Inactive Multi Iexplore.exe and malicious URL

Lashire

A couple of days ago, I got the "Windows Vista Repair" virus. I went through several steps provided by bleepingcomputer.com. The warnings and the fake errors are gone, but now I am left with Avast constantly telling me that there is a Malicious URL Redirect from object 64.111.211.158, along with several processes of iexplore.exe running right from startup. When I turn them off, they come back within a few minutes, even when I do not touch Internet Explorer.

Below I have posted the logs asked for in the sticky. Gmer was blank after the scan.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7021

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19088

7/4/2011 1:34:36 PM
mbam-log-2011-07-04 (13-34-36).txt

Scan type: Quick scan
Objects scanned: 185450
Time elapsed: 2 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


.
DDS (Ver_2011-06-23.01) - NTFSAMD64 NETWORK
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_20
Run by user at 14:05:58 on 2011-07-04
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2625 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - C:\Program Files (x86)\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRunOnce: [GrpConv] grpconv -o
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Sothink SWF Catcher - C:\Program Files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.4.16.0.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2298D81A-FAAF-42F0-B73D-A17A0E560C26} : DhcpNameServer = 192.168.0.1
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Winamp Toolbar Loader: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO-X64: Winamp Toolbar Loader - No File
BHO-X64: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
BHO-X64: Canon Easy-WebPrint EX BHO - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: Yahoo! IE Services Button: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files (x86)\Yahoo!\Common\yiesrvc.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn2\yt.dll
TB-X64: Veoh Browser Plug-in: {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files (x86)\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
TB-X64: Veoh Web Player Video Finder: {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files (x86)\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
TB-X64: Winamp Toolbar: {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB-X64: DAEMON Tools Toolbar: {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB-X64: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File
mRunOnce-x64: [GrpConv] grpconv -o
IE-X64: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
============= SERVICES / DRIVERS ===============
.
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-5-4 128384]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;C:\Windows\system32\DRIVERS\l160x64.sys --> C:\Windows\system32\DRIVERS\l160x64.sys [?]
S1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
S1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
S1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
S1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
S2 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2011-2-9 401920]
S2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
S2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
S2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-6-8 42184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-7-17 133104]
S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);C:\Program Files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-3-20 1153368]
S2 StarWindServiceAE;StarWind AE Service;C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-5-28 275968]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-2-23 378984]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-7-17 133104]
S3 LiveTurbineMessageService;Turbine Message Service - Live;C:\Program Files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-9-20 267760]
S3 LiveTurbineNetworkService;Turbine Network Service - Live;C:\Program Files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-9-20 218608]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 TFsExDisk;TFsExDisk;C:\Windows\System32\drivers\TFsExDisk.Sys [2011-4-13 16392]
S3 WinRing0_1_1_1;WinRing0_1_1_1;C:\Program Files (x86)\RealTemp_2.60\WinRing0x64.sys [2008-7-6 13520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-10 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-06-09 00:45:55 -------- d-----w- C:\ProgramData\Alwil Software
2011-07-04 19:59:23 -------- d-----w- C:\ProgramData\PrevxCSI
2011-07-04 19:42:32 -------- d-sh--w- C:\$RECYCLE.BIN
2011-07-04 19:40:00 -------- d-----w- C:\Users\user\AppData\Local\Apple
2011-07-04 18:21:28 -------- d-----w- C:\ComboFix
2011-07-04 01:14:34 -------- d-----w- C:\Users\user\AppData\Roaming\SUPERAntiSpyware.com
2011-07-04 01:14:34 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2011-07-04 01:14:27 -------- d-----w- C:\ProgramData\!SASCORE
2011-07-04 01:14:24 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2011-07-03 23:22:12 98816 ----a-w- C:\Windows\sed.exe
2011-07-03 23:22:12 518144 ----a-w- C:\Windows\SWREG.exe
2011-07-03 23:22:12 256000 ----a-w- C:\Windows\PEV.exe
2011-07-03 23:22:12 208896 ----a-w- C:\Windows\MBR.exe
2011-07-03 20:38:08 -------- d-----w- C:\ProgramData\PC Tools
2011-07-01 12:52:41 8873296 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{11A3DB4A-D082-40E0-909C-77E1D53E576F}\mpengine.dll
2011-06-28 23:34:04 344576 ----a-w- C:\Windows\System32\schannel.dll
2011-06-28 23:34:03 276992 ----a-w- C:\Windows\SysWow64\schannel.dll
2011-06-15 01:30:30 176128 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-06-15 01:30:30 145920 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-06-15 01:30:26 847360 ----a-w- C:\Windows\System32\oleaut32.dll
2011-06-15 01:30:26 563712 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2011-06-15 01:30:20 405504 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-06-15 01:30:17 758784 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll
2011-06-15 01:30:16 1027584 ----a-w- C:\Program Files\Common Files\Microsoft Shared\vgx\VGX.dll
2011-06-15 01:30:14 275456 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-15 01:30:13 135680 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-06-15 01:30:13 107008 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-06-15 01:30:10 2762752 ----a-w- C:\Windows\System32\win32k.sys
.
==================== Find3M ====================
.
2011-05-29 16:11:30 39984 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 16:11:20 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-05-28 06:28:00 1147904 ----a-w- C:\Windows\System32\wininet.dll
2011-05-28 06:24:04 56832 ----a-w- C:\Windows\System32\licmgr10.dll
2011-05-28 06:23:47 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-05-28 06:23:30 132096 ----a-w- C:\Windows\System32\iesysprep.dll
2011-05-28 06:23:29 77312 ----a-w- C:\Windows\System32\iesetup.dll
2011-05-28 06:08:58 916480 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-05-28 06:04:30 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2011-05-28 06:04:17 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-05-28 06:04:03 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
2011-05-28 06:04:03 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2011-05-28 05:33:37 479232 ----a-w- C:\Windows\System32\html.iec
2011-05-28 05:10:26 385024 ----a-w- C:\Windows\SysWow64\html.iec
2011-05-28 04:53:37 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
2011-05-28 04:52:18 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-05-28 04:33:03 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2011-05-28 04:31:44 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-05-25 02:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-05-10 12:10:59 40112 ----a-w- C:\Windows\avastSS.scr
2011-05-10 12:04:08 600920 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2011-05-10 11:59:48 64344 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-05-02 17:16:14 739328 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-05-02 17:13:21 975360 ----a-w- C:\Windows\System32\inetcomm.dll
2011-04-14 15:14:19 97792 ----a-w- C:\Windows\System32\drivers\dfsc.sys
.
============= FINISH: 14:14:59.34 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 6/25/2008 4:19:41 PM
System Uptime: 7/4/2011 1:06:04 PM (1 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5KPL-VM
Processor: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz | Socket 775 | 2997/333mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 100.629 GiB free.
D: is CDROM ()
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96b-e325-11ce-bfc1-08002be10318}
Description: Standard PS/2 Keyboard
Device ID: ACPI\PNP0303\4&2E2B2FDC&0
Manufacturer: (Standard keyboards)
Name: Standard PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&2E2B2FDC&0
Service: i8042prt
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&2E2B2FDC&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&2E2B2FDC&0
Service: i8042prt
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
.
Update for Microsoft Office 2007 (KB2508958)
µTorrent
2007 Microsoft Office system
3DMark06
50 FREE MP3s +1 Free Audiobook!
7-Zip 4.65
ABC Amber LIT Converter
AC3Filter 1.63b
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 Professional
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop 7.0
Adobe Reader 9.4.4
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AdVantage (Powering DAEMON Tools)
Age of Conan - Hyborian Adventures
Amazon Games & Software Downloader
Apple Application Support
Apple Software Update
AutocompletePro
avast! Free Antivirus
AVS Update Manager 1.0
AVS Video Converter 6
AVS4YOU Software Navigator 1.4
Baldur's Gate Tutu
Baldur's Gate(TM) II - Shadows of Amn(TM) Bonus CD
Baldur's Gate(TM) II - Throne of Bhaal (TM)
Basic Webcam
Big Fish Games Client
Black & White® 2
Caesar IV
Canon Easy-WebPrint EX
Canon MP Navigator EX 3.0
Canon MP250 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
CCleaner
Champions Online
Comcast High-Speed Internet Install Wizard
Connect
Core FTP LE 2.1
DAEMON Tools Lite
DAEMON Tools Toolbar
Delicious - Emily's Tea Garden
DH Driver Cleaner Professional Edition
Diner Dash: Hometown Hero
Divinity II - DKS
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
Download Manager 2.3.6
Dragon Age II
Dragon Age Toolset
Dragon Age: Origins
Dragon Age: Origins Character Creator
Driver Sweeper 1.5.5
e-PDF To HTML Converter
EA Download Manager
EA Installer
EA Shared Game Component: Activation
Easy PDF to HTML Converter v2.0
EverQuest II (US English)
Facebook Plug-In
FileZilla Client 3.3.5.1
Free Natural Text to Speech Reader 2008
Free Realms Installer
GameHouse
GanttProject
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GPL MPEG-1/2 DirectShow Decoder Filter
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
ICatch (VI) PC Camera
Icewind Dale
Icewind Dale - Heart of Winter
Icewind Dale II
ImgBurn
Java Auto Updater
Java(TM) 6 Update 20
Java(TM) 6 Update 4
Java(TM) 6 Update 7
kuler
LimeWire 5.3.6
Malwarebytes' Anti-Malware version 1.51.0.1200
Maxthon2
MediaCentre
MediaCentre (C:\Program Files (x86)\MediaCentre\)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (BWDATOOLSET)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Setup Support Files (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works 6-9 Converter
Microsoft WSE 3.0 Runtime
MOV to WMV 1.1
Move Media Player
Mozilla Firefox (3.6.15)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MySQL Connector/ODBC 3.51
Neverwinter Nights
Neverwinter Nights 2
NVIDIA nTune
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
NWN2 - Dark Waters
NWN2 - Dark Waters 1
oggcodecs 0.71.0946
OpenOffice.org 2.4
PDF Settings CS4
Photoshop Camera Raw
Pirates of the Burning Sea
Pixel Bender Toolkit
Power Sound Editor Free
Powerbullet Presenter
QuickTime
RAD Video Tools
Ranch Rush
RE: Alistair++ 1
Restaurant Empire
Restaurant Empire 2
RollerCoaster Tycoon 3
Safari
SAMSUNG Mobile USB Device
Samsung New PC Studio
Samsung New PC Studio USB Driver Installer
SANYO Screen Capture 1.1
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2509488)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft Office 2007 System (KB2541012)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2541007)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Sibelius Scorch (Firefox, Opera, Netscape only)
SimCity 4 Deluxe
Sims2Pack Clean Installer
Sothink SWF Quicker
SpeedFan (remove only)
SPORE™
Spybot - Search & Destroy
Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
Star Wars®: Knights of the Old Republic (TM)
Steam
Suite Shared Configuration CS4
System Requirements Lab
System Requirements Lab CYRI
The Movies(TM)
The Movies(TM) Stunts & Effects
THE SETTLERS - Rise of an Empire
The Sims 2
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims™ 2 Apartment Life
The Sims™ 2 Bon Voyage
The Sims™ 2 FreeTime
The Sims™ 2 Seasons
The Witcher Enhanced Edition
Timeline Maker Professional 2.1
Tropico 3: Steam Special Edition
Turbine Download Manager - Live
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Outlook 2007 (KB2509470)
Update for Outlook 2007 Junk Email Filter (KB2536413)
Vampire - The Masquerade Bloodlines
VC80CRTRedist - 8.0.50727.4053
Veoh Web Player
VeohTV BETA
ViiKii Desktop Plug-in
VLC media player 1.0.5
Winamp
Winamp Detector Plug-in
Winamp Toolbar
Windows Live OneCare safety scanner
Windows Media Player Firefox Plugin
WinRAR archiver
Wonderburg
World of Warcraft
Xfire (remove only)
Xvid 1.2.1 final uninstall
Yahoo! Browser Services
Yahoo! BrowserPlus 2.9.8
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar
Zoo Tycoon 2
.
==== Event Viewer Messages From Past Week ========
.
7/4/2011 12:48:40 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Beep
7/4/2011 12:09:38 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
7/4/2011 12:07:07 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
7/4/2011 11:16:06 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 1.1 SP1 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 for x64-based Systems (KB2416447).
7/4/2011 1:31:16 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service NVSvc with arguments "" in order to run the server: {DCAB0989-1301-4319-BE5F-ADE89F88581C}
7/4/2011 1:09:15 PM, Error: Service Control Manager [7001] - The PnP-X IP Bus Enumerator service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
7/4/2011 1:08:12 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi Beep i8042prt SASDIFSV SASKUTIL spldr Wanarpv6
7/4/2011 1:08:12 PM, Error: Service Control Manager [7001] - The Windows Media Center Extender Service service depends on the Function Discovery Provider Host service which failed to start because of the following error: The dependency service or group failed to start.
7/4/2011 1:08:12 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
7/4/2011 1:08:01 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
7/4/2011 1:07:58 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
7/4/2011 1:07:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/4/2011 1:07:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
7/4/2011 1:07:15 PM, Error: Microsoft-Windows-TerminalServices-LocalSessionManager [1048] - Terminal Service start failed. The relevant status code was This service cannot be started in Safe Mode .
7/4/2011 1:07:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}
7/3/2011 7:34:56 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi i8042prt SASDIFSV SASKUTIL spldr Wanarpv6
7/3/2011 7:33:55 PM, Error: EventLog [6008] - The previous system shutdown at 7:30:50 PM on 7/3/2011 was unexpected.
7/3/2011 7:27:50 PM, Error: EventLog [6008] - The previous system shutdown at 7:24:49 PM on 7/3/2011 was unexpected.
7/3/2011 4:35:22 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: aswSnx aswSP aswTdi i8042prt spldr Wanarpv6
7/3/2011 1:54:09 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}
7/2/2011 2:53:33 PM, Error: EventLog [6008] - The previous system shutdown at 2:51:24 PM on 7/2/2011 was unexpected.
7/2/2011 2:01:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service BITS with arguments "" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
7/2/2011 10:31:29 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
7/2/2011 10:26:05 AM, Error: EventLog [6008] - The previous system shutdown at 7:37:49 AM on 7/2/2011 was unexpected.
6/29/2011 5:16:42 AM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer PDF-XChange 3.0 with shared resource name PDF-XChange 3.0. Error 2114. The printer cannot be used by others on the network.
6/28/2011 1:24:16 PM, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Canon MP250 series Printer with shared resource name Canon MP250 series Printer. Error 2114. The printer cannot be used by others on the network.
.
==== End Of File ===========================
 
Welcome to TechSpot! I'll help you sort this out.
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.
If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
Multiple iexplore.exe processes are normal in IE8. However, malware can hide behind the names of most processes.

The IP 64.111.211.158 belongs to a hosting site that carries warnings of being fraudulent. Are you actually getting redirected or just being warned? Do you have a firewall?

Let's check further to see what, if any, entries are left from the previous malware:
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you will be asked whether to continue.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow it
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==============================================
I'd like you to also run this online virus scan:
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click the download button to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

Please leave logs in your next reply.
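A worked check for the point about iexplore.exe above, added here as an example (it is not part of this thread and not a tool Bobbye recommends). Several iexplore.exe processes are normal in IE8 because one frame process starts one or more tab processes, so the name alone tells you nothing; what separates a real browser from a look-alike, or from a real browser being driven by something else, is where the image lives, who signed it, and which process started it. The install paths and the "Microsoft" signer prefix are assumptions about a default 64-bit Vista/IE8 install, and the process table is constructed for the example; on a live machine the same fields come from `wmic process where "name='iexplore.exe'" get ProcessId,ParentProcessId,ExecutablePath` and, for the signer, `Get-AuthenticodeSignature` in PowerShell.

```python
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    name: str
    path: str        # full image path (WMI ExecutablePath)
    ppid: int
    signed_by: str   # Authenticode signer reported by the OS, "" if unsigned


# Assumed install locations of IE8 on 64-bit Vista (64-bit and 32-bit copies).
IE_PATHS = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files (x86)\internet explorer\iexplore.exe",
}
# Parents that normally start an IE process: the user's shell, or IE's own frame
# process starting a tab process (which is why several iexplore.exe are normal).
OK_PARENTS = {"explorer.exe", "iexplore.exe"}


def own_problems(p, by_pid):
    """Reasons to distrust one iexplore.exe, judged on its own properties."""
    reasons = []
    if p.path.lower() not in IE_PATHS:
        reasons.append("image is not the installed IE binary: " + p.path)
    if not p.signed_by.startswith("Microsoft"):
        reasons.append("not signed by Microsoft")
    parent = by_pid.get(p.ppid)
    if parent is None:
        reasons.append("parent pid %d is gone (launcher already exited)" % p.ppid)
    elif parent.name.lower() not in OK_PARENTS:
        reasons.append("unexpected parent %s (pid %d) from %s"
                       % (parent.name, parent.pid, parent.path))
    return reasons


def triage(procs):
    """Map pid -> reasons for every iexplore.exe that deserves a closer look."""
    by_pid = {p.pid: p for p in procs}
    flagged = {p.pid: own_problems(p, by_pid)
               for p in procs if p.name.lower() == "iexplore.exe"}
    # A genuine, signed iexplore.exe started by a flagged process is still the
    # malware's doing (a hidden real browser driven by something else), so the
    # suspicion propagates down the parent chain until nothing changes.
    changed = True
    while changed:
        changed = False
        for pid, reasons in flagged.items():
            ppid = by_pid[pid].ppid
            tag = "spawned by flagged pid %d" % ppid
            if flagged.get(ppid) and tag not in reasons:
                reasons.append(tag)
                changed = True
    return {pid: r for pid, r in flagged.items() if r}


# Constructed sample process table (not taken from the logs in this thread).
SAMPLE = [
    Proc(1000, "explorer.exe", r"C:\Windows\explorer.exe", 800, "Microsoft Windows"),
    Proc(900, "svchost.exe", r"C:\Windows\System32\svchost.exe", 600, "Microsoft Windows"),
    Proc(2000, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", 1000, "Microsoft Windows"),   # frame
    Proc(2001, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe", 2000, "Microsoft Windows"),   # tab
    Proc(3000, "iexplore.exe", r"C:\Users\user\AppData\Local\Temp\iexplore.exe", 900, ""),                     # look-alike
    Proc(3001, "iexplore.exe", r"C:\Program Files (x86)\Internet Explorer\iexplore.exe", 3000, "Microsoft Windows"),  # real IE, rogue parent
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```

Run as-is it reports pid 3000 (wrong path, unsigned, started by a service host) and pid 3001 (a perfectly genuine IE binary, flagged only because 3000 started it); the two normal frame/tab processes under explorer.exe stay quiet. The parent check is the one that matters for the symptom in this thread, where iexplore.exe appears right after boot with nobody using IE.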
 
Thank you, Bobbye, for your assistance.

You asked if I was being redirected or just warned. Whenever I try to click on a link (IE or Firefox) usually in an attempt to find something to help me with the virus (I am using another household computer at the moment) I am redirected to some random link and then usually to a Stopzilla link when that won't load. Blondie.ausbone.net being one of the many random links it attempts to send me to. However, it will warn me of the attempt to redirect even though the computer is not in use. I have Windows Defender and Avast turned on at all times, except a couple days ago when I got the virus and my registration for Avast ran out.

I ran the Combofix uninstall, and below is my log that I received after it was reinstalled.

ComboFix 11-07-04.02 - user 07/04/2011 23:15:50.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.1940 [GMT -7:00]
Running from: c:\users\user\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-05 to 2011-07-05 )))))))))))))))))))))))))))))))
.
.
2012-06-09 00:45 . 2010-06-09 05:41 -------- d-----w- c:\programdata\Alwil Software
2011-07-05 06:46 . 2011-07-05 06:46 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-05 06:46 . 2011-07-05 06:46 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-07-05 06:46 . 2011-07-05 06:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-05 06:02 . 2011-07-05 06:06 -------- d-----w- C:\32788R22FWJFW
2011-07-04 19:59 . 2011-07-04 20:13 -------- d-----w- c:\programdata\PrevxCSI
2011-07-04 19:40 . 2011-07-04 19:40 -------- d-----w- c:\users\user\AppData\Local\Apple
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\users\user\AppData\Roaming\SUPERAntiSpyware.com
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\!SASCORE
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-03 20:38 . 2011-07-03 20:38 -------- d-----w- c:\programdata\PC Tools
2011-07-03 20:29 . 2011-07-03 20:29 -------- d-----w- c:\users\Public\Beck's Stories
2011-07-01 12:52 . 2011-06-07 17:10 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{11A3DB4A-D082-40E0-909C-77E1D53E576F}\mpengine.dll
2011-06-28 23:34 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
2011-06-28 23:34 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
2011-06-15 01:30 . 2011-04-29 13:41 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 01:30 . 2011-04-29 13:40 145920 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 01:30 . 2010-12-20 16:59 847360 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 01:30 . 2010-12-20 16:35 563712 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-06-15 01:30 . 2011-04-21 14:20 405504 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 01:30 . 2011-04-30 06:09 758784 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll
2011-06-15 01:30 . 2011-04-30 06:22 1027584 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2011-06-15 01:30 . 2011-04-29 13:39 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 01:30 . 2011-04-29 13:39 135680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-15 01:30 . 2011-04-29 13:39 107008 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 01:30 . 2011-05-18 13:56 2762752 ----a-w- c:\windows\system32\win32k.sys
2011-06-09 21:30 . 2011-06-09 21:30 -------- d-----w- c:\program files\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 16:11 . 2010-03-04 23:53 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2010-03-04 23:53 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 02:14 . 2009-10-02 22:20 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-10 12:10 . 2011-03-22 01:30 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2010-06-09 05:41 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-05-10 12:10 . 2011-03-22 01:30 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:04 . 2011-03-22 01:30 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:04 . 2010-06-09 05:41 287576 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2010-06-09 05:41 53592 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 11:59 . 2010-06-09 05:41 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2010-06-09 05:41 64344 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-05-10 11:59 . 2010-06-09 05:41 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files (x86)\Winamp Toolbar\winamptb.dll" [2009-05-06 1262888]
.
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-09 39408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-09-20 267760]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-09-20 218608]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2009-11-02 16392]
R3 WinRing0_1_1_1;WinRing0_1_1_1;c:\program files (x86)\RealTemp_2.60\WinRing0x64.sys [2008-01-28 13520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
S2 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-02-23 378984]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-30 153624]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-30 225816]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-30 199704]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Sothink SWF Catcher - c:\program files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-Activation Assistant for the 2007 Microsoft Office suites - c:\programdata\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-AdVantage_DAEM - c:\program files (x86)\AdVantage\AdVUninst.exe
AddRemove-AutocompletePro3_is1 - c:\program files (x86)\AutocompletePro\unins000.exe
AddRemove-NWN2DW - g:\nwn2\modules\DWUninstall.exe
AddRemove-NWN2DW1 - c:\users\user\Documents\Neverwinter Nights 2\modules\DW1Uninstall.exe
AddRemove-Yahoo! Mail - c:\windows\system32\regsvr32
AddRemove-YInstHelper - c:\windows\system32\regsvr32
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:94,28,83,73,ba,0c,cc,44,2a,a3,5a,be,5b,46,10,cc,8f,ec,e2,4d,e8,e1,54,
11,d8,db,82,7e,1b,57,70,1c,03,06,db,08,31,26,6b,41,06,44,97,3d,00,fe,8e,7e,\
"??"=hex:71,7a,e4,82,c8,87,c8,f7,49,a6,c4,3c,0c,e1,c7,54
.
[HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:e9,6c,f9,2d,57,d7,09,c6,e7,6a,59,e1,99,df,c6,56,b4,95,f9,7f,5e,
62,1d,76,c0,40,37,db,2d,35,35,3c,21,3d,33,a8,fa,f8,1f,30,50,db,14,07,c5,89,\
"rkeysecu"=hex:d2,9c,3b,97,4c,80,dc,0c,1f,ac,a6,07,6d,4d,64,30
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
.
**************************************************************************
.
Completion time: 2011-07-05 00:16:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-05 07:16
ComboFix2.txt 2011-07-04 19:41
.
Pre-Run: 110,218,985,472 bytes free
Post-Run: 110,105,227,264 bytes free
.
- - End Of File - - 0D0F296B8CF0F408C4DAB2BCA66B36B9
 
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\27e8c01-259d6d3d a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\26dcc390-12668507 multiple threats
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\b3f2d83-56c7e48a multiple threats
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\190c8233-1299c07b multiple threats
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\3f054e06-6ad6be8d multiple threats
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\59fdafbd-63155b25 multiple threats
C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE_v4.exe probably a variant of Win32/Agent.KSZVEEK trojan
C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE\Setup-RE.exe probably a variant of Win32/Agent.KSZVEEK trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab multiple threats
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[3].cab a variant of Win32/Adware.OneStep.Y application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3Y2TS15\upgrade[1].cab a variant of Win32/Adware.OneStep.R application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CGG8FSVE\upgrade[1].cab a variant of Win32/Adware.OneStep.X application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5QMSLOK\upgrade[1].cab a variant of Win32/Adware.OneStep.T application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[1].cab a variant of Win32/Adware.OneStep.S application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[1].cab a variant of Win32/Adware.OneStep.AB application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[1].cab a variant of Win32/Adware.OneStep.S application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIO042TE\upgrade[1].cab a variant of Win32/Adware.OneStep.R application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab multiple threats
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[3].cab a variant of Win32/Adware.OneStep.Y application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3Y2TS15\upgrade[1].cab a variant of Win32/Adware.OneStep.R application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CGG8FSVE\upgrade[1].cab a variant of Win32/Adware.OneStep.X application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5QMSLOK\upgrade[1].cab a variant of Win32/Adware.OneStep.T application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[1].cab a variant of Win32/Adware.OneStep.S application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[1].cab a variant of Win32/Adware.OneStep.AB application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[1].cab a variant of Win32/Adware.OneStep.S application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIO042TE\upgrade[1].cab a variant of Win32/Adware.OneStep.R application
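Triage of the ESET list above, added here as an example (not part of the thread and not ESET's or OTM's own code). ESET prints one `<path> <verdict>` per line with spaces inside the path, so the split has to key on the verdict phrase; once parsed, the findings fall into three groups that need different handling: the Java cache (cleared from the Java control panel), Temporary Internet Files under `config\systemprofile` (that is the SYSTEM account's IE cache, so those upgrade[n].cab files were fetched by something running as a service, not by the logged-on user), and ordinary user files. The System32/SysWOW64 pairs with identical cache folder names are, as an assumption, the same files seen twice through WoW64 file-system redirection. The sample lines are excerpted from the log above; the ":Files" output format is OTM's.

```python
import re
from collections import Counter

# Sample lines excerpted from the ESET log posted above (two or three of each kind).
SAMPLE_LOG = r"""
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\27e8c01-259d6d3d a variant of Java/TrojanDownloader.OpenStream.NBF trojan
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\16\26dcc390-12668507 multiple threats
C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE_v4.exe probably a variant of Win32/Agent.KSZVEEK trojan
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab multiple threats
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab multiple threats
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab a variant of Win32/Adware.OneStep.T application
"""

# "<path> <verdict>": the path may contain spaces, so anchor on the verdict phrase.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<verdict>(?:probably )?a variant of .+|multiple threats)$"
)

SYS32 = "c:\\windows\\system32\\config\\systemprofile\\"
WOW64 = "c:\\windows\\syswow64\\config\\systemprofile\\"


def parse_eset_log(text):
    """Return [(path, verdict), ...] in log order; refuse lines it cannot split."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised ESET line: " + line)
        findings.append((m.group("path"), m.group("verdict")))
    return findings


def classify(path):
    p = path.lower()
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java-cache"        # cleared via the Java control panel, not file by file
    if "\\config\\systemprofile\\" in p and "\\temporary internet files\\" in p:
        return "system-ie-cache"   # IE cache of the SYSTEM account: downloaded by a service
    return "user-file"


def summarize(findings):
    return Counter(classify(path) for path, _ in findings)


def wow64_twins(findings):
    """(System32 path, SysWOW64 path) pairs that differ only in that directory.
    Assumption: a 32-bit scanner reading System32 is redirected to SysWOW64, so
    each pair is very likely one file reported twice."""
    by_key = {}
    for path, _ in findings:
        p = path.lower()
        if p.startswith(SYS32):
            by_key.setdefault(p[len(SYS32):], {})["sys32"] = path
        elif p.startswith(WOW64):
            by_key.setdefault(p[len(WOW64):], {})["wow64"] = path
    return [(v["sys32"], v["wow64"]) for v in by_key.values() if len(v) == 2]


def otm_files_script(findings):
    """OTM ':Files' block for everything except the Java cache, duplicates dropped."""
    lines, seen = [":Files"], set()
    for path, _ in findings:
        if classify(path) == "java-cache" or path.lower() in seen:
            continue
        seen.add(path.lower())
        lines.append(path)
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_LOG)
    print(dict(summarize(found)))
    print(len(wow64_twins(found)), "System32/SysWOW64 twin pairs")
    print(otm_files_script(found))
```

The parser raises on a line it cannot split rather than guessing, which is the behaviour you want before pasting a generated deletion list into a tool that removes files on reboot; anything that trips it should be read by hand.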
 
Reviewing the logs, I note several entries for the Winamp Toolbar. Please check their Privacy Policies here: http://www.winamp.com/legal/privacy

With your permission, I'd like to include it in the script you will run through Combofix. My recommendation is to remove this.
============================================
There are 2 sources of infection in the ESET log. The first is in the Java cache. To remove it:
  1. Click Start > Control Panel.
  2. Double-click the Java icon in the Control Panel.
  3. Click Settings under Temporary Internet Files.
     There are three options on this window to clear the cache. (Version dependent)
     [o] Delete Files
     [o] View Applications
     [o] View Applets
  4. Click OK on Delete Temporary Files window.
     Note: This deletes all the Downloaded Applications and Applets from the cache.
  5. Click OK on Temporary Files Settings window.
=============================================
[b]The second is in temporary internet files:[/b]

Please download [url=http://oldtimer.geekstogo.com/OTM.exe][b][color=blue]OTMoveIt by Old Timer[/color][/b][/url] and save to your desktop.
[list]
[*] Double-click [b]OTMoveIt3.exe[/b] to run it. (Vista users, please right click on [b]OTMoveIt3.exe[/b] and select "Run as an [b]Administrator[/b]")
[*] [b]Copy the file paths below to the clipboard[/b] by highlighting [b]ALL[/b] of them and [b]pressing CTRL + C[/b] (or, after highlighting, right-click and choose [b]Copy[/b]):
[CODE]
:Files
C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE_v4.exe
C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE\Setup-RE.exe
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[3].cab
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3Y2TS15\upgrade[1].cab
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CGG8FSVE\upgrade[1].cab
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5QMSLOK\upgrade[1].cab
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[1].cab
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[2].cab
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[1].cab
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[2].cab
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[1].cab
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[2].cab
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIO042TE\upgrade[1].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2U9M35IT\upgrade[3].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B3Y2TS15\upgrade[1].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CGG8FSVE\upgrade[1].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F5QMSLOK\upgrade[1].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[1].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[2].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[1].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGFI3ED2\upgrade[2].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[1].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UHXXFROW\upgrade[2].cab
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YIO042TE\upgrade[1].cab
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot][/CODE]
[*] Return to OTMoveIt3, right click in the [b]"Paste Instructions for Items to be Moved"[/b] window and choose [b]Paste[/b].
[*] Click the red [b]Moveit![/b] button.
[*] A log of files and folders moved will be created in the [b]c:\_OTMoveIt\MovedFiles[/b] folder in the form of Date and Time ([b]mmddyyyy_hhmmss.log[/b]). Please open this log in Notepad and post its contents in your next reply.
[*] Close [b]OTMoveIt3[/b]
[/list]If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose [b]Yes.[/b]
====================================================
[B]Regarding Java: I'm seeing a lot of infected Java cache files[/B]. Every log I see with this has outdated Java versions> you have 3> Java(TM) 6 Update 20, Java(TM) 6 Update 4, Java(TM) 6 Update 7. These are all sources of vulnerabilities to the system. Please run the following to remove all of the Java on the system, then get the current update for v6u26:
[b]You have multiple old versions of Java[/b] and do not have the current version. The best way to handle that is to run the following: [b][color=red]Note: I do not want this log![/color][/b]

Please download [url=http://downloads.sourceforge.net/project/javara/javara/JavaRa/JavaRa.zip?r=http%3A%2F%2Fraproducts.org%2Fwordpress%2Fsoftware&ts=1284657086&use_mirror=softlayer][b][color=blue]JavaRa[/color][/b][/url] and unzip it to your desktop.

[b]Important![/b] ***Please close any instances of Internet Explorer before continuing!***
[list]
[*] Double-click on [B]JavaRa.exe[/B] to start the program.
[*] From the drop-down menu, choose [B]English[/B] and click on [B]Select.[/B]
[*] JavaRa will open; click on [B]Remove Older Versions[/B] to remove the older versions of Java installed on your computer.
[*] Click [B]Yes[/B] when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
[*] A logfile will pop up. Please save it to a convenient location. [b][color=red]Note: Do not leave this log.[/color][/b][/list]
Download and install the most current version and update of Java Runtime Environment (JRE) [url=https://www.techspot.com/downloads/6463-java-se.html][b][color=blue]HERE[/color][/b][/url].
===========================================
 
More on the Winamp Toolbar:
{57BCA5FA-5DBB-45a2-B558-1755C3F6253B} Winamp Search Class winamptb.dll Winamp Toolbar - see Privacy Policy

The following Internet Connection was established:
Server Name>> download.newaol.com
Server Port>> 80
Connect as User Connection Password
[*] The data identified by the following URLs was then requested from the remote web server:
o http://aoltoolbar.122.2o7.net/b/ ss/aoltoolbar/1/G.9-Pd-R/49?t=11/19/2007 20:59:29& pageName=tlb_winamp : status : active - tb50win&ch =us.toolbar&c1=tlb : tb50win&c2=tlb : status&c16=d efault&c17=11-19-2007&c18=&c20=5.1.14.2&c19=5.1.14..
o localhost

This could be a cause of the multiple iexplore.exe.
================================================
Please remove the following from the Trusted Zone. Security is lower in that zone and nothing needs to be in the Trusted Zone:
Access Internet Options>Security tab> Trusted Sites> Sites> find each of the following, Click to highlight> Remove:
*.clonewarsadventures.com
*.freerealms.com
*.soe.com
*.sony.com

Apply> OK and Exit when finished.
===================================
Waiting on Winamp Toolbar decision to give script to run.
 
More on the Winamp Toolbar:
Waiting on Winamp Toolbar decision to give script to run.

Absolutely, whatever you believe to be necessary. Thank you. I honestly don't ever remember downloading it to begin with and therefore do not use it.
 
When I run the JavaRa it says that all files have been deleted, but when I actually check the folder they are still there along with all the .dlls and etc. I didn't want to do anything else like install the new version or anything until you gave me the go ahead. Also, no log is created. *UPDATE: Got it to work in safe mode.

As for OTMoveIt, the program crashed when it tried to empty temp files, so I ran it again, therefore I got two logs which I will post.

First attempt:

Files moved on Reboot...
C:\Users\user\AppData\Local\Temp\~DFE5BA.tmp moved successfully.
C:\Users\user\AppData\Local\Temp\~DFE670.tmp moved successfully.
C:\Users\user\AppData\Local\Temp\~DFE6FD.tmp moved successfully.
C:\Users\user\AppData\Local\Temp\~DFE738.tmp moved successfully.
C:\Users\user\AppData\Local\Temp\~DFE7A0.tmp moved successfully.
C:\Users\user\AppData\Local\Temp\~DFE88C.tmp moved successfully.
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\100649643@Bottom3[1].htm not found!
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\1347734882[1].htm not found!
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\aceUACping[1].htm not found!
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\ai_realmedia_com[1].htm not found!
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\ai_realmedia_com[2].htm not found!
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\emily[3].html not found!
File move failed. C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\fw-nonplayer-banner[1].htm scheduled to be moved on reboot.
File move failed. C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\fw-nonplayer-banner[2].htm scheduled to be moved on reboot.
File move failed. C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\fw-nonplayer-banner[3].htm scheduled to be moved on reboot.
File move failed. C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CN4X9FQ9\blink-182-new-album-metallica-monopoly-and[1].htm scheduled to be moved on reboot.
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CM7VERFM\client_restserver[1].htm moved successfully.

Registry entries deleted on Reboot...

Second Attempt:

All processes killed
========== FILES ==========
File/Folder C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE_v4.exe not found.
File/Folder C:\Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE\Setup-RE.exe not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\2U9M35IT\upgrade[3].cab not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\B3Y2TS15\upgrade[1].cab not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\CGG8FSVE\upgrade[1].cab not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\F5QMSLOK\upgrade[1].cab not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[1].cab not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[2].cab not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UGFI3ED2\upgrade[1].cab not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UGFI3ED2\upgrade[2].cab not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UHXXFROW\upgrade[1].cab not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UHXXFROW\upgrade[2].cab not found.
File/Folder C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\YIO042TE\upgrade[1].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\2U9M35IT\upgrade[1].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\2U9M35IT\upgrade[2].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\2U9M35IT\upgrade[3].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\B3Y2TS15\upgrade[1].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\CGG8FSVE\upgrade[1].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\F5QMSLOK\upgrade[1].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[1].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\M5M8VNOQ\upgrade[2].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UGFI3ED2\upgrade[1].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UGFI3ED2\upgrade[2].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UHXXFROW\upgrade[1].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\UHXXFROW\upgrade[2].cab not found.
File/Folder C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\YIO042TE\upgrade[1].cab not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mcx1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: user
->Temp folder emptied: 148992 bytes
->Temporary Internet Files folder emptied: 17046813 bytes
->Java cache emptied: 3625057 bytes
->FireFox cache emptied: 46823646 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1958774 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 467696 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 8630083 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 75.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 07082011_184732

Files moved on Reboot...
File C:\Users\user\AppData\Local\Temp\~DF6E7E.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DF6E86.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DF6EE2.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DF6EEA.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DF6F2B.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DF6F33.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DFA5F5.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DFAD1D.tmp not found!
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\;ord=1449612181[1].htm moved successfully.
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\aceUACping[1].htm moved successfully.
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\emily[1].html moved successfully.
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\fw-nonplayer-banner[1].htm not found!
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OKKUZRPN\fw-nonplayer-banner[2].htm not found!
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CN4X9FQ9\550533233@Bottom3[1].htm not found!
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CN4X9FQ9\fw-nonplayer-banner[1].htm not found!
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CM7VERFM\channels[1].htm moved successfully.
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CM7VERFM\client_restserver[1].htm moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

I removed everything from the trusted sites as well. Thank you for your help thus far, I really appreciate it.
 
Glad to help.

I can't tell the total files cleaned in OTM but I do see that the account named User user was very full:
User: user
->Temp folder emptied: 148992 bytes
->Temporary Internet Files folder emptied: 17046813 bytes
->Java cache emptied: 3625057 bytes
->FireFox cache emptied: 46823646 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1958774 bytes
============================================
It looks like you may not have done much cleaning up! Most of what was in OTM was in temporary internet files. There is only one figure for the 2 logs for Total Files Cleaned: 75mb, but it was much more than that.
========================================
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
Folder::
c:\users\Mcx1\AppData\Local\temp
c:\users\Default\AppData\Local\temp
DDS::
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
IE: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
BHO-X64: 0x1 - No File
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Winamp Toolbar Loader: {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO-X64: Winamp Toolbar Loader - No File
TB-X64: Winamp Toolbar: {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File
Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"=-
[HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch]
RegLock::
[HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
A note for you: As long as you continue to use file sharing programs like uTorrent and LimeWire, you will get malware.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall both for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.
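The per-user figures the helper is reading off the OTM [EMPTYTEMP] section can be totalled mechanically. The following is an added Python example, not part of this thread or of OldTimer's OTM: it parses the [EMPTYTEMP] section of an OTM log, sums the bytes freed per user and for the machine-wide entries, and sets the sum beside the "Total Files Cleaned" figure the log prints. The embedded log is constructed from the numbers quoted in the thread above.

```python
"""Summarise an OTM (OTMoveIt) [EMPTYTEMP] log section: bytes freed per user and overall."""
import re

# Constructed sample log, built from the figures quoted in the thread above.
SAMPLE_LOG = """\
========== COMMANDS ==========

[EMPTYTEMP]

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: user
->Temp folder emptied: 148992 bytes
->Temporary Internet Files folder emptied: 17046813 bytes
->Java cache emptied: 3625057 bytes
->FireFox cache emptied: 46823646 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1958774 bytes

%systemdrive% .tmp files removed: 0 bytes
Windows Temp folder emptied: 467696 bytes
%systemroot%\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files folder emptied: 8630083 bytes
%systemroot%\\sysnative\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 75.00 mb
"""

USER_RE = re.compile(r"^User:\s*(.+?)\s*$")
ITEM_RE = re.compile(r"^(?:->)?(.+?):\s*(\d+)\s+bytes\s*$")
TOTAL_RE = re.compile(r"^Total Files Cleaned\s*=\s*([\d.]+)\s*mb", re.IGNORECASE)


def parse_emptytemp(text):
    """Return (per_user, system, reported_mb).

    per_user maps user name -> {location: bytes}; system holds the machine-wide
    lines (Windows Temp, systemprofile caches, RecycleBin) that follow the last
    "User:" block; reported_mb is the figure OTM prints at the end, or None.
    """
    per_user, system, reported_mb = {}, {}, None
    current = None          # name of the "User:" block we are inside, if any
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[EMPTYTEMP]":
            in_section = True
            continue
        if not in_section:
            continue
        m = TOTAL_RE.match(line)
        if m:
            reported_mb = float(m.group(1))
            continue
        m = USER_RE.match(line)
        if m:
            current = m.group(1)
            per_user[current] = {}
            continue
        m = ITEM_RE.match(line)
        if m:
            location, size = m.group(1), int(m.group(2))
            # "->" lines belong to the current user; bare lines are machine-wide
            # entries and mark the end of the per-user blocks.
            if line.startswith("->") and current is not None:
                per_user[current][location] = size
            else:
                current = None
                system[location] = size
    return per_user, system, reported_mb


def user_totals(per_user):
    """Bytes freed per user, in log order."""
    return {user: sum(items.values()) for user, items in per_user.items()}


def biggest_user(per_user):
    """The account that had the most data cleaned, or None if no user blocks."""
    totals = user_totals(per_user)
    return max(totals, key=totals.get) if totals else None


def summarise(text):
    """Totals for one log: per user, machine-wide, overall, and the printed figure."""
    per_user, system, reported_mb = parse_emptytemp(text)
    total = sum(user_totals(per_user).values()) + sum(system.values())
    return {
        "per_user": user_totals(per_user),
        "system": sum(system.values()),
        "total_bytes": total,
        "total_mib": round(total / (1024 * 1024), 2),
        "reported_mb": reported_mb,
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for user, n in s["per_user"].items():
        print(f"{user:12s} {n:>12,d} bytes")
    print(f"{'system':12s} {s['system']:>12,d} bytes")
    print(f"{'total':12s} {s['total_bytes']:>12,d} bytes "
          f"({s['total_mib']} MiB; log reports {s['reported_mb']} mb)")
```

On the constructed sample the per-user and machine-wide lines add up to 78,734,231 bytes, about 75.09 MiB, which is the single rounded figure OTM prints for the whole run.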
 
I ran the combofix in safe mode, I don't know if that was the incorrect thing to do, I should have asked and didn't think if that was appropriate until after it was done.

However, it kept complaining about not being able to access due to not being run as administrator. I didn't want to run again until I was given the go ahead by you. It is also still running two or more iexplore.exe without Internet Explorer being in use. Here is the log that it produced.

ComboFix 11-07-09.02 - user 07/09/2011 15:48:47.3.2 - x64 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2679 [GMT -7:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Winamp Toolbar\winamptb.dll
c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
c:\users\Default\AppData\Local\temp
c:\users\Mcx1\AppData\Local\temp
.
.
((((((((((((((((((((((((( Files Created from 2011-06-09 to 2011-07-09 )))))))))))))))))))))))))))))))
.
.
2012-06-09 00:45 . 2010-06-09 05:41 -------- d-----w- c:\programdata\Alwil Software
2011-07-09 23:19 . 2011-07-09 23:19 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-09 18:34 . 2011-07-09 18:33 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-09 18:33 . 2011-07-09 18:33 -------- d-----w- c:\program files\Java
2011-07-09 01:40 . 2011-07-09 01:40 -------- d-----w- C:\_OTM
2011-07-09 01:38 . 2011-06-07 17:10 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBE8C931-D29C-4665-9874-8AC4F1B36CF3}\mpengine.dll
2011-07-05 07:23 . 2011-07-05 07:23 -------- d-----w- c:\program files (x86)\ESET
2011-07-04 19:59 . 2011-07-04 20:13 -------- d-----w- c:\programdata\PrevxCSI
2011-07-04 19:40 . 2011-07-04 19:40 -------- d-----w- c:\users\user\AppData\Local\Apple
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\users\user\AppData\Roaming\SUPERAntiSpyware.com
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\!SASCORE
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-03 20:38 . 2011-07-03 20:38 -------- d-----w- c:\programdata\PC Tools
2011-07-03 20:29 . 2011-07-03 20:29 -------- d-----w- c:\users\Public\Beck's Stories
2011-06-28 23:34 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
2011-06-28 23:34 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
2011-06-15 01:30 . 2011-04-29 13:41 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 01:30 . 2011-04-29 13:40 145920 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 01:30 . 2010-12-20 16:59 847360 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 01:30 . 2010-12-20 16:35 563712 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-06-15 01:30 . 2011-04-21 14:20 405504 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 01:30 . 2011-04-30 06:09 758784 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll
2011-06-15 01:30 . 2011-04-30 06:22 1027584 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2011-06-15 01:30 . 2011-04-29 13:39 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 01:30 . 2011-04-29 13:39 135680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-15 01:30 . 2011-04-29 13:39 107008 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 01:30 . 2011-05-18 13:56 2762752 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-04 11:43 . 2011-03-22 01:30 40112 ----a-w- c:\windows\avastSS.scr
2011-07-04 11:43 . 2010-06-09 05:41 199304 ----a-w- c:\windows\SysWow64\aswBoot.exe
2011-07-04 11:43 . 2011-03-22 01:30 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-04 11:36 . 2011-03-22 01:30 600920 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-04 11:36 . 2010-06-09 05:41 288088 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-04 11:35 . 2010-06-09 05:41 45400 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-04 11:32 . 2010-06-09 05:41 31064 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-04 11:32 . 2010-06-09 05:41 64856 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-07-04 11:32 . 2010-06-09 05:41 22360 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-29 16:11 . 2010-03-04 23:53 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2010-03-04 23:53 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 02:14 . 2009-10-02 22:20 270720 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-05_06.51.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2011-07-05 06:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-09 23:22 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-09 23:22 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-05 06:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-09 23:22 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-05 06:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-07-09 23:24 77800 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-25 23:28 . 2011-07-09 23:24 17186 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3060227821-3039954082-2317688156-1000_UserData.bin
+ 2008-06-25 23:26 . 2011-07-09 22:18 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-25 23:26 . 2011-07-05 06:06 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-25 23:26 . 2011-07-05 06:06 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-25 23:26 . 2011-07-09 22:18 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-25 23:26 . 2011-07-09 22:18 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-06-25 23:26 . 2011-07-05 06:06 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-06-04 00:34 . 2011-07-09 23:22 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-06-04 00:34 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-06-04 00:34 . 2011-07-05 06:49 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-04 00:34 . 2011-07-09 23:22 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-04 00:34 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-06-04 00:34 . 2011-07-09 23:22 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-05 19:17 . 2011-07-09 23:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-05 19:17 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-05 19:17 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-05 19:17 . 2011-07-09 23:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-07-05 06:49 . 2011-07-05 06:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-09 23:22 . 2011-07-09 23:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-09 23:22 . 2011-07-09 23:22 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-05 06:49 . 2011-07-05 06:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 15:45 . 2011-07-09 23:24 264720 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2011-07-09 18:34 . 2011-07-09 18:33 190752 c:\windows\system32\javaws.exe
+ 2011-07-09 18:34 . 2011-07-09 18:33 171808 c:\windows\system32\javaw.exe
+ 2011-07-09 18:34 . 2011-07-09 18:33 171808 c:\windows\system32\java.exe
+ 2011-07-09 18:33 . 2011-07-09 18:33 680960 c:\windows\Installer\4db25.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-09 39408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-09-20 267760]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-09-20 218608]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2009-11-02 16392]
R3 WinRing0_1_1_1;WinRing0_1_1_1;c:\program files (x86)\RealTemp_2.60\WinRing0x64.sys [2008-01-28 13520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
S2 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-02-23 378984]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
.
2011-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-07-04 11:43 134384 ----a-w- c:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-30 153624]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-30 225816]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-30 199704]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Sothink SWF Catcher - c:\program files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 192.168.0.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:94,28,83,73,ba,0c,cc,44,2a,a3,5a,be,5b,46,10,cc,8f,ec,e2,4d,e8,e1,54,
11,d8,db,82,7e,1b,57,70,1c,03,06,db,08,31,26,6b,41,06,44,97,3d,00,fe,8e,7e,\
"??"=hex:71,7a,e4,82,c8,87,c8,f7,49,a6,c4,3c,0c,e1,c7,54
.
[HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:e9,6c,f9,2d,57,d7,09,c6,e7,6a,59,e1,99,df,c6,56,b4,95,f9,7f,5e,
62,1d,76,c0,40,37,db,2d,35,35,3c,21,3d,33,a8,fa,f8,1f,30,50,db,14,07,c5,89,\
"rkeysecu"=hex:d2,9c,3b,97,4c,80,dc,0c,1f,ac,a6,07,6d,4d,64,30
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
.
**************************************************************************
.
Completion time: 2011-07-09 16:50:59 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-09 23:50
ComboFix2.txt 2011-07-04 19:41
.
Pre-Run: 109,023,105,024 bytes free
Post-Run: 107,547,123,712 bytes free
.
- - End Of File - - 9E852A1A46F2E3AC6A0B0546AD90A683
 
Unless instructed otherwise, or unless Normal Mode isn't available, scans should be run in Normal Mode.

Directions for ComboFix and the CF fix are to disable security programs before starting the scan. These were running:
AV: avast! Antivirus *Enabled
SP: avast! Antivirus *Enabled
SP: Windows Defender *Enabled
  • Click on Yes, to continue scanning for malware
  • If ComboFix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
=======================================
Combofix:
You need to be logged in as the administrator and then double click the file. Malware can create an environment that requires Administrative rights.
======================================
So: Please run the following script through Combofix in Normal Mode, under Administrative logon with the security disabled:

Custom CFScript

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
RegNull::
[HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
Then run this again, also in Normal Mode:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===============================================
Redoing the scan in Normal Mode under the Administrative login is to show me whether the full program ran and all of the removals were handled.
================================================
Are you still having any of the original problems?

Note: If you did use a flash drive between the 2 computers we're working on now, then it should be disinfected.
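The question behind "redo the scan so I can see whether the removals were handled" is answered fastest by diffing the two ComboFix logs rather than reading them side by side. The script below is an added example written for this page; it is not code from the thread, from the helper, or from ComboFix itself. It assumes PowerShell 2.0 (what a Vista machine has) and parses only the service/driver table ComboFix prints as `R2 name;description;image [date size]` / `S1 name;name; [x]`. The two here-strings are constructed sample input shaped like entries in the logs above; for real use replace them with Get-Content on the saved ComboFix2.txt / ComboFix.txt files.

```powershell
# Editor-added example (not from the thread, not ComboFix's code): diff the
# service/driver table of two ComboFix logs. ComboFix prints those lines as
#   R2 name;description;image [date size]     (R = running, S = stopped)
#   S1 name;name; [x]                         ([x] = image not found/verified)
# Written for PowerShell 2.0 syntax only, since that is what a Vista box has.

function Get-ComboFixServices {
    param([string[]]$Lines)
    $svc = @{}
    foreach ($line in $Lines) {
        if ($line -match '^([RS]\d)\s+([^;]+);([^;]*);(.*)$') {
            $svc[$matches[2]] = @{
                State = $matches[1]          # start-type / run-state code (R2, S1, ...)
                Desc  = $matches[3]
                Image = $matches[4].Trim()   # image path plus [date size], or [x]
            }
        }
    }
    return $svc
}

function Compare-ComboFixServices {
    param([string[]]$BeforeLines, [string[]]$AfterLines)
    $b = Get-ComboFixServices $BeforeLines
    $a = Get-ComboFixServices $AfterLines
    $report = @()
    foreach ($name in $b.Keys) {
        if (-not $a.ContainsKey($name)) {
            $report += "REMOVED  $name  [$($b[$name].State)] $($b[$name].Image)"
        } elseif ($a[$name].State -ne $b[$name].State -or $a[$name].Image -ne $b[$name].Image) {
            $report += "CHANGED  $name  [$($b[$name].State)] $($b[$name].Image) -> [$($a[$name].State)] $($a[$name].Image)"
        }
    }
    foreach ($name in $a.Keys) {
        if (-not $b.ContainsKey($name)) {
            $report += "ADDED    $name  [$($a[$name].State)] $($a[$name].Image)"
        }
    }
    return ($report | Sort-Object)
}

# Constructed sample input shaped like the logs in this thread. For real logs:
#   $beforeText = Get-Content C:\ComboFix2.txt ; $afterText = Get-Content C:\ComboFix.txt
$beforeText = @'
R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
'@
$afterText = @'
R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
'@

Compare-ComboFixServices ($beforeText -split "`r?`n") ($afterText -split "`r?`n")
```

On the sample input the report is three REMOVED lines (aswMonFlt, aswSP, aswSnx). That is the kind of difference worth a question back to the poster: an entry that vanishes between runs may have been unloaded, uninstalled, or actually removed by the fix, and the log alone does not say which. An ADDED line pointing into a temp or profile directory is the one to treat as a new lead.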
 
Still have iexplore.exe running 2 or more times when I do not have IE open, then an additional two open when I do have it open. Thank you so much for your help thus far.

ComboFix 11-07-10.03 - user 07/10/2011 13:13:00.3.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2079 [GMT -7:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-10 to 2011-07-10 )))))))))))))))))))))))))))))))
.
.
2012-06-09 00:45 . 2010-06-09 05:41 -------- d-----w- c:\programdata\Alwil Software
2011-07-10 20:43 . 2011-07-10 20:43 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-10 20:43 . 2011-07-10 20:43 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-07-10 20:43 . 2011-07-10 20:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-09 18:34 . 2011-07-09 18:33 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-09 18:33 . 2011-07-09 18:33 -------- d-----w- c:\program files\Java
2011-07-09 01:40 . 2011-07-09 01:40 -------- d-----w- C:\_OTM
2011-07-09 01:38 . 2011-06-07 17:10 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBE8C931-D29C-4665-9874-8AC4F1B36CF3}\mpengine.dll
2011-07-05 07:23 . 2011-07-05 07:23 -------- d-----w- c:\program files (x86)\ESET
2011-07-04 19:59 . 2011-07-04 20:13 -------- d-----w- c:\programdata\PrevxCSI
2011-07-04 19:40 . 2011-07-04 19:40 -------- d-----w- c:\users\user\AppData\Local\Apple
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\users\user\AppData\Roaming\SUPERAntiSpyware.com
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\!SASCORE
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-03 20:38 . 2011-07-03 20:38 -------- d-----w- c:\programdata\PC Tools
2011-07-03 20:29 . 2011-07-03 20:29 -------- d-----w- c:\users\Public\Beck's Stories
2011-06-28 23:34 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
2011-06-28 23:34 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
2011-06-15 01:30 . 2011-04-29 13:41 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-15 01:30 . 2011-04-29 13:40 145920 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-15 01:30 . 2010-12-20 16:59 847360 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-15 01:30 . 2010-12-20 16:35 563712 ----a-w- c:\windows\SysWow64\oleaut32.dll
2011-06-15 01:30 . 2011-04-21 14:20 405504 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-15 01:30 . 2011-04-30 06:09 758784 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\vgx\VGX.dll
2011-06-15 01:30 . 2011-04-30 06:22 1027584 ----a-w- c:\program files\Common Files\Microsoft Shared\vgx\VGX.dll
2011-06-15 01:30 . 2011-04-29 13:39 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-15 01:30 . 2011-04-29 13:39 135680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-15 01:30 . 2011-04-29 13:39 107008 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-15 01:30 . 2011-05-18 13:56 2762752 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-04 11:43 . 2011-03-22 01:30 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-29 16:11 . 2010-03-04 23:53 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2010-03-04 23:53 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-25 02:14 . 2009-10-02 22:20 270720 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-05_06.51.32 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2011-07-05 06:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-10 19:35 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-10 19:35 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-05 06:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-10 19:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-05 06:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-07-10 20:48 77966 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-25 23:28 . 2011-07-10 20:48 17186 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3060227821-3039954082-2317688156-1000_UserData.bin
- 2008-06-25 23:26 . 2011-07-05 06:06 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-25 23:26 . 2011-07-10 20:11 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-25 23:26 . 2011-07-05 06:06 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-25 23:26 . 2011-07-10 20:11 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-25 23:26 . 2011-07-05 06:06 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-25 23:26 . 2011-07-10 20:11 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-06-04 00:34 . 2011-07-10 20:46 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-06-04 00:34 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-06-04 00:34 . 2011-07-05 06:49 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-04 00:34 . 2011-07-10 20:46 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-04 00:34 . 2011-07-10 20:46 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-04 00:34 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-05 19:17 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-05 19:17 . 2011-07-10 20:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-05 19:17 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-05 19:17 . 2011-07-10 20:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-07-05 06:49 . 2011-07-05 06:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-10 20:46 . 2011-07-10 20:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-10 20:46 . 2011-07-10 20:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-05 06:49 . 2011-07-05 06:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 15:45 . 2011-07-10 20:48 264720 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2011-07-09 18:34 . 2011-07-09 18:33 190752 c:\windows\system32\javaws.exe
+ 2011-07-09 18:34 . 2011-07-09 18:33 171808 c:\windows\system32\javaw.exe
+ 2011-07-09 18:34 . 2011-07-09 18:33 171808 c:\windows\system32\java.exe
- 2010-08-12 17:40 . 2011-07-04 21:49 262144 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2010-08-12 17:40 . 2011-07-10 20:11 262144 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2011-07-09 18:33 . 2011-07-09 18:33 680960 c:\windows\Installer\4db25.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-09 39408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-09-20 267760]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-09-20 218608]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2009-11-02 16392]
R3 WinRing0_1_1_1;WinRing0_1_1_1;c:\program files (x86)\RealTemp_2.60\WinRing0x64.sys [2008-01-28 13520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
S2 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-02-23 378984]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
.
2011-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-30 153624]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-30 225816]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-30 199704]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Sothink SWF Catcher - c:\program files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 192.168.0.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:94,28,83,73,ba,0c,cc,44,2a,a3,5a,be,5b,46,10,cc,8f,ec,e2,4d,e8,e1,54,
11,d8,db,82,7e,1b,57,70,1c,03,06,db,08,31,26,6b,41,06,44,97,3d,00,fe,8e,7e,\
"??"=hex:71,7a,e4,82,c8,87,c8,f7,49,a6,c4,3c,0c,e1,c7,54
.
[HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:e9,6c,f9,2d,57,d7,09,c6,e7,6a,59,e1,99,df,c6,56,b4,95,f9,7f,5e,
62,1d,76,c0,40,37,db,2d,35,35,3c,21,3d,33,a8,fa,f8,1f,30,50,db,14,07,c5,89,\
"rkeysecu"=hex:d2,9c,3b,97,4c,80,dc,0c,1f,ac,a6,07,6d,4d,64,30
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
.
**************************************************************************
.
Completion time: 2011-07-10 14:07:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-10 21:07
ComboFix2.txt 2011-07-09 23:51
ComboFix3.txt 2011-07-04 19:41
.
Pre-Run: 110,105,583,616 bytes free
Post-Run: 110,854,270,976 bytes free
.
- - End Of File - - 76CA3F77FA928FBE36DEB5EFD59B29E7



All processes killed
========== FILES ==========
File/Folder c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Mcx1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: user
->Temp folder emptied: 216064 bytes
->Temporary Internet Files folder emptied: 6122668 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 807 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 6.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 07102011_141109

Files moved on Reboot...
File C:\Users\user\AppData\Local\Temp\~DF2601.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DF2606.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DF264B.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DF2650.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DF2676.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DF267B.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DF415E.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DF4DEE.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DFAF9E.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DFAFA4.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DFAFEE.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DFAFF4.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DFB01A.tmp not found!
File C:\Users\user\AppData\Local\Temp\~DFB01F.tmp not found!
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J14OM03C\client_restserver[1].htm moved successfully.
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EPS75EWU\fw-nonplayer-banner[1].htm moved successfully.
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EPS75EWU\fw-nonplayer-banner[2].htm moved successfully.
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EPS75EWU\xd_receiver[1].htm not found!
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AU1DH1ND\ad[1].htm moved successfully.
File C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AU1DH1ND\channels[1].htm not found!
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AU1DH1ND\emily[2].html moved successfully.
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AU1DH1ND\login_status[1].htm moved successfully.

Registry entries deleted on Reboot...
 
Glad to help!

I put this together soon after IE8 first came out. You might find it 'enlightening!'
IE8: What Are They Thinking?> https://www.techspot.com/vb/topic124001.html
============================================
I'd like to remove or reset your default search page, homepage and default search engine in Firefox.
This is what I'm seeing:
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

The Daemon Tools Toolbar is a package of several useful gadgets that sit on your browser. The main feature of the toolbar is a search function that lets you search the web without leaving the web page you are on. The gadgets also include a weather feature, a world clock and a translation tool. Although these features are functional, they take up space on your browser and resources on your computer. If you are not using them, it is recommended that you remove the toolbar.

Then I'll have you remove the Daemon Search Bar in Add/Remove Programs.

Please let me know if this is okay. (I can do this with script through Combofix)
 
I have not forgotten you. I have been spending time traveling the internet re the following> what you referred to as a "malicious URL."

IP 64.111.211.158 belongs to ISPrime, which is a hosting site. Please read up on this in my reference below:
http://research.microsoft.com/en-us/um/redmond/projects/strider/searchranger/
See #3>>> ISPs against Spammers:

ISPrime took actions around March 19, 2007, and the spammer moved to 67.15.239.42 (and near-by IP addresses) – see http://whois.domaintools.com/67.15.239.42
================================================
I note you have both Safari and Firefox on the system. And also IE8. I would like you to do the following> you can change back later if you want:
Open Firefox> Tools> Options> Advanced> System Defaults> Check 'always check to see if Firefox is the default'> Check now> If it is already the default, exit. If it isn't and you get the question 'do you want to make it the default', check Yes> Exit.

Open Internet Options in either IE Tools or the Control Panel> Select Programs tab> at the bottom of that screen uncheck 'IE should check to see if it's the default'> Exit.

In Safari, I am not familiar with those settings, but it should have a default entry like those above. You will want to uncheck that.
=====================================
Reboot the computer
====================================
Please download ATF Cleaner by Atribune.
This program is for XP, Vista and Windows 2000 only

  • [1] Double-click ATF-Cleaner.exe to run the program.
    [2] Under Main choose: Select All
    [3] Click the Empty Selected button.

    If you use Firefox browser
    [1] Click Firefox at the top and choose:Select All
    [2] Click the Empty Selected button.
    [3] NOTE: If you would like to keep your saved passwords, please click No at the prompt.

===============================================
We need to temporarily disable the CD Emulation> Daemon Tools and Alcohol. (If there are any other programs of this type, please include them also, because they can affect the scans.)

To disable CD Emulation programs using DeFogger please perform these steps:
  1. Please download DeFogger to your desktop.
     Link: http://download.bleepingcomputer.com/jpshortstuff/Defogger.exe
  2. Once downloaded, double-click on the DeFogger icon to start the tool.
  3. The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.
  4. When it prompts you whether or not you want to continue, please click on the Yes button to continue.
  5. When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
  6. If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
==========================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::

DDS::
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Extra::
File::
Firefox::
Firefox-: - Profile - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
Firefox-: - prefs.js- Search.DefaultURL
Firefox-: - prefs.js- Homepage.DefaultURL

RegNull::
[HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\License information*]
Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
==================================================
Repeat the Eset online virus scan.

Do not use IE for any of the above.

Logs and results in next reply.
 
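Two of the artefacts in the helper's posts above lend themselves to scripting: the four Firefox prefs.js values flagged for reset in the first post (homepage, defaulturl, selectedEngine and keyword.URL), and the DDS add-on lines handed to the CFScript's DDS:: section in the second post, where one toolbar DLL shows up as a URLSearchHook, a BHO and a toolbar at once. The Python below is an added example, not code from the thread, from ComboFix or from DDS. The sample prefs.js and DDS text are constructed from the values quoted on this page, and the hijack indicator strings are an assumption drawn from those same values, not a general signature list.

```python
"""Triage helpers for the prefs.js values and DDS add-on lines quoted in
the thread.  Added example; not from the forum posts, ComboFix or DDS."""
import re
from collections import OrderedDict, defaultdict

# ---- Firefox prefs.js --------------------------------------------------
# Preferences a search hijacker rewrites; all four appear in the DDS log.
WATCHED_PREFS = ("browser.startup.homepage", "browser.search.defaulturl",
                 "browser.search.selectedEngine", "keyword.URL")
# Assumed indicators, taken from the values the helper flagged on the page
# (compared case-insensitively).  Extend for a real case.
SUSPICIOUS = ("daemon-search", "daemon search", "fr=ffsp1", "fr=ffds1")
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);\s*$')


def parse_prefs(text):
    """Map pref name -> raw value text (still quoted), in file order."""
    prefs = OrderedDict()
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def find_hijacked(prefs):
    """Return the watched prefs whose value contains a known indicator."""
    return {name: value for name, value in prefs.items()
            if name in WATCHED_PREFS
            and any(ind in value.lower() for ind in SUSPICIOUS)}


def clean_prefs(text):
    """Drop hijacked prefs so Firefox reverts them to its built-in defaults.
    Returns (cleaned_text, sorted list of removed pref names)."""
    bad = find_hijacked(parse_prefs(text))
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1) in bad:
            continue  # removed; Firefox recreates it with the default value
        kept.append(line)
    return "\n".join(kept) + "\n", sorted(bad)


# ---- DDS add-on lines (uURLSearchHooks / mURLSearchHooks / BHO / TB) -----
DDS_RE = re.compile(
    r'^(?P<kind>[um]?URLSearchHooks|BHO|TB):\s*'
    r'(?:(?P<name>[^{]*?):\s*)?'                 # display name is optional
    r'(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s*-\s*(?P<path>.*)$')


def group_addons(text):
    """Group DDS add-on entries by backing file (case-insensitive path) so
    every foothold of one DLL is reviewed together.  Entries DDS reports as
    'No File' are grouped under that literal, which makes orphaned CLSIDs
    stand out."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = DDS_RE.match(line.strip())
        if m:
            groups[m["path"].lower()].append(
                (m["kind"], m["name"] or "", m["clsid"].lower()))
    return dict(groups)


# ---- constructed samples, modelled on the lines quoted in the thread ------
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.search.defaulturl", "http://search.yahoo.com/search?fr=ffsp1&p=");
user_pref("browser.search.selectedEngine", "DAEMON Search");
user_pref("browser.startup.homepage", "http://my.daemon-search.com/startpage|http://www.yahoo.com");
user_pref("keyword.URL", "http://search.yahoo.com/search?fr=ffds1&p=");
user_pref("browser.shell.checkDefaultBrowser", true);
'''

SAMPLE_DDS = r"""
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
"""

if __name__ == "__main__":
    cleaned, removed = clean_prefs(SAMPLE_PREFS_JS)
    print("removed prefs:", ", ".join(removed))
    print(cleaned)
    for path, entries in group_addons(SAMPLE_DDS).items():
        print(path)
        for kind, name, clsid in entries:
            print("   ", kind, name, clsid)
```

Run it against a real prefs.js only with Firefox closed, since Firefox rewrites the file on exit, and keep a copy: removing a preference makes Firefox fall back to its built-in default rather than to a value of your choosing. The grouping output is what you want in front of you before writing the DDS:: section, because a toolbar left with one of its three footholds simply re-registers the others.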
I am sorry that it took so long to respond. Thank you so far for your help. I had a couple of problems while running the scans you asked for.

1. After I set Firefox to default and restarted, then ran the CFScript, when I started Firefox again to run the scan, it informed me that it was not the default browser, even though I followed your instructions and checked them twice.

2. When I ran a search in Yahoo to find out how to make Safari default (so I could learn how to ensure that was turned off), when I hit the tab for every site with the Yahoo redirect, it would send me to sites like http://www.shopica.com when I was clicking on an ehow.com link. So, it seems like the redirect is now happening.

Below are the reports requested:

ComboFix 11-07-18.04 - user 07/18/2011 18:08:13.4.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2212 [GMT -7:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-19 to 2011-07-19 )))))))))))))))))))))))))))))))
.
.
2012-06-09 00:45 . 2010-06-09 05:41 -------- d-----w- c:\programdata\Alwil Software
2011-07-19 01:38 . 2011-07-19 01:38 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-07-19 01:38 . 2011-07-19 01:38 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-07-19 01:38 . 2011-07-19 01:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-19 00:48 . 2011-07-19 00:48 -------- d-----w- c:\users\user\AppData\Local\Apple
2011-07-16 13:40 . 2011-06-02 13:50 2764288 ----a-w- c:\windows\system32\win32k.sys
2011-07-16 13:40 . 2011-04-20 16:03 451072 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 13:40 . 2011-04-20 15:58 85504 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-09 18:34 . 2011-07-09 18:33 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-09 18:33 . 2011-07-09 18:33 -------- d-----w- c:\program files\Java
2011-07-09 01:40 . 2011-07-09 01:40 -------- d-----w- C:\_OTM
2011-07-09 01:38 . 2011-06-07 17:10 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBE8C931-D29C-4665-9874-8AC4F1B36CF3}\mpengine.dll
2011-07-05 07:23 . 2011-07-05 07:23 -------- d-----w- c:\program files (x86)\ESET
2011-07-04 19:59 . 2011-07-04 20:13 -------- d-----w- c:\programdata\PrevxCSI
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\users\user\AppData\Roaming\SUPERAntiSpyware.com
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\programdata\!SASCORE
2011-07-04 01:14 . 2011-07-04 01:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-07-03 20:38 . 2011-07-03 20:38 -------- d-----w- c:\programdata\PC Tools
2011-07-03 20:29 . 2011-07-03 20:29 -------- d-----w- c:\users\Public\Beck's Stories
2011-06-28 23:34 . 2011-04-29 16:15 344576 ----a-w- c:\windows\system32\schannel.dll
2011-06-28 23:34 . 2011-04-29 15:59 276992 ----a-w- c:\windows\SysWow64\schannel.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-04 11:43 . 2011-03-22 01:30 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-29 16:11 . 2010-03-04 23:53 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2010-03-04 23:53 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-28 06:28 . 2011-06-15 01:29 1147904 ----a-w- c:\windows\system32\wininet.dll
2011-05-28 06:24 . 2011-06-15 01:29 56832 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-28 06:23 . 2011-06-15 01:29 1538560 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-28 06:23 . 2011-06-15 01:29 132096 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-28 06:23 . 2011-06-15 01:29 77312 ----a-w- c:\windows\system32\iesetup.dll
2011-05-28 06:08 . 2011-06-15 01:29 916480 ----a-w- c:\windows\SysWow64\wininet.dll
2011-05-28 06:04 . 2011-06-15 01:29 43520 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-05-28 06:04 . 2011-06-15 01:29 1469440 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-05-28 06:04 . 2011-06-15 01:29 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-05-28 06:04 . 2011-06-15 01:29 71680 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-05-28 05:33 . 2011-06-15 01:29 479232 ----a-w- c:\windows\system32\html.iec
2011-05-28 05:10 . 2011-06-15 01:29 385024 ----a-w- c:\windows\SysWow64\html.iec
2011-05-28 04:53 . 2011-06-15 01:29 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-28 04:52 . 2011-06-15 01:29 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-28 04:33 . 2011-06-15 01:29 133632 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-05-28 04:31 . 2011-06-15 01:29 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-05-25 02:14 . 2009-10-02 22:20 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-05-02 17:16 . 2011-06-15 01:29 739328 ----a-w- c:\windows\SysWow64\inetcomm.dll
2011-05-02 17:13 . 2011-06-15 01:29 975360 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 13:41 . 2011-06-15 01:30 176128 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-29 13:40 . 2011-06-15 01:30 145920 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-29 13:39 . 2011-06-15 01:30 275456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-29 13:39 . 2011-06-15 01:30 135680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 13:39 . 2011-06-15 01:30 107008 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-21 14:20 . 2011-06-15 01:30 405504 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-05_06.51.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 03:20 . 2011-07-10 19:35 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2011-07-05 06:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2011-07-05 06:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-10 19:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-07-19 01:42 78104 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-25 23:28 . 2011-07-19 01:42 17742 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3060227821-3039954082-2317688156-1000_UserData.bin
+ 2011-07-16 13:40 . 2009-06-17 10:37 35328 c:\windows\system32\DriverStore\FileRepository\bth.inf_204106c4\BTHUSB.SYS
+ 2009-09-11 00:12 . 2009-04-11 05:39 26112 c:\windows\system32\DriverStore\FileRepository\bth.inf_204106c4\bthenum.sys
+ 2008-06-25 23:26 . 2011-07-18 13:15 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-25 23:26 . 2011-07-05 06:06 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-06-25 23:26 . 2011-07-05 06:06 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-07-12 12:41 . 2011-07-18 13:15 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-25 23:26 . 2011-07-05 06:06 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-25 23:26 . 2011-07-18 13:15 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-06-04 00:34 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-06-04 00:34 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-07-03 20:11 . 2011-07-19 00:39 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2011-07-03 20:11 . 2011-07-03 20:11 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2011-07-03 20:11 . 2011-07-19 00:39 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
- 2011-07-03 20:11 . 2011-07-03 20:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
- 2011-07-03 20:11 . 2011-07-03 20:11 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2011-07-03 20:11 . 2011-07-19 00:39 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2009-06-04 00:34 . 2011-07-19 01:40 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-04 00:34 . 2011-07-05 06:49 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-04 00:34 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-04 00:34 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-05 19:17 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-05 19:17 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-05 19:17 . 2011-07-05 06:49 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-05 19:17 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-26 00:18 . 2011-07-17 13:53 35088 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-06-26 00:18 . 2011-06-15 12:39 35088 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-06-26 00:18 . 2011-07-17 13:53 18704 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-06-26 00:18 . 2011-06-15 12:39 18704 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-06-26 00:18 . 2011-07-17 13:53 20240 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-06-26 00:18 . 2011-06-15 12:39 20240 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\cagicon.exe
+ 2006-11-02 12:40 . 2011-07-17 14:27 86016 c:\windows\inf\infstor.dat
- 2006-11-02 12:40 . 2011-04-28 23:04 86016 c:\windows\inf\infstor.dat
- 2006-11-02 12:40 . 2011-04-28 23:04 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 12:40 . 2011-07-17 14:27 51200 c:\windows\inf\infpub.dat
- 2011-07-05 06:49 . 2011-07-05 06:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-07-19 01:40 . 2011-07-19 01:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-07-05 06:49 . 2011-07-05 06:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-07-19 01:40 . 2011-07-19 01:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 15:45 . 2011-07-19 01:42 264720 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2011-07-09 18:34 . 2011-07-09 18:33 190752 c:\windows\system32\javaws.exe
+ 2011-07-09 18:34 . 2011-07-09 18:33 171808 c:\windows\system32\javaw.exe
+ 2011-07-09 18:34 . 2011-07-09 18:33 171808 c:\windows\system32\java.exe
+ 2006-11-02 15:21 . 2011-07-18 13:09 474544 c:\windows\system32\FNTCACHE.DAT
- 2006-11-02 15:21 . 2011-06-16 00:38 474544 c:\windows\system32\FNTCACHE.DAT
+ 2009-09-11 00:13 . 2009-04-11 07:10 204288 c:\windows\system32\DriverStore\FileRepository\bth.inf_204106c4\fsquirt.exe
+ 2011-07-16 13:40 . 2011-04-21 14:17 695296 c:\windows\system32\DriverStore\FileRepository\bth.inf_204106c4\bthport.sys
- 2010-08-12 17:40 . 2011-07-04 21:49 262144 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2010-08-12 17:40 . 2011-07-10 20:11 262144 c:\windows\system32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2011-07-09 18:33 . 2011-07-09 18:33 680960 c:\windows\Installer\4db25.msi
- 2008-06-26 00:18 . 2011-06-15 12:39 888080 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-06-26 00:18 . 2011-07-17 13:53 888080 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-06-26 00:18 . 2011-06-15 12:39 272648 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-06-26 00:18 . 2011-07-17 13:53 272648 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pubs.exe
- 2008-06-26 00:18 . 2011-06-15 12:39 922384 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-06-26 00:18 . 2011-07-17 13:53 922384 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-06-26 00:18 . 2011-07-17 13:53 845584 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe
- 2008-06-26 00:18 . 2011-06-15 12:39 845584 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-06-26 00:18 . 2011-07-17 13:53 217864 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\misc.exe
- 2008-06-26 00:18 . 2011-06-15 12:39 217864 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\misc.exe
- 2006-11-02 12:40 . 2011-04-28 23:04 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 12:40 . 2011-07-17 14:27 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 12:40 . 2009-09-11 00:37 665600 c:\windows\inf\drvindex.dat
+ 2006-11-02 12:40 . 2011-07-17 14:27 665600 c:\windows\inf\drvindex.dat
+ 2011-06-21 19:01 . 2011-06-21 19:01 4991488 c:\windows\Installer\475d1.msp
+ 2008-06-26 00:18 . 2011-07-17 13:53 1172240 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-06-26 00:18 . 2011-06-15 12:39 1172240 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-06-26 00:18 . 2011-07-17 13:53 1165584 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\accicons.exe
- 2008-06-26 00:18 . 2011-06-15 12:39 1165584 c:\windows\Installer\{91120000-0031-0000-0000-0000000FF1CE}\accicons.exe
+ 2006-11-02 12:33 . 2011-07-17 14:27 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
- 2006-11-02 12:33 . 2011-06-29 12:41 11010048 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2006-11-02 12:35 . 2011-07-17 13:53 50867144 c:\windows\system32\mrt.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-09 39408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-09-20 267760]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-09-20 218608]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2009-11-02 16392]
R3 WinRing0_1_1_1;WinRing0_1_1_1;c:\program files (x86)\RealTemp_2.60\WinRing0x64.sys [2008-01-28 13520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
S2 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-02-23 378984]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
.
2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-30 153624]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-30 225816]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-30 199704]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Sothink SWF Catcher - c:\program files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 192.168.0.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Veoh Browser Plug-in: videofinder@veoh.com - c:\program files (x86)\Veoh Networks\Veoh\Plugins\noreg\VideoFinder4
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\user\AppData\Roaming\Move Networks
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
.
**************************************************************************
.
Completion time: 2011-07-18 19:01:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-19 02:01
ComboFix2.txt 2011-07-10 21:07
ComboFix3.txt 2011-07-09 23:51
ComboFix4.txt 2011-07-04 19:41
.
Pre-Run: 107,742,191,616 bytes free
Post-Run: 107,689,209,856 bytes free
.
- - End Of File - - BE2292A6CA3063693CA0B694AB7F472E

Eset Scan:

C:\_OTM\MovedFiles\07082011_184016\C_Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE_v4.exe probably a variant of Win32/Agent.KSZVEEK trojan
C:\_OTM\MovedFiles\07082011_184016\C_Users\user\Desktop\Game Folders\BG2 Folder\BG NPC2\RE\Setup-RE.exe probably a variant of Win32/Agent.KSZVEEK trojan
 
For Safari: The selection can be changed in the Safari Preferences->General pane.

Please give me an update on how the system is running. Did you read the information link I left for IE8?
 
1. Yes, I did. Should I simply upgrade it to IE9 or see about uninstalling it completely?

2. It seems no one uses Safari, so I would like to uninstall that if I get the go ahead from you.

3. Whenever on any browser I use any type of redirecting link, for instance on Yahoo searches when you click on a link and it uses the Yahoo redirect, it then sends me to a different page than what I clicked on.

4. Every time I open up Firefox, it sends me to both my start up page and the Daemon search page. I would like it not to do the latter. Does not do it in IE.
 
1. Yes, I did. Should I simply upgrade it to IE9 or see about uninstalling it completely? Neither at this time.
2. It seems no one uses Safari, so I would like to uninstall that if I get the go ahead from you. Go ahead and uninstall.
3. Okay, thanks.
4. Resetting Firefox with script below:
==============================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
DDS::
uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
mURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - C:\Program Files (x86)\Winamp Toolbar\winamptb.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Extra::
File::
Firefox::
Firefox-: - Profile-c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
Firefox-: - prefs.js- Search.DefaultURL
Firefox-: - prefs.js- Homepage.DefaultURL
RegNull::
[HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
[HKEY_USERS\S-1-5-21-3060227821-3039954082-2317688156-1000\Software\SecuROM\License information*]
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
==========================================
If Daemon still shows in the FF home page: Tools > Options > Main section > set only the one homepage you want > click 'Use Current'. Be sure 'Use Bookmark' isn't checked.
 
ComboFix 11-08-08.02 - user 08/08/2011 14:42:55.5.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3582.2053 [GMT -7:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\DAEMON Tools Toolbar\DTToolbar.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-07-08 to 2011-08-08 )))))))))))))))))))))))))))))))
.
.
2012-06-09 00:45 . 2010-06-09 05:41 -------- d-----w- c:\programdata\Alwil Software
2011-08-08 22:14 . 2011-08-08 22:14 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-08-08 22:14 . 2011-08-08 22:14 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-08-08 22:14 . 2011-08-08 22:14 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2011-08-08 22:14 . 2011-08-08 22:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-19 00:48 . 2011-07-19 00:48 -------- d-----w- c:\users\user\AppData\Local\Apple
2011-07-16 13:40 . 2011-06-02 13:50 2764288 ----a-w- c:\windows\system32\win32k.sys
2011-07-16 13:40 . 2011-04-20 16:03 451072 ----a-w- c:\windows\system32\winsrv.dll
2011-07-16 13:40 . 2011-04-20 15:58 85504 ----a-w- c:\windows\system32\csrsrv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-09 18:33 . 2011-07-09 18:34 525544 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-04 11:43 . 2011-03-22 01:30 253888 ----a-w- c:\windows\system32\aswBoot.exe
2011-06-07 17:10 . 2011-07-09 01:38 8873296 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FBE8C931-D29C-4665-9874-8AC4F1B36CF3}\mpengine.dll
2011-05-29 16:11 . 2010-03-04 23:53 39984 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-05-29 16:11 . 2010-03-04 23:53 25912 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-28 06:28 . 2011-06-15 01:29 1147904 ----a-w- c:\windows\system32\wininet.dll
2011-05-28 06:24 . 2011-06-15 01:29 56832 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-28 06:23 . 2011-06-15 01:29 1538560 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-28 06:23 . 2011-06-15 01:29 132096 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-28 06:23 . 2011-06-15 01:29 77312 ----a-w- c:\windows\system32\iesetup.dll
2011-05-28 06:08 . 2011-06-15 01:29 916480 ----a-w- c:\windows\SysWow64\wininet.dll
2011-05-28 06:04 . 2011-06-15 01:29 43520 ----a-w- c:\windows\SysWow64\licmgr10.dll
2011-05-28 06:04 . 2011-06-15 01:29 1469440 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2011-05-28 06:04 . 2011-06-15 01:29 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll
2011-05-28 06:04 . 2011-06-15 01:29 71680 ----a-w- c:\windows\SysWow64\iesetup.dll
2011-05-28 05:33 . 2011-06-15 01:29 479232 ----a-w- c:\windows\system32\html.iec
2011-05-28 05:10 . 2011-06-15 01:29 385024 ----a-w- c:\windows\SysWow64\html.iec
2011-05-28 04:53 . 2011-06-15 01:29 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-28 04:52 . 2011-06-15 01:29 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-28 04:33 . 2011-06-15 01:29 133632 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2011-05-28 04:31 . 2011-06-15 01:29 1638912 ----a-w- c:\windows\SysWow64\mshtml.tlb
2011-05-25 02:14 . 2009-10-02 22:20 270720 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2011-07-19_01.42.46 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-21 03:20 . 2011-07-10 19:35 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 03:20 . 2011-07-20 13:10 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-07-20 13:10 . 2011-07-20 13:10 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2011-07-10 19:35 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2011-07-20 13:10 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 02:23 . 2011-08-08 21:15 78340 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-06-25 23:28 . 2011-08-08 21:15 17906 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3060227821-3039954082-2317688156-1000_UserData.bin
- 2008-06-25 23:26 . 2011-07-18 13:15 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-06-25 23:26 . 2011-08-08 12:29 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-07-12 12:41 . 2011-07-18 13:15 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-07-12 12:41 . 2011-08-08 12:29 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-06-25 23:26 . 2011-07-18 13:15 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-06-25 23:26 . 2011-08-08 12:29 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-04 00:34 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-04 00:34 . 2011-08-08 22:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-07-03 20:11 . 2011-08-08 21:13 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2011-07-03 20:11 . 2011-07-19 00:39 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2011-07-03 20:11 . 2011-08-08 21:13 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
- 2011-07-03 20:11 . 2011-07-19 00:39 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
- 2011-07-03 20:11 . 2011-07-19 00:39 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2011-07-03 20:11 . 2011-08-08 21:13 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2009-06-04 00:34 . 2011-08-08 22:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-04 00:34 . 2011-07-19 01:40 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-04 00:34 . 2011-08-08 22:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-04 00:34 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-05 19:17 . 2011-08-08 22:17 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-05 19:17 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-05 19:17 . 2011-07-19 01:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-05 19:17 . 2011-08-08 22:17 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-08-08 21:23 . 2011-08-08 21:23 22016 c:\windows\Installer\50382.msi
- 2011-07-19 01:40 . 2011-07-19 01:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-08-08 22:17 . 2011-08-08 22:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-08-08 22:17 . 2011-08-08 22:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-07-19 01:40 . 2011-07-19 01:40 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 15:45 . 2011-08-08 21:15 265168 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files (x86)\Yahoo!\Companion\Installs\cpn3\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-06-09 39408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate1ca075d9f4d654a;Google Update Service (gupdate1ca075d9f4d654a);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 133104]
R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe [2009-09-20 267760]
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe [2009-09-20 218608]
R3 TFsExDisk;TFsExDisk;c:\windows\System32\Drivers\TFsExDisk.sys [2009-11-02 16392]
R3 WinRing0_1_1_1;WinRing0_1_1_1;c:\program files (x86)\RealTemp_2.60\WinRing0x64.sys [2008-01-28 13520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
S2 Amazon Download Agent;Amazon Download Agent;c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2009-10-23 401920]
S2 MSSQL$BWDATOOLSET;SQL Server (BWDATOOLSET);c:\program files (x86)\Dragon Age\tools\toolssql\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-02-23 378984]
S3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\DRIVERS\l160x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
.
2011-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-18 04:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-30 153624]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-30 225816]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-30 199704]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 2185032]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-09-04 767312]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
IE: Sothink SWF Catcher - c:\program files (x86)\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
TCP: DhcpNameServer = 192.168.0.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Veoh Browser Plug-in: videofinder@veoh.com - c:\program files (x86)\Veoh Networks\Veoh\Plugins\noreg\VideoFinder4
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\user\AppData\Roaming\Move Networks
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10o.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
.
**************************************************************************
.
Completion time: 2011-08-08 15:44:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-08 22:43
ComboFix2.txt 2011-07-19 02:02
ComboFix3.txt 2011-07-10 21:07
ComboFix4.txt 2011-07-09 23:51
ComboFix5.txt 2011-08-08 21:26
.
Pre-Run: 107,811,287,040 bytes free
Post-Run: 109,924,392,960 bytes free
.
- - End Of File - - 83DBCF05ABC55FE217C4B83679517AEC

It is still redirecting whenever a redirect link is being used but not when you type in the URL.
 
Checking my list to make sure everything previously given has been done:
1. Disable Daemon?
2. Did you run Java Ra, the update to current v6u26, then empty Java cache?
3. These are file sharing programs. I recommend uninstalling them for the safety of the system: Torrent, LimeWire. The reasons:
  • Note: Even if you are using a "safe" P2P program, it is only the program that is safe.
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.
Please read the information on P2P Warning to help you better understand these dangers.
---------------------
4. Update Mozilla Firefox (3.6.15)>> at least v3.6.18 or upgrade to v4 or v5
5. Spybot - Search & Destroy TeaTimer off?:
  • Right click the TeaTimer icon in the system Tray
    MHoTT005.gif
  • Then click Exit Spybot-S&D Resident
  • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe)
------------------
6. Updates? Only Office No Windows updates?
7. "However, it will warn me of the attempt to redirect even though the computer is not in use" >> What warns you? Stopzilla?
8. Recommend you uninstall Stopzilla. I use the WOT Site Advisor, which rates sites as Green=okay, Amber=be careful and Red=major problems. The home site for Stopzilla rated RED in all 4 categories: Vendor Reliability, Trustworthiness, Child Safety, Privacy. If their home site fails all 4, you do not want the program on the system. Comments:
So-so performance protecting a clean system; allowed several rootkits and Trojan horses to install. Phishing protection is significantly less effective than what's built into IE and Firefox. Bottom Line>> STOPzilla has a cute name, but it costs more than the best standalone antispyware programs and does less. It offers some bonus features for Internet Explorer, but they're things that IE already does...and does better.
---------------------
9. 4 Registry entries for Yahoo Companion Assist, frequently bundled in a program you download. The entire package includes the Recuva/Piriform file recovery. These may have been prechecked on a download screen or may just have been bundled without your knowledge or permission. I can remove the registry entries with a script.
-------------------
10. Start page set to blank page?
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com
mLocal Page = c:\windows\SysWOW64\blank.htm
11. Firefox: Did you set the following:
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com

If you will address these please, we should be able to finish up.
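The items 9 to 11 above are the kind of entries a helper reads off a ComboFix log by eye: a Firefox homepage that chains a second URL with '|', a search engine that was never chosen, and URLSearchHooks/BHO/TB lines that point at bundled toolbars or at 'No File'. The following is an added example (not the helper's script and not part of ComboFix) that applies those same checks to log lines of that shape; the allowlist of expected hosts and engines, the toolbar path tokens and the sample lines are assumptions constructed for the example.

```python
"""Flag browser-hijack indicators in ComboFix/DDS-style log lines.

Added example, not part of the thread or of ComboFix. It parses the
'FF - prefs.js:' and 'uURLSearchHooks/mURLSearchHooks/BHO/TB:' lines that
ComboFix prints and reports the entries a helper would normally ask about.
"""
import re
from urllib.parse import urlparse

# Assumption for this example: the user only intends Yahoo as homepage and
# search provider, so any other host or engine is worth a question.
EXPECTED_HOSTS = {"www.yahoo.com", "search.yahoo.com"}
EXPECTED_ENGINES = {"Yahoo"}

# Path fragments typical of bundled toolbar DLLs (constructed list; extend
# it for your own triage).
TOOLBAR_PATH_TOKENS = ("toolbar", "companion")

FF_PREF = re.compile(r"^FF - prefs\.js: (?P<name>[\w.]+) - (?P<value>.*)$")
IE_HOOK = re.compile(r"^(?P<kind>[um]?URLSearchHooks|BHO|TB): (?P<rest>.*)$")


def defang_to_http(url: str) -> str:
    """ComboFix writes hxxp:// so URLs are not clickable; undo that for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def check_firefox_pref(name: str, value: str) -> list:
    """Return findings for one 'FF - prefs.js' name/value pair."""
    findings = []
    if name == "browser.startup.homepage":
        # Firefox opens every '|'-separated URL as a tab at startup.
        urls = [defang_to_http(u.strip()) for u in value.split("|") if u.strip()]
        if len(urls) > 1:
            findings.append(f"homepage opens {len(urls)} pages: {value}")
        for u in urls:
            host = urlparse(u).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings.append(f"homepage host not expected: {host}")
    elif name == "browser.search.selectedEngine":
        if value.strip() not in EXPECTED_ENGINES:
            findings.append(f"search engine not expected: {value.strip()}")
    return findings


def check_ie_hook(kind: str, rest: str) -> list:
    """rest looks like 'Name: {CLSID} - C:\\path\\file.dll' or '{CLSID} - No File'."""
    findings = []
    path = rest.rsplit(" - ", 1)[-1].strip()
    if path.lower() == "no file":
        findings.append(f"{kind} entry points at a missing file: {rest}")
    elif any(tok in path.lower() for tok in TOOLBAR_PATH_TOKENS):
        findings.append(f"{kind} entry is a bundled toolbar: {path}")
    return findings


def scan_log(lines) -> list:
    """Return (line_no, message) findings for the given ComboFix log lines."""
    findings = []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        m = FF_PREF.match(line)
        if m:
            findings.extend((no, msg) for msg in check_firefox_pref(m["name"], m["value"]))
            continue
        m = IE_HOOK.match(line)
        if m:
            findings.extend((no, msg) for msg in check_ie_hook(m["kind"], m["rest"]))
    return findings


# Constructed sample in the shape of the thread's log lines; the last entry
# is a made-up benign helper with a placeholder CLSID.
SAMPLE = [
    "FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=",
    "FF - prefs.js: browser.search.selectedEngine - DAEMON Search",
    "FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com",
    "uURLSearchHooks: Winamp Search Class: {57bca5fa-5dbb-45a2-b558-1755c3f6253b} - C:\\Program Files (x86)\\Winamp Toolbar\\winamptb.dll",
    "TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File",
    "BHO: Example Benign Helper: {11111111-2222-3333-4444-555555555555} - C:\\Program Files (x86)\\Example\\helper.dll",
]

if __name__ == "__main__":
    for no, msg in scan_log(SAMPLE):
        print(f"line {no}: {msg}")
```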
 
Checking my list to make sure everything previously given has been done:
1. Disable Daemon?
I couldn't find a way to disable it in firefox. I did discover that the reason the page was opening was because it was set to do that in my start up options.

2. Did you run Java Ra, the update to current v6u26, then empty Java cache?
Yes

3. These are file sharing programs. I recommend uninstalling them for the safety of the system: Torrent, LimeWire
Uninstalled.

4. Update Mozilla Firefox (3.6.15)>> at least v3.6.18 or upgrade to v4 or v5
Updated and now Firefox crashes whenever I start it up. Updated it, then uninstalled, then tried a fresh install and it still crashes.

5. Spybot - Search & Destroy TeaTimer off?
  • Right click the TeaTimer icon in the system tray
    [Image: MHoTT005.gif]
  • Then click Exit Spybot-S&D Resident
  • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy and double clicking on TeaTimer.exe)
It was already off.

6. Updates? Only Office No Windows updates?
Every time I try to run an update for the computer, it fails saying it couldn't download them.

7. "However, it will warn me of the attempt to redirect even though the computer is not in use" >> What warns you? Stopzilla?
It was Avast that for some reason is no longer installed on this computer.

8. Recommend you uninstall Stopzilla. I use the WOT Site Advisor, which rates sites as Green=okay, Amber=be careful and Red=major problems. The home site for Stopzilla is rated RED in all 4 categories: Vendor Reliability, Trustworthiness, Child Safety and Privacy. If their home site fails all 4, you do not want the program on the system.
Cannot find Stopzilla anywhere on this computer to remove it.

---------------------
9. 4 Registry entries for Yahoo Companion Assist, frequently bundled in a program you download. The entire package includes the Recuva/Piriform file recovery. These may have been prechecked on a download screen or may just have been bundled without your knowledge or permission. I can remove the registry entries with a script.
Alright.

10. Start page set to blank page?

11. Firefox: Did you set the following:
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://my.daemon-search.com/startpage|http://www.yahoo.com

If you will address these please, we should be able to finish up.

I am not certain what I am meant to do with the last two here. Thank you for your help.
 
#10/11: Did you set any browser homepage to open as a blank page?
Did you set DAEMON Search to be the selected Firefox search engine?
-------------------------------------
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\system32\winsrv.dll
FileLook::
c:\windows\system32\csrsrv.dll
Folder::
c:\windows\system32\config\systemprofile\AppData\Local\temp
c:\users\Public\AppData\Local\temp
c:\users\Mcx1\AppData\Local\temp
c:\users\Default\AppData\Local\temp
Extra::
File::
Firefox::
Firefox-: -Profile -c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\idpn5cct.default\
Firefox-:- prefs.js - Starup.HomepageURL
Firefox-: prefs.js- Search.DefaultURL
Firefox-: prefs.js- Browser.Search.SelectedEngine 
Registry::
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it in your next reply.
====================
Download Security Check by screen317 from one of these links:
Link1
Link 2
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
==================================================
I am concerned about the lack of security updates: Vista: Installed 3 years ago, 2008
Updates only for MS Office 2007
NET Framework
No SP
==============================================
I am also concerned by the lengthy pauses between posts. If the computer is being used during these times, it can mean that the previous logs and/or instructions are no longer appropriate. I have given you several scripts to run, so this may be the last, unless we start over. I found a new entry which is of concern.
============================================
Please update and run Malwarebytes again and leave a new log.

Logs to leave:
New Combofix
Security Check
Malwarebytes
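The two Firefox prefs.js entries the helper asks about in #10/11 (a replaced search engine and a "|"-separated homepage list with an extra site) are the typical footprint of a browser hijack. The script below is an added example, not part of the thread or of ComboFix: it parses a constructed prefs.js (the DAEMON Search engine name and homepage URL are taken from the log quoted above, everything else is made up) and reports any homepage or search engine that the user did not choose; the "expected" sets are assumptions for the example.

```python
import re

# Constructed sample prefs.js modelled on the two FF lines quoted in the thread;
# only the DAEMON Search engine and URL come from the log, the rest is filler.
SAMPLE_PREFS = r'''
# Mozilla User Preferences
user_pref("browser.search.selectedEngine", "DAEMON Search");
user_pref("browser.startup.homepage", "http://my.daemon-search.com/startpage|http://www.yahoo.com");
user_pref("browser.startup.page", 1);
user_pref("network.cookie.lifetimePolicy", 0);
'''

# What the user says they chose (assumption for this example); anything else is reported.
EXPECTED_HOMEPAGE_HOSTS = {"www.yahoo.com"}
EXPECTED_SEARCH_ENGINES = {"Yahoo", "Google", "Bing"}

_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js file."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref()
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs


def _host(url):
    """Strip the scheme and path so only the host is compared."""
    return re.sub(r'^[a-z]+://', '', url).split('/')[0].lower()


def audit_prefs(prefs):
    """Return (pref, value) pairs whose value the user did not choose."""
    findings = []
    # Firefox stores several homepages in one pref, separated by '|'.
    for url in prefs.get("browser.startup.homepage", "").split("|"):
        if url and _host(url) not in EXPECTED_HOMEPAGE_HOSTS:
            findings.append(("browser.startup.homepage", url))
    engine = prefs.get("browser.search.selectedEngine")
    if engine and engine not in EXPECTED_SEARCH_ENGINES:
        findings.append(("browser.search.selectedEngine", engine))
    return findings


if __name__ == "__main__":
    for pref, value in audit_prefs(parse_prefs(SAMPLE_PREFS)):
        print(f"unexpected {pref}: {value}")
```

Point it at a real profile by reading `prefs.js` from the Profiles folder shown in the CFScript instead of SAMPLE_PREFS; anything it reports is a setting to reset after the cleanup, not proof of infection on its own.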
 