9LA.EXE /FU "C:\Windows\TEMP\E_SCB3C.tmp" /EF "HKCU"
    mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
    mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    StartupFolder: C:\Users\kikko\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
    mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{FC578E5E-7B78-4FF2-B181-B48EF0E54F08} : DhcpNameServer = 192.168.1.254
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    mRun-x64: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
    mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    Hosts: 217.23.4.166 www.google-analytics.com.
    Hosts: 217.23.4.166 ad-emea.doubleclick.net.
    Hosts: 217.23.4.166 www.statcounter.com.
    Hosts: 69.72.252.254 www.google-analytics.com.
    Hosts: 69.72.252.254 ad-emea.doubleclick.net.
    .
    Note: multiple HOSTS entries found. Please refer to Attach.txt
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\kikko\AppData\Roaming\Mozilla\Firefox\Profiles\z012xdg1.default\
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\ProgramData\id Software\QuakeLive\npquakezero.dll
    FF - plugin: C:\Users\kikko\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: C:\Users\kikko\AppData\Roaming\Mozilla\Firefox\Profiles\z012xdg1.default\extensions\2020Player@2020Technologies.com\plugins\NP2020Player.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    .
    ============= FINISH: 1:23:10.26 ===============

    Attach.txt
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows 7 Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 11/14/2010 10:06:13 PM
    System Uptime: 12/27/2011 1:18:42 AM (0 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | M4A88TD-M/USB3
    Processor: AMD Phenom(tm) II X2 555 Processor | AM3 | 2080/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 69 GiB total, 32.817 GiB free.
    D: is FIXED (NTFS) - 112 GiB total, 38.388 GiB free.
    E: is CDROM (CDFS)
    H: is FIXED (NTFS) - 1863 GiB total, 1754.395 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP195: 12/21/2011 2:05:19 AM - Scheduled Checkpoint
    RP196: 12/22/2011 9:07:14 PM - Windows Update
    RP197: 12/26/2011 9:07:04 PM - Windows Update
    .
    ==== Hosts File Hijack ======================
    .
    Hosts: 217.23.4.166 www.google-analytics.com.
    Hosts: 217.23.4.166 ad-emea.doubleclick.net.
    Hosts: 217.23.4.166 www.statcounter.com.
    Hosts: 69.72.252.254 www.google-analytics.com.
    Hosts: 69.72.252.254 ad-emea.doubleclick.net.
    Hosts: 69.72.252.254 www.statcounter.com.
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Adobe Flash Player 10 ActiveX
    Adobe Reader X (10.1.1)
    Air Video Server 2.4.3
    AMD VISION Engine Control Center
    Assassin's Creed Brotherhood
    Call of Duty: Black Ops
    Call of Duty: Black Ops - Multiplayer
    Catalyst Control Center - Branding
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center InstallProxy
    CCC Help English
    Counter-Strike: Source
    CyberLink PowerDirector
    CyberLink WaveEditor
    Deus Ex: Human Revolution
    eReg
    ESN Sonar
    Fallout: New Vegas
    FileZilla Client 3.4.0
    Fraps (remove only)
    Google Chrome
    Java Auto Updater
    Java(TM) 6 Update 29
    LeapFrog Connect
    LeapFrog Tag Plugin
    Malwarebytes' Anti-Malware version 1.51.2.1300
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Games for Windows Marketplace
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
    Mozilla Firefox 9.0.1 (x86 en-US)
    NEC Electronics USB 3.0 Host Controller Driver
    NVIDIA PhysX
    Pazzles Inspiration Studio
    PC Probe II
    Portal 2
    PunkBuster Services
    PuTTY version 0.61
    Quake Live Mozilla Plugin
    Rainmeter
    Realtek Ethernet Controller Driver For Windows 7
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    SmartSound Quicktracks 5
    Spotify
    Steam
    The Elder Scrolls V: Skyrim
    The Witcher 2
    Ubisoft Game Launcher
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin)
    VirtualCloneDrive
    VLC media player 1.1.11
    Windows Media Player Firefox Plugin
    Yahoo! Detect
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/21/2011 2:04:54 AM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
    .
    ==== End Of File ===========================

    Thank you so much for taking the time to help me. I'll check this post from work tomorrow but I won't be able to take action until I get home in the evening, Pacific time.
     
  2. Bobbye


    Welcome to TechSpot! I'll help with the malware.

    It is likely that recurring entries of the JS Trojan have gotten into the Java cache, so let's clear that:

    This should help with clearing the Java cache:
    1. Click Start, and then click Control Panel.
    2. Click Programs, and then click the Java icon.
    If you are using Windows 7 and your View by is set to either Large icons or Small icons, then click the Java icon.
    3. Click the General tab> Temporary Internet Files section> click Settings.
    4. Click Delete Files.
    5. In the Delete Temporary Files window, select all the check boxes, and then click OK.
    6. Click OK to close the Temporary Files Settings window.
    7. Click OK to close the Java Control Panel window.
    Images courtesy AOL Help
    ====================================
    The redirects are occurring because the Hosts file has been hijacked. We can remove those with HijackThis:
    • First, set up a Directory for HijackThis as follows:
        - Right click Taskbar> Explore> My Computer> Local Drive (C)
        - Then click on File> New> Folder> Name folder HijackThis
    • Exit Explorer
    You now have a folder C:\HijackThis
    -----------------------------------------
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> uncheck Word Wrap when you open Notepad.
    • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    =====================================
    We need to check for additional malware entries:
    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
      ***Please note: if you have downloaded Combofix to a flash drive and then run it on the infected machine, the Recovery Console will not install; just bypass it and go on.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated and will open in a text window. Please paste the contents of C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =============================
    Please leave the logs from HijackThis and Combofix in your next reply. We'll go from there:
    ==============================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
     
  3. beaker4251

    beaker4251 TS Rookie Topic Starter

    Thanks Bobbye, you're fantastic.

    Note: HijackThis reported Hosts file was write protected. Should that app have been run with MS Security Essentials enabled or disabled? I believe I left it enabled. So I have a log from HJT but I don't believe it attempted to clean anything, I didn't instruct it to do so.

    ---- ComboFix.txt -----
    ComboFix 11-12-28.03 - kikko 12/28/2011 9:23.1.2 - x64
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4095.2544 [GMT -8:00]
    Running from: c:\users\kikko\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
    SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
    .
    .
    2011-12-28 17:26 . 2011-12-28 17:26 -------- d-----w- c:\users\Jessica\AppData\Local\temp
    2011-12-28 17:26 . 2011-12-28 17:26 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-12-28 17:14 . 2011-12-28 17:18 -------- d-----w- C:\HijackThis
    2011-12-28 09:24 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{89ED2466-EB02-45D5-AD74-5DFCDBEE2BAD}\mpengine.dll
    2011-12-27 10:07 . 2011-12-27 10:07 -------- d-----w- c:\programdata\id Software
    2011-12-27 08:53 . 2011-12-27 08:53 -------- d-----w- c:\users\kikko\AppData\Roaming\Malwarebytes
    2011-12-27 08:53 . 2011-12-27 08:53 -------- d-----w- c:\programdata\Malwarebytes
    2011-12-27 08:53 . 2011-12-27 08:53 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
    2011-12-27 08:53 . 2011-09-01 01:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-27 08:46 . 2011-12-27 08:46 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
    2011-12-27 08:46 . 2011-12-27 08:46 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
    2011-12-27 08:46 . 2011-12-27 08:46 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
    2011-12-27 08:46 . 2011-12-27 08:46 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
    2011-12-21 06:30 . 2011-12-21 06:30 -------- d-----w- c:\programdata\ATI
    2011-12-21 06:30 . 2011-12-21 06:30 -------- d-----w- c:\program files (x86)\AMD APP
    2011-12-20 04:56 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
    2011-12-11 00:56 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-12-10 04:22 . 2011-12-10 04:22 -------- d-----w- c:\program files\Logitech Gaming Software
    2011-12-10 01:38 . 2011-12-10 01:38 53248 ----a-r- c:\users\kikko\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
    2011-12-10 01:38 . 2011-12-10 01:38 -------- d-----w- c:\users\kikko\AppData\Roaming\Leadertech
    2011-12-10 01:38 . 2011-12-10 01:38 -------- d-----w- c:\program files (x86)\Common Files\LogiShrd
    2011-12-10 01:38 . 2011-12-10 01:38 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
    2011-12-10 01:38 . 2011-12-10 01:38 -------- d-----w- c:\programdata\Logishrd
    2011-12-10 01:37 . 2011-12-10 01:38 -------- d-----w- c:\program files\Common Files\LogiShrd
    2011-12-10 01:37 . 2011-12-10 01:39 -------- d-----w- c:\users\kikko\AppData\Roaming\Logitech
    2011-12-10 01:37 . 2011-12-10 01:37 -------- d-----w- c:\users\kikko\AppData\Roaming\Logishrd
    2011-12-10 00:52 . 2011-12-10 00:52 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{82E551DF-8562-49FB-A23D-9AE866DBCC72}\gapaengine.dll
    2011-12-10 00:50 . 2011-12-10 00:50 -------- d-----w- c:\program files (x86)\Microsoft Security Client
    2011-12-10 00:50 . 2011-12-10 00:50 -------- d-----w- c:\program files\Microsoft Security Client
    2011-12-09 11:41 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E7467E6B-8458-453F-82C4-29355A0CD48B}\mpengine.dll
    2011-12-03 00:34 . 2011-12-03 00:34 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2011-12-03 00:34 . 2011-12-03 00:34 -------- d-----w- c:\windows\system32\Macromed
    2011-12-02 22:00 . 2011-12-02 22:00 -------- d-----w- c:\windows\system32\SPReview
    2011-12-02 22:00 . 2011-12-02 22:00 -------- d-----w- c:\windows\system32\EventProviders
    2011-12-02 21:54 . 2010-11-20 13:27 444416 ----a-w- c:\windows\system32\winhttp.dll
    2011-12-02 21:53 . 2010-11-20 13:27 98304 ----a-w- c:\windows\system32\wudriver.dll
    2011-12-02 21:50 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2011-12-02 21:50 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
    2011-12-02 21:50 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
    2011-12-02 21:50 . 2010-11-20 13:27 244736 ----a-w- c:\program files\Windows Portable Devices\sqmapi.dll
    2011-12-02 21:50 . 2010-11-20 13:27 244736 ----a-w- c:\windows\system32\sqmapi.dll
    2011-12-02 21:50 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
    2011-12-02 21:50 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
    2011-12-02 21:50 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
    2011-12-02 21:50 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
    2011-12-02 21:23 . 2011-12-02 21:23 -------- d-----w- c:\program files (x86)\Common Files\Java
    2011-12-01 06:50 . 2011-12-01 06:50 -------- d-----w- c:\users\kikko\AppData\Local\Chromium
    2011-12-01 05:44 . 2011-12-20 04:53 -------- d-----w- c:\programdata\Hi-Rez Studios
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-12-02 22:05 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2011-12-02 22:05 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2011-11-11 22:54 . 2011-11-11 22:54 485576 ----a-w- c:\users\kikko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
    2011-11-10 06:39 . 2011-11-10 06:39 69632 ----a-w- c:\windows\system32\OpenVideo64.dll
    2011-11-10 06:39 . 2011-11-10 06:39 59904 ----a-w- c:\windows\SysWow64\OpenVideo.dll
    2011-11-10 06:39 . 2011-11-10 06:39 61952 ----a-w- c:\windows\system32\OVDecode64.dll
    2011-11-10 06:39 . 2011-11-10 06:39 54784 ----a-w- c:\windows\SysWow64\OVDecode.dll
    2011-11-10 06:39 . 2011-11-10 06:39 17442304 ----a-w- c:\windows\system32\amdocl64.dll
    2011-11-10 06:38 . 2011-11-10 06:38 14375936 ----a-w- c:\windows\SysWow64\amdocl.dll
    2011-11-10 06:37 . 2011-11-10 06:37 51200 ----a-w- c:\windows\system32\OpenCL.dll
    2011-11-10 06:37 . 2011-11-10 06:37 44032 ----a-w- c:\windows\SysWow64\OpenCL.dll
    2011-11-10 03:45 . 2011-11-10 03:45 10567680 ----a-w- c:\windows\system32\drivers\atikmdag.sys
    2011-11-10 03:20 . 2011-10-26 02:16 25218048 ----a-w- c:\windows\system32\atio6axx.dll
    2011-11-10 03:17 . 2011-11-10 03:17 159744 ----a-w- c:\windows\system32\atiapfxx.exe
    2011-11-10 03:16 . 2011-11-10 03:16 774656 ----a-w- c:\windows\SysWow64\aticfx32.dll
    2011-11-10 03:15 . 2011-01-27 05:59 927232 ----a-w- c:\windows\system32\aticfx64.dll
    2011-11-10 03:12 . 2011-10-26 02:01 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
    2011-11-10 03:12 . 2011-11-10 03:12 516608 ----a-w- c:\windows\system32\atieclxx.exe
    2011-11-10 03:11 . 2011-11-10 03:11 204288 ----a-w- c:\windows\system32\atiesrxx.exe
    2011-11-10 03:10 . 2011-11-10 03:10 120320 ----a-w- c:\windows\system32\atitmm64.dll
    2011-11-10 03:09 . 2011-11-10 03:09 423424 ----a-w- c:\windows\system32\atipdl64.dll
    2011-11-10 03:09 . 2011-11-10 03:09 360448 ----a-w- c:\windows\SysWow64\atipdlxx.dll
    2011-11-10 03:09 . 2011-11-10 03:09 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
    2011-11-10 03:09 . 2011-11-10 03:09 21504 ----a-w- c:\windows\system32\atimuixx.dll
    2011-11-10 03:09 . 2011-11-10 03:09 59392 ----a-w- c:\windows\system32\atiedu64.dll
    2011-11-10 03:09 . 2011-11-10 03:09 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
    2011-11-10 03:06 . 2011-11-10 03:06 6077952 ----a-w- c:\windows\SysWow64\atidxx32.dll
    2011-11-10 02:58 . 2011-11-10 02:58 18996224 ----a-w- c:\windows\SysWow64\atioglxx.dll
    2011-11-10 02:51 . 2011-01-27 05:40 7405056 ----a-w- c:\windows\system32\atidxx64.dll
    2011-11-10 02:40 . 2011-11-10 02:40 1113088 ----a-w- c:\windows\system32\atiumd6v.dll
    2011-11-10 02:40 . 2011-11-10 02:40 1828864 ----a-w- c:\windows\SysWow64\atiumdmv.dll
    2011-11-10 02:40 . 2011-10-26 01:43 4061696 ----a-w- c:\windows\system32\atiumd6a.dll
    2011-11-10 02:34 . 2011-11-10 02:34 51200 ----a-w- c:\windows\system32\aticalrt64.dll
    2011-11-10 02:34 . 2011-11-10 02:34 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
    2011-11-10 02:34 . 2011-11-10 02:34 44544 ----a-w- c:\windows\system32\aticalcl64.dll
    2011-11-10 02:34 . 2011-11-10 02:34 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
    2011-11-10 02:34 . 2011-11-10 02:34 13552640 ----a-w- c:\windows\system32\aticaldd64.dll
    2011-11-10 02:33 . 2011-11-10 02:33 5852672 ----a-w- c:\windows\SysWow64\atiumdag.dll
    2011-11-10 02:29 . 2011-11-10 02:29 11300864 ----a-w- c:\windows\SysWow64\aticaldd.dll
    2011-11-10 02:29 . 2011-11-10 02:29 4200960 ----a-w- c:\windows\SysWow64\atiumdva.dll
    2011-11-10 02:24 . 2011-10-26 01:29 7439360 ----a-w- c:\windows\system32\atiumd64.dll
    2011-11-10 02:18 . 2011-01-27 05:20 58880 ----a-w- c:\windows\system32\coinst.dll
    2011-11-10 02:13 . 2011-10-26 01:22 494592 ----a-w- c:\windows\system32\atiadlxx.dll
    2011-11-10 02:13 . 2011-11-10 02:13 348160 ----a-w- c:\windows\SysWow64\atiadlxy.dll
    2011-11-10 02:13 . 2011-10-26 01:22 17408 ----a-w- c:\windows\system32\atig6pxx.dll
    2011-11-10 02:13 . 2011-11-10 02:13 14336 ----a-w- c:\windows\SysWow64\atiglpxx.dll
    2011-11-10 02:13 . 2011-11-10 02:13 14336 ----a-w- c:\windows\system32\atiglpxx.dll
    2011-11-10 02:13 . 2011-10-26 01:22 39936 ----a-w- c:\windows\system32\atig6txx.dll
    2011-11-10 02:12 . 2011-11-10 02:12 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
    2011-11-10 02:12 . 2011-11-10 02:12 325632 ----a-w- c:\windows\system32\drivers\atikmpag.sys
    2011-11-10 02:11 . 2011-01-27 05:12 41984 ----a-w- c:\windows\system32\atiuxp64.dll
    2011-11-10 02:11 . 2011-11-10 02:11 32256 ----a-w- c:\windows\SysWow64\atiuxpag.dll
    2011-11-10 02:11 . 2011-10-26 01:21 39424 ----a-w- c:\windows\system32\atiu9p64.dll
    2011-11-10 02:11 . 2011-11-10 02:11 54784 ----a-w- c:\windows\system32\atimpc64.dll
    2011-11-10 02:11 . 2011-11-10 02:11 54784 ----a-w- c:\windows\system32\amdpcom64.dll
    2011-11-10 02:11 . 2011-11-10 02:11 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
    2011-11-10 02:11 . 2011-11-10 02:11 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
    2011-11-10 02:11 . 2011-11-10 02:11 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
    2011-11-10 02:10 . 2011-11-10 02:10 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
    2011-10-26 05:21 . 2011-10-26 05:21 66560 ----a-w- c:\windows\system32\OVDecoder64.dll
    2011-10-26 05:21 . 2011-10-26 05:21 56832 ----a-w- c:\windows\SysWow64\OVDecoder.dll
    2011-10-22 04:16 . 2011-10-22 04:16 1843200 ----a-w- c:\windows\SysWow64\SlotMaximizerBe.dll
    2011-10-22 04:15 . 2011-10-22 04:15 104448 ----a-w- c:\windows\SysWow64\SlotMaximizerAg.dll
    2011-10-22 04:12 . 2011-10-22 04:12 2763264 ----a-w- c:\windows\system32\SlotMaximizerBe.dll
    2011-10-22 04:07 . 2011-10-22 04:07 125440 ----a-w- c:\windows\system32\SlotMaximizerAg.dll
    2011-10-17 17:40 . 2011-10-17 17:40 93712 ----a-w- c:\windows\system32\drivers\AtihdW76.sys
    2011-10-10 05:07 . 2010-11-17 08:32 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
    2011-10-10 05:07 . 2010-11-17 08:05 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
    2011-10-09 06:22 . 2010-11-17 08:05 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
    2011-10-03 13:06 . 2011-04-05 02:25 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
    2011-10-02 07:25 . 2010-11-17 08:05 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "\\192.168.1.67\EPSON Stylus Photo R1800"="c:\windows\system32\spool\DRIVERS\x64\3\E_IATI9LA.EXE" [2007-01-12 211968]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-03-30 113296]
    "Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
    "VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 343168]
    .
    c:\users\kikko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2011-2-6 100352]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
    R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [x]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [x]
    R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
    R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
    R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-28 288272]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 VaneFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [x]
    S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [x]
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-11-10 361984]
    S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2011-06-24 55424]
    S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\Cyberlink\Shared files\RichVideo64.exe [2010-08-20 386344]
    S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
    S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
    S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
    S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
    S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [x]
    S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
    S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
    S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
    S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3686450549-117384506-567555741-1000Core.job
    - c:\users\kikko\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-16 05:20]
    .
    2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3686450549-117384506-567555741-1000UA.job
    - c:\users\kikko\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-16 05:20]
    .
    2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3686450549-117384506-567555741-1003Core.job
    - c:\users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-16 03:54]
    .
    2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3686450549-117384506-567555741-1003UA.job
    - c:\users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-16 03:54]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
    "EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
    "Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2011-09-29 110360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x0
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\users\kikko\AppData\Roaming\Mozilla\Firefox\Profiles\z012xdg1.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-ESN Sonar-0.70.0 - c:\program files (x86)\Battlelog Web Plugins\Sonar\esnsonar_uninstall.exe
    .
    .
    "ImagePath"="\"c:\program files\Cyberlink\Shared files\RichVideo64.exe\"\00Z
    [\]^_d\01\00e\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~d\01\00e\00\00\00\00e\00\00\00\00\00\00\00\00‘’“"
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3686450549-117384506-567555741-1000\Software\SecuROM\License information*]
    "datasecu"=hex:19,d7,a2,b1,02,5b,e2,24,24,f0,c8,7d,1c,82,0d,ed,bc,d2,a8,67,bf,
    a4,e9,1d,e0,43,64,af,fd,f5,17,4b,cc,d6,df,21,49,c0,bd,e9,98,86,0b,ac,3f,4d,\
    "rkeysecu"=hex:2d,1e,8e,63,a8,fc,43,96,57,58,34,f8,d6,2f,f9,0d
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Bonjour\mDNSResponder.exe
    c:\program files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
    c:\windows\SysWOW64\PnkBstrA.exe
    .
    **************************************************************************
    .
    Completion time: 2011-12-28 09:31:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-12-28 17:31
    .
    Pre-Run: 33,913,073,664 bytes free
    Post-Run: 34,186,932,224 bytes free
    .
    - - End Of File - - 3FE4EF40E379AABA8CF54101487437C3

    ----- hijackthis.log -----
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:18:33 AM, on 12/28/2011
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v8.00 (8.00.7601.17514)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Logitech Gaming Software\plugins\LCDAppletsMono-8.12.072\Applets\x86\LCDMedia.exe
    C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Program Files (x86)\Internet Explorer\IELowutil.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 217.23.4.166 www.google-analytics.com.
    O1 - Hosts: 217.23.4.166 ad-emea.doubleclick.net.
    O1 - Hosts: 217.23.4.166 www.statcounter.com.
    O1 - Hosts: 69.72.252.254 www.google-analytics.com.
    O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
    O1 - Hosts: 69.72.252.254 www.statcounter.com.
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    O4 - HKLM\..\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKCU\..\Run: [Google Update] "C:\Users\kikko\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [\\192.168.1.67\EPSON Stylus Photo R1800] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATI9LA.EXE /FU "C:\Windows\TEMP\E_SCB3C.tmp" /EF "HKCU"
    O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
    O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Cyberlink RichVideo64 Service(CRVS) (RichVideo64) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo64.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 7819 bytes
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome!

    Let me know if HJT gives you any problem removing these:
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

    O1 - Hosts: 217.23.4.166 www.google-analytics.com.
    O1 - Hosts: 217.23.4.166 ad-emea.doubleclick.net.
    O1 - Hosts: 217.23.4.166 www.statcounter.com.
    O1 - Hosts: 69.72.252.254 www.google-analytics.com.
    O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
    O1 - Hosts: 69.72.252.254 www.statcounter.com.


    Close all Windows except HijackThis and click on "Fix Checked."
    ====================================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:
    1. Open the ESETOnlineScan
    2. Skip to #4 to "Continue with the directions"

      If you are using a browser other than Internet Explorer
    3. Open Eset Smart Installer
      [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
      [o] Double click on the desktop icon to run.
      [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
    4. Continue with the directions.
    5. Check 'Yes I accept terms of use.'
    6. Click Start button
    7. Accept any security warnings from your browser.
    8. Uncheck 'Remove found threats'
    9. Check 'Scan archives'
    10. Leave remaining settings as is.
    11. Press the Start button.
    12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    13. When the scan completes, press List of found threats
    14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    15. Push the Back button, then Finish
    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
    =================================
    Although you have some extra processes running I see in Combofix, they aren't malware. But I'd like to run this also:

    Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.
    When scan has finished, you will see this image:
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
     
  5. beaker4251

    beaker4251 TS Rookie Topic Starter

    ESET scan didn't find anything, no log generated.

    HijackThis still reported Hosts file was write protected. The scan did not list the O1 host file items this time though. I opened the hosts file itself and all it had in it was the localhost set to the loopback ip address. Log below.

    Malwarebyte's Anti-Malware also reported 0 threats. Log below.

    - - - - Hijackthis Log - - - -

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:36:46 PM, on 12/29/2011
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v8.00 (8.00.7601.17514)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
    C:\Program Files\Logitech Gaming Software\plugins\LCDAppletsMono-8.12.072\Applets\x86\LCDMedia.exe
    C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    C:\Program Files (x86)\Internet Explorer\IELowutil.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
    O4 - HKLM\..\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKCU\..\Run: [\\192.168.1.67\EPSON Stylus Photo R1800] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATI9LA.EXE /FU "C:\Windows\TEMP\E_SCB3C.tmp" /EF "HKCU"
    O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
    O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Cyberlink RichVideo64 Service(CRVS) (RichVideo64) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo64.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 7086 bytes


    - - - - MB Anti-Malware - - - -
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 911122701

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 8.0.7601.17514

    12/29/2011 11:58:29 AM
    mbam-log-2011-12-29 (11-58-29).txt

    Scan type: Full scan (C:\|D:\|H:\|)
    Objects scanned: 343184
    Time elapsed: 25 minute(s), 53 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Are you still being redirected?

    New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1. I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
     
  7. beaker4251

    beaker4251 TS Rookie Topic Starter

    Hey Bobbye, I haven't noticed any redirects today but I haven't been using my computer more than an hour or so. I think I'm in the clear, but can we keep the thread open through the weekend?
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for delay. Please use the system for a couple of days and make sure the redirect has been resolved. The logs look good> we need to handle the following:

    Replacing Hosts files- Links:
    Download: hosts.zip

    How To: Download and Extract the HOSTS files

    HOSTS File - Frequently Asked Questions

    Text version for determining possible unwanted connections

    Get notified when the MVPS HOSTS file is updated
    -----------------------
    Install a Site Advisor
    Web of Trust (WOT) add-on is a safe surfing tool for your browser. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety. Your online email account – Google Mail, Yahoo! Mail and Hotmail is also protected.

    Every time you do a search and the screen comes up with the sites, they will have the rating light:
    Green (2 shades)> Good to go.
    Amber/Yellow> use Caution,
    Red> not advised.
     
  9. beaker4251

    beaker4251 TS Rookie Topic Starter

    Hey Bobbye, thank you so much.

    I haven't noticed any redirects this week at all. Very nice.

    I've replaced my hosts file with the epic MVPS hosts file. It never occurred to me that you could block access to unwanted servers by redirecting to localhost, fantastic. I was a little hesitant when I read it could slow your machine down, but I'll use the registry work around of limiting the time the DNS cache is saved if I notice slowness. I can't disable DNS Client because I use Network Discovery. I also subscribed to the feed so I'll receive update notices about the MVPS hosts file.

    I'm grabbing the WoT firefox add-on now.

    I think that covers it. Am I all set?
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're very welcome for the help.

    Hijacking the host files is a favorite malware action- the one thing that helps us is that we can see the hijacked hosts. So you're not actually blocking those unwanted servers> you are actually removing the damage the malware did.
    =========================================
    The system looks good. You can just install WOT on the OS itself- it will cover the browser you use. I have to do a lot of searching at times to identify unknown files. I am always amazed that most of the sites I see come up RED in WOT- I don't go near those sites and it has served me well.
    ==========================================
    Let's clean up and then I'll leave some tips to help you stay that way:
    Remove all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
      [o] Click START> then RUN
      [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
      [o] Double click OTCleanIt.exe.
      [o] Click the CleanUp! button.
      [o] If you are prompted to Reboot during the cleanup, select Yes.
      [o] The tool will delete itself once it finishes.
      Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
      Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    • Set a new, clean Restore Point
      [o] Click on Start> right click on Computer> Properties
      [o] Select System Protection
      [o] Click on the Create button (near bottom)
      [o] Type a name for the Restore Point
      [o] Click on Create again to save the restore point.
    • Deleting all but the most recent System Protection point in Windows 7
      [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
      [o] Click Disk Cleanup from there.
      [o] Click Clean up system files
      This restarts Disk Cleanup to run in elevated mode.
      [o] Click the More Options tab
      [o] Click the Clean up under System Restore and Shadow Copies.
      [o] Click OK.
      [o] You will get a confirmation screen> Just click Delete.
      [o] Click OK on the Disk Cleanup Screen.
      [o] Click Delete Files on the Confirmation screen.
    This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
    Images courtesy lytebyte.

    Empty the Recycle Bin
    ==================================
    Tips for added security and safer browsing: (Links are in Bold Blue)
    1. Browser Security
      [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
      [o] ZonedOut. This manages the Zones in Internet Explorer. (Browser, version and OS dependent 7)
      [o] Replace the Host Files
      [o] Google Toolbar Pop Up Blocker
      [o] Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
    2. Have layered Security:
      [o] Antivirus (only one): Both of the following programs are free and known to be good:
      [o] Avira-AntiVir-Personal-Free-Antivirus
      [o] Avast-Free Antivirus
      [o] Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o] Comodo
      [o] Zone Alarm
    3. Antimalware: I recommend all of the following:
      [o] Spywareblaster: SpywareBlaster protects against bad ActiveX.
      [o] Spybot Search & Destroy
    4. Updates: Stay current:
      [o] Visit the Microsoft Download Site frequently. All updates marked Critical and the current SP updates.
      [o] Adobe Reader: Install current, uninstall old.
      [o] Java Updates: Install current, uninstall old.
    5. Tracking Cookies
      Reset Cookie:
      [o] For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
      [o] For Firefox: Tools> Options> Privacy> Cookies> check 'accept Cookies from Sites'> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
      I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
      AdBlock Plus
      Easy List
      [o] For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
    6. Do regular Maintenance
      Clean the temporary internet files often:
      [o] Temporary File Cleaner
      or
      [o] ATF Cleaner by Atribune
    7. Restore Points:
      [o] See System Restore Guide
    8. Safe Email Handling
      [o] Don't open email from anyone you don't know.
      [o] Don't open Attachments in the email. Save to your desktop and scan for viruses using a right click.
      [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
    Please let me know if you find any bad link.

    You might want to note #3 and add antimalware and I highly recommend the 2 addons for Firefox at the end of #5.
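    The posts above turn on one detail of the hosts file: a benign blocking list (the MVPS file) maps ad and tracker names to an address that never leaves the machine, while the hijack HijackThis reported in this thread mapped the same kind of names to routable addresses (217.23.4.166, 69.72.252.254). The script below is an added example written for this thread; it is not code from TechSpot, HijackThis or the MVPS project, and it assumes only the standard hosts-file syntax (IP, then one or more hostnames, optional # comment). The sample hosts text is constructed; the two hijack addresses are copied from the log earlier in the thread.

```python
"""Classify hosts-file entries as benign blocking or suspicious hijacks.

Added example, not from the thread or from HijackThis/MVPS. It assumes the
standard hosts syntax only: "IP hostname [hostname ...] [# comment]".
Pass a path on the command line to check a real file, e.g. on Windows
C:\\Windows\\System32\\drivers\\etc\\hosts.
"""
import ipaddress
import re
import sys
from typing import List, NamedTuple

# Constructed sample. First block: the stock loopback line. Second block:
# MVPS-style blocking (tracker names sent to an unroutable address). Third
# block: the hijacked entries HijackThis reported earlier in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost

# MVPS-style blocking entries (constructed)
0.0.0.0 ad.doubleclick.net
0.0.0.0 www.statcounter.com   # tracker

# Hijacked entries as reported in the thread
217.23.4.166 www.google-analytics.com
217.23.4.166 ad-emea.doubleclick.net
69.72.252.254 www.google-analytics.com
"""

# ip, then hostnames up to an optional '#' comment
LINE_RE = re.compile(r"^\s*(?P<ip>\S+)\s+(?P<hosts>[^#]+?)\s*(?:#.*)?$")


class Entry(NamedTuple):
    ip: str
    host: str
    verdict: str  # "self", "block", "hijack" or "unparsed"


def classify_ip(ip_text: str) -> str:
    """Decide what a mapping to this address means for the named host."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsed"
    # 127.0.0.1, ::1 and 0.0.0.0 never reach the network: that is a block,
    # which is exactly what the MVPS file relies on.
    if addr.is_loopback or addr.is_unspecified:
        return "block"
    # Any routable address means traffic for that name is redirected
    # somewhere else, which is the hijack pattern seen in the thread.
    return "hijack"


def parse_hosts(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            entries.append(Entry("", line, "unparsed"))
            continue
        verdict = classify_ip(m.group("ip"))
        for host in m.group("hosts").split():
            # The stock "localhost" loopback line is the machine itself.
            v = "self" if (verdict == "block" and host.lower() == "localhost") else verdict
            entries.append(Entry(m.group("ip"), host, v))
    return entries


def hijacked_hosts(text: str) -> List[str]:
    """Hostnames the file sends to a routable address (what to clean up)."""
    return sorted({e.host for e in parse_hosts(text) if e.verdict == "hijack"})


def blocked_hosts(text: str) -> List[str]:
    """Hostnames the file deliberately sinks (what an MVPS file adds)."""
    return sorted({e.host for e in parse_hosts(text) if e.verdict == "block"})


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for e in parse_hosts(text):
        print(f"{e.verdict:8} {e.ip:15} {e.host}")
    print("hijacked:", hijacked_hosts(text))
```

    Run against the sample it prints the two hijacked names (ad-emea.doubleclick.net and www.google-analytics.com) as "hijack" and the 0.0.0.0 entries as "block", which is the distinction Bobbye draws: replacing the file removes the hijack, and the MVPS entries that come with it are a separate, deliberate block.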
     
  11. beaker4251

    beaker4251 TS Rookie Topic Starter

    Thanks dude. Removed Combofix, ran OTCleanit, did the restore point and removed all old ones, etc.

    ABP add-on was already installed along with NoScript, I subscribed to the EasyList list for ABP.

    A question about firewall/antimalware/antivirus apps: I'm running Microsoft's Security Essentials. I shouldn't install another anti-virus or anti-malware while I'm using that right, because they can interfere with each other? What about a firewall, can I run Zone Alarm in tandem with Microsoft Security Essentials?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There are some who think that having MSE is all the security needed to protect a system. I am not one of those people. MS represents MSE as full protection but I find it is really 'only' an antivirus program. To protect a system fully there should be:

    You need one antivirus> yes in MSE
    You need one firewall> No in MSE.
    A software firewall should be added. The Windows firewall is not sufficient
    You need at least 2 antimalware programs. Preferably ones that protect the system differently. MSE has some protection in this area. But I'd add:
    Spywareblaster
    Spybot Search & Destroy.

    For even better security, use a router. It will have a hardware firewall. I ran ZoneAlarm for years. Then I got a router> kept ZA running with router (1 software firewall and a hardware firewall are okay) I ran the 2 for 3 months and there were no hits in the ZA log. I removed ZA and use the router.

    The concept you want to understand is that when you have 2 (or more) programs that are trying to do the same thing, that's the source of conflict. AV looks for virus/Trojan, etc. footprints. FW listens at ports> bidirectional FW like ZA listens to both incoming and outgoing ports. Antimalware programs can be combined as different types of protection.

    Does that help? FYI, I have Nod32 AV, router, Spywareblaster, Spybot S&D. I also use Secunia. I prefer the free-standing programs rather than the suites, and I also usually get the paid version for the AV because if I need help with anything, the paid is a bit better than the free versions.
     
  13. beaker4251

    beaker4251 TS Rookie Topic Starter

    Thanks dude. I'm all set. I appreciate all your help!
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome. Closing thread.
     
Topic Status:
Not open for further replies.
