Please help: Search results redirected by malware

Hello all,

My Firefox 9.0.01 search results are being redirected through webplains, then click to get answers, and finally a page filled with advertisements such as click sour. This happens in Google, Yahoo, and Bing.

Internet Explorer appears to be working fine. I am running Windows Vista, which came with McAfee antivirus software. McAfee can't locate the infection. Per your instructions, here are my first two logs.

Malwarebytes AntiMalware log

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.27.04

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Charles McGehee :: CHARLESMCGEH-PC [administrator]

Protection: Disabled

1/27/2012 12:07:57 PM
mbam-log-2012-01-27 (12-07-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216735
Time elapsed: 11 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Here is my GMER log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-27 12:57:28
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320320AS rev.DE05
Running: 1khzznhi.exe; Driver: C:\Users\CHARLE~1\AppData\Local\Temp\kwrcrkod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x83043498]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x830434C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x830434AE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x83043484]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

DDS LOGS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Charles McGehee at 13:08:20 on 2012-01-27
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3030.1966 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: STOPzilla Anti-Spyware *Enabled/Updated* {B2E69928-50DC-94CA-6A80-AAB054008761}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\STacSV.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\aestsrv.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Workspace\offSyncService.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\program files\common files\protexis\license service\psiservice_2.exe
C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Workspace\workspaceupdate.exe
C:\Program Files\Workspace\wben.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://google.com/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4081225
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:80
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://start.facemoods.com/?a=grupo&s={searchTerms}&f=4
uURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: CescrtHlpr Object: {64182481-4f71-486b-a045-b233bd0da8fc} - c:\program files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111220184827.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: AOL Messaging Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile: {d5233fcd-d258-4903-89b8-fb1568e7413d} - mscoree.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: AOL Messaging Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [AdobeBridge]
uRun: [Adobe Acrobat Synchronizer] "c:\program files\adobe\acrobat 10.0\acrobat\AdobeCollabSync.exe"
uRun: [Starfield Updater] "c:\program files\workspace\workspaceupdate.exe"
uRun: [wben] "c:\program files\workspace\wben.exe"
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Act.Outlook.Service] "c:\program files\act\act for windows\Act.Outlook.Service.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [facemoods] "c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\users\charle~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: Web-Based Email Tools - hxxp://email06.secureserver.net/Download.CAB
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D9E80164-02E5-4747-BB86-F87C6E450FDF} : DhcpNameServer = 192.168.15.1
TCP: Interfaces\{DDA19515-77C5-47EA-A9D8-0B1064CC34E2} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
mASetup: {9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg - c:\program files\sft\guardedid\gidi.exe /v
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\charles mcgehee\appdata\roaming\mozilla\firefox\profiles\iad8cnbd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20111231123641249&tb_oid=31-12-2011&tb_mrud=31-12-2011
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20111231123641249&tb_oid=31-12-2011&tb_mrud=31-12-2011&query=
FF - prefs.js: network.proxy.ftp_port - 90
FF - prefs.js: network.proxy.gopher_port - 90
FF - prefs.js: network.proxy.http_port - 90
FF - prefs.js: network.proxy.socks_port - 90
FF - prefs.js: network.proxy.ssl_port - 90
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\program files\photodex presenter\npPxPlay.dll
FF - plugin: c:\program files\screen sharing plug-in\npcnwplugin.dll
FF - plugin: c:\users\charles mcgehee\appdata\roaming\mozilla\plugins\npoff.dll
FF - plugin: c:\users\charles mcgehee\appdata\roaming\mozilla\plugins\npoff.dll
FF - plugin: c:\users\charles mcgehee\appdata\roaming\mozilla\plugins\npwbe.dll
FF - plugin: c:\users\charles mcgehee\appdata\roaming\mozilla\plugins\npwbe.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-14 464176]
R1 GIDv2;GIDv2;c:\windows\system32\drivers\gidv2.sys [2011-11-25 25232]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-8-14 64880]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-8-14 165680]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_f091b975\AEstSrv.exe [2008-12-25 73728]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
R2 File Backup;File Backup Service;c:\program files\workspace\offSyncService.exe [2011-9-20 1187600]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-27 652872]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-14 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-14 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-8-14 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-14 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-14 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-14 150856]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-14 57600]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-12-25 113664]
R3 itecir;ITECIR Infrared Receiver;c:\windows\system32\drivers\itecir.sys [2010-3-8 62496]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2008-12-25 203264]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-27 20464]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-14 180816]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-14 338176]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2009-3-6 133632]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2009-3-8 280096]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-14 59456]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-14 87656]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\comcastspywarescan\ComcastAntiSpyService.exe [2009-6-17 616408]
.
=============== Created Last 30 ================
.
2012-01-27 18:04:57 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-27 18:04:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-26 16:52:26 -------- d-----w- c:\program files\Muse
2012-01-21 05:40:30 -------- d-----w- c:\program files\RSS Submit
2012-01-13 01:21:29 278528 ----a-w- c:\windows\system32\schannel.dll
2012-01-13 01:21:16 440192 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-01-13 01:21:01 1259008 ----a-w- c:\windows\system32\lsasrv.dll
2012-01-13 01:20:53 377344 ----a-w- c:\windows\system32\winhttp.dll
2012-01-13 01:20:35 72704 ----a-w- c:\windows\system32\secur32.dll
2012-01-13 01:20:23 9728 ----a-w- c:\windows\system32\lsass.exe
2012-01-11 13:48:51 189952 ----a-w- c:\windows\system32\winmm.dll
2012-01-11 13:48:38 23552 ----a-w- c:\windows\system32\mciseq.dll
2012-01-11 13:48:10 1205064 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 13:47:54 66560 ----a-w- c:\windows\system32\packager.dll
2012-01-11 13:47:38 376320 ----a-w- c:\windows\system32\winsrv.dll
2012-01-11 13:47:29 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-01-11 13:47:07 1314816 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 13:46:54 497152 ----a-w- c:\windows\system32\qdvd.dll
2012-01-09 15:59:28 -------- d-----w- c:\program files\facemoods.com
2012-01-02 04:50:54 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-01-02 04:50:53 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-02 04:50:53 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-02 04:50:53 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2011-12-31 12:37:19 -------- d-----w- c:\programdata\AIM Toolbar
2011-12-31 12:37:19 -------- d-----w- c:\program files\AIM Toolbar
2011-12-31 12:37:10 -------- d-----w- c:\users\charles mcgehee\appdata\local\AIM
2011-12-31 12:37:09 -------- d-----w- c:\users\charles mcgehee\appdata\local\AOL
2011-12-31 12:36:46 -------- d-----w- c:\program files\common files\Software Update Utility
2011-12-31 12:36:27 -------- d-----w- c:\programdata\AIM
2011-12-31 12:36:13 -------- d-----w- c:\program files\AIM
2011-12-31 12:36:06 -------- d-----w- c:\program files\common files\AOL
2011-12-30 02:17:35 677136 ----a-w- c:\programdata\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
.
==================== Find3M ====================
.
2011-12-02 20:15:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37:27 2043904 ----a-w- c:\windows\system32\win32k.sys
2011-11-08 14:42:19 2048 ----a-w- c:\windows\system32\tzres.dll
2011-11-04 10:00:38 348160 ----a-w- c:\windows\system32\3ef99b402a2af762a8f33445e8ae1013.szcpf
2011-11-04 04:23:03 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-11-03 22:47:42 1798144 ----a-w- c:\windows\system32\jscript9.dll
2011-11-03 22:40:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-03 22:39:47 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-11-03 22:31:57 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 13:09:23.71 ===============


DDS Attach Log

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 12/25/2008 8:21:32 AM
System Uptime: 1/27/2012 10:47:45 AM (3 hours ago)
.
Motherboard: Dell Inc. | | 0P173H
Processor: Intel(R) Core(TM)2 Duo CPU T5800 @ 2.00GHz | U2E1 | 2000/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 288 GiB total, 94.306 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 4.222 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e97b-e325-11ce-bfc1-08002be10318}
Description: MagicISO SCSI Host Controller
Device ID: ROOT\SCSIADAPTER\0000
Manufacturer: MagicISO, Inc.
Name: MagicISO SCSI Host Controller
PNP Device ID: ROOT\SCSIADAPTER\0000
Service: mcdbus
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
1.3.0.1
7-Zip 9.20
ACT! by Sage 2008 (10.0)
Adobe Acrobat X Pro - English, Français, Deutsch
Adobe After Effects CS4
Adobe After Effects CS4 Presets
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe Anchor Service CS4
Adobe Audition CS5.5
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles AE CS4
Adobe Color Video Profiles CS CS4
Adobe Community Help
Adobe Content Viewer
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Dreamweaver CS5.5
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Fireworks CS5
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Flash Professional CS5.5
Adobe Fonts All
Adobe Illustrator CS5.1
Adobe InDesign CS5.5
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Additional Exporter
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe Media Player
Adobe MotionPicture Color Files CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Premiere Elements 7.0
Adobe Premiere Elements 7.0 Templates
Adobe Presenter 7
Adobe Reader 9.4.7
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Story
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe Visual Communicator 3
Adobe Widget Browser
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Advanced Audio FX Engine
AIM 7
AOL Messaging Toolbar
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Article Marketing Robot
Audacity 1.3.12 (Unicode)
Banctec Service Agreement
Bonjour
Browser Address Error Redirector
Camtasia Studio 7
CCleaner
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Click to Call with Skype
Connect
Copernic Agent Personal
Definition update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell-eBay
Dell DataSafe Online
Dell Dock
Dell Getting Started Guide
Dell Touchpad
Dell Video Chat (remove only)
Dell Webcam Central
Dell Wireless WLAN Card Utility
Download Updater (AOL LLC)
Dramatica Pro 4.0
Dramatica Pro Story Wizard
EDocs
Facemoods Toolbar
FileZilla Client 3.5.3
Final Draft
Free Audio Converter version 2.1
Free File Viewer 2011
Google AdWords Editor
GoToAssist 8.0.0.514
GoToMeeting 4.8.0.723
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
InstallIQ Updater
Integrated Webcam Driver (1.06.03.0309)
Intel(R) Graphics Media Accelerator Driver
ITECIR Driver
iTunes
Java(TM) 6 Update 7
jZip
Keyword Pad v1.0.112706
kuler
LAME v3.98.3 for Audacity
Live! Cam Avatar Creator
Magic Article Rewriter
Magic Article Submitter
Magic Tokens Database 2.0
MagicDisc 2.7.106
Malwarebytes Anti-Malware version 1.60.0.1800
McAfee SecurityCenter
MediaDirect
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Advertising Intelligence
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ACT7)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ Run Time Lib Setup
Microsoft Web Platform Installer 3.0
Microsoft XML Parser
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Microsoft_VC90_MFCLOC_x86
Mozilla Firefox 9.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Muse (code name)
Notepad++
PDF Settings CS4
PDF Settings CS5
Photodex Presenter
Photoshop Camera Raw
Pixel Bender Toolkit
Podcast Plug-in for RSS Submit v1.0
ProShow Producer
Proxy Goblin
QuickSet
QuickTime
Revo Uninstaller 1.93
Robin Good's RSSTop55 Plug-in for RSS Submit v1.2
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
RSS Submit RSS Submit SEO Expansion Pack v1.0
RSS Submit v3.0
S3 Ripper 1.3
Sales and Marketing Pro
Screen Sharing Plug-in
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553353) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
SENukeUpdate
Skype™ 5.5
SmartSound Quicktracks for Premiere Elements
Suite Shared Configuration CS4
Toolbar Cleaner 1.0
Traffic Travis 3.3.21
Tube Spy
TweetAttacks
TweetDeck
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft Excel 2010 (KB2553439) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553455) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553323) 32-Bit Edition
Update for Microsoft Outlook Social Connector (KB2583935)
Viewet
Visual Studio Tools for the Office system 3.0 Runtime
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258)
Windows Live ID Sign-in Assistant
Windows Media Player Firefox Plugin
Workspace Desktop
YouTube Downloader 3.4
.
==== Event Viewer Messages From Past Week ========
.
1/27/2012 10:52:29 AM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 00225F5D2ACC has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
1/27/2012 1:02:27 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 00225F5D2ACC has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
1/23/2012 1:28:48 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 00225F5D2ACC has been denied by the DHCP server 10.10.104.1 (The DHCP Server sent a DHCPNACK message).
1/22/2012 4:41:44 AM, Error: EventLog [6008] - The previous system shutdown at 4:38:48 AM on 1/22/2012 was unexpected.
1/21/2012 1:20:31 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the iPod Service service to connect.
1/21/2012 1:20:31 PM, Error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/21/2012 1:19:59 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
1/20/2012 10:18:41 AM, Error: EventLog [6008] - The previous system shutdown at 10:16:31 AM on 1/20/2012 was unexpected.
.
==== End Of File ===========================

Thank you for your time and consideration; your effort is greatly appreciated.

Sean J
 
Welcome to TechSpot! I'll be glad to help with the malware.

I see a couple of problems in the current logs. Please go ahead and do the following: There is a proxy set in Firefox- this might help that:

Reset your browser proxies
  • For Firefox:
    o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    o Click on the "Network" tab, and then on the "Settings" button.
    o Please make sure that the "No Proxy" option is selected.
  • For Internet Explorer:
    o Open Internet Explorer.
    o Click on "Tools" and then select "Internet Options".
    o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
    o Uncheck "Use a Proxy server for your LAN".
    o Click Ok to close the Local Area Network (LAN) Settings window.
    o Click Ok to close the Internet Options window.
=============================
There is also another problem that you can start working on: You installed Facemoods to put smiley faces on Facebook. It gave you a Facemoods Toolbar. This is not malware. It is called 'foistware.' It is installed without your knowledge or permission.

There are a lot of unhappy Facebook members dealing with this. Like all foistware, it's sometimes easier to prevent than remove!

Uninstall Program
1. Go to the Start> Control Panel> Uninstall a Program.
2. Search for Facemoods Toolbar in the list.
3. Select the program and click Uninstall up near the top of that window.
4. Once done, use Windows Explorer to access Computer> Local Drive> Programs> Find the Facemoods folder and do a right click> Delete.
5. Then reboot.

You may also need to do the following:

Remove Facemoods Toolbar in Internet Explorer:
1. Open Internet Explorer. Go to Tools → Manage Add-ons.
2. Select Toolbars and Extensions. Uninstall everything related to Facemoods from the list: Facemoods toolbar, facemoods.com, etc.
3. Select Facemoods Search and click Remove button to uninstall it (lower right corner of the window).
----------------------------------
Remove Facemoods Toolbar in Mozilla Firefox:
1. Open Firefox> Tools> Add-ons.
2. Select Extensions/Plugins> Highlight Facemoods> click Uninstall.
(Note: the entry may read fcmdSrch)
3. Go to Tools> Options> General tab and reset the startup homepage.
------------------------
There will be other entries. I will remove them with a script you will run through Combofix. I'll set that up after you run the program and I review the log.
=========================================
Then run Combofix:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan.
Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Expect these- they are normal:
1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job; this is normal.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install; just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=====================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=======================================
Please leave Combofix log and Eset scan log in next reply.
======================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.

If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
Threads are closed after 5 days if there is no reply.
 
I followed your instructions and removed facemods from my system

here are my combo fix log and Eset scan

Combo Fix Log


ComboFix 12-01-27.01 - Charles McGehee 01/27/2012 16:54:09.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3030.2016 [GMT -6:00]
Running from: C:\Users\Charles McGehee\Contacts\Desktop\Tips & Tricks\virus removal logs\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Outdated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Outdated* {3D54B793-665E-3129-9103-206115370C8A}
SP: STOPzilla Anti-Spyware *Enabled/Updated* {B2E69928-50DC-94CA-6A80-AAB054008761}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Search Toolbar
C:\Program Files\Search Toolbar\icon.ico
C:\Program Files\Search Toolbar\SearchToolbarUninstall.exe
C:\Users\Charles McGehee\AppData\Local\assembly\tmp
C:\Users\Charles McGehee\AppData\Roaming\DataSafeDotNet.exe
C:\Users\Charles McGehee\AppData\Roaming\EurekaLog
C:\Users\Charles McGehee\AppData\Roaming\EurekaLog\EurekaLog.ini
C:\Users\Charles McGehee\AppData\Roaming\Microsoft\Windows\Recent\Protect Videos & Other Files On Amazon - S3FlowShield offers true protection for your videos and other files stored on Amazon S3. Includes a custom Flash.url
C:\Users\Charles McGehee\g2mdlhlpx.exe
C:\Users\Charles McGehee\GoToAssistDownloadHelper.exe
C:\Windows\system32\~GLH000a.TMP
C:\Windows\system32\~GLH000b.TMP
C:\Windows\system32\drivers\etc\hosts.txt


((((((((((((((((((((((((( Files Created from 2011-12-27 to 2012-01-27 )))))))))))))))))))))))))))))))


2012-01-27 23:06:43 . 2012-01-27 23:06:43 -------- d-----w- C:\Windows\system32\config\systemprofile\AppData\Local\temp
2012-01-27 23:06:43 . 2012-01-27 23:06:43 -------- d-----w- C:\Users\RA Media Server\AppData\Local\temp
2012-01-27 23:06:43 . 2012-01-27 23:06:43 -------- d-----w- C:\Users\Default\AppData\Local\temp
2012-01-27 18:04:57 . 2011-12-10 21:24:06 20464 ----a-w- C:\Windows\system32\drivers\mbam.sys
2012-01-27 18:04:55 . 2012-01-27 18:05:28 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2012-01-26 16:52:26 . 2012-01-26 16:52:27 -------- d-----w- C:\Program Files\Muse
2012-01-21 05:40:30 . 2012-01-21 06:27:12 -------- d-----w- C:\Program Files\RSS Submit
2012-01-13 01:21:29 . 2011-11-16 16:23:05 278528 ----a-w- C:\Windows\system32\schannel.dll
2012-01-13 01:21:16 . 2011-11-17 06:48:37 440192 ----a-w- C:\Windows\system32\drivers\ksecdd.sys
2012-01-13 01:21:01 . 2011-11-16 16:21:57 1259008 ----a-w- C:\Windows\system32\lsasrv.dll
2012-01-13 01:20:53 . 2011-11-16 16:23:44 377344 ----a-w- C:\Windows\system32\winhttp.dll
2012-01-13 01:20:35 . 2011-11-16 16:23:08 72704 ----a-w- C:\Windows\system32\secur32.dll
2012-01-13 01:20:23 . 2011-11-16 14:12:25 9728 ----a-w- C:\Windows\system32\lsass.exe
2012-01-11 13:48:51 . 2011-10-14 16:03:25 189952 ----a-w- C:\Windows\system32\winmm.dll
2012-01-11 13:48:38 . 2011-10-14 16:00:23 23552 ----a-w- C:\Windows\system32\mciseq.dll
2012-01-11 13:48:10 . 2011-11-18 20:23:34 1205064 ----a-w- C:\Windows\system32\ntdll.dll
2012-01-11 13:47:54 . 2011-11-18 17:47:03 66560 ----a-w- C:\Windows\system32\packager.dll
2012-01-11 13:47:38 . 2011-11-25 15:59:48 376320 ----a-w- C:\Windows\system32\winsrv.dll
2012-01-11 13:47:29 . 2011-12-01 15:21:18 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2012-01-11 13:47:07 . 2011-10-25 15:58:55 1314816 ----a-w- C:\Windows\system32\quartz.dll
2012-01-11 13:46:54 . 2011-10-25 15:58:54 497152 ----a-w- C:\Windows\system32\qdvd.dll
2012-01-02 04:50:54 . 2012-01-02 04:50:54 43992 ----a-w- C:\Program Files\Mozilla Firefox\mozutils.dll
2012-01-02 04:50:53 . 2012-01-02 04:50:53 626688 ----a-w- C:\Program Files\Mozilla Firefox\msvcr80.dll
2012-01-02 04:50:53 . 2012-01-02 04:50:53 548864 ----a-w- C:\Program Files\Mozilla Firefox\msvcp80.dll
2012-01-02 04:50:53 . 2012-01-02 04:50:53 479232 ----a-w- C:\Program Files\Mozilla Firefox\msvcm80.dll
2011-12-31 12:37:20 . 2011-12-31 12:39:40 -------- d-----w- C:\Users\Charles McGehee\AppData\Roaming\acccore
2011-12-31 12:37:19 . 2011-12-31 12:37:35 -------- d-----w- C:\Program Files\AIM Toolbar
2011-12-31 12:37:19 . 2011-12-31 12:37:19 -------- d-----w- C:\ProgramData\AIM Toolbar
2011-12-31 12:37:10 . 2011-12-31 12:37:14 -------- d-----w- C:\Users\Charles McGehee\AppData\Local\AIM
2011-12-31 12:37:09 . 2011-12-31 12:37:09 -------- d-----w- C:\Users\Charles McGehee\AppData\Local\AOL
2011-12-31 12:36:46 . 2011-12-31 12:36:46 -------- d-----w- C:\Program Files\Common Files\Software Update Utility
2011-12-31 12:36:27 . 2011-12-31 12:36:27 -------- d-----w- C:\ProgramData\AIM
2011-12-31 12:36:13 . 2011-12-31 12:36:25 -------- d-----w- C:\Program Files\AIM
2011-12-31 12:36:06 . 2011-12-31 12:36:06 -------- d-----w- C:\Program Files\Common Files\AOL
2011-12-30 02:17:35 . 2011-12-30 02:17:35 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-12-02 20:15:45 . 2011-05-13 11:43:38 414368 ----a-w- C:\Windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37:27 . 2011-12-15 01:24:50 2043904 ----a-w- C:\Windows\system32\win32k.sys
2011-11-08 14:42:19 . 2011-12-15 01:24:34 2048 ----a-w- C:\Windows\system32\tzres.dll
2011-11-04 12:10:43 . 2011-11-04 12:10:43 388096 ----a-r- C:\Users\Charles McGehee\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-04 10:00:38 . 2011-11-04 10:00:38 348160 ----a-w- C:\Windows\system32\3ef99b402a2af762a8f33445e8ae1013.szcpf
2011-11-04 04:23:03 . 2008-12-25 20:51:44 348160 ----a-w- C:\Windows\system32\msvcr71.dll
2011-11-03 22:47:42 . 2011-12-15 09:05:59 1798144 ----a-w- C:\Windows\system32\jscript9.dll
2011-11-03 22:40:21 . 2011-12-15 09:05:56 1427456 ----a-w- C:\Windows\system32\inetcpl.cpl
2011-11-03 22:39:47 . 2011-12-15 09:06:00 1127424 ----a-w- C:\Windows\system32\wininet.dll
2011-11-03 22:31:57 . 2011-12-15 09:06:01 2382848 ----a-w- C:\Windows\system32\mshtml.tlb
2012-01-02 04:50:53 . 2011-11-06 12:21:05 121816 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-21 02:25:11 125952]
"Adobe Acrobat Synchronizer"="C:\Program Files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2011-09-05 17:05:08 1240992]
"Starfield Updater"="C:\Program Files\Workspace\workspaceupdate.exe" [2011-11-21 23:25:13 34496]
"wben"="C:\Program Files\Workspace\wben.exe" [2011-12-21 14:34:28 368368]
"Aim"="C:\Program Files\AIM\aim.exe" [2011-05-03 15:43:14 4321112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2008-07-17 12:00:18 196608]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2008-08-05 12:17:20 3563520]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2008-01-14 16:13:02 132392]
"Act.Outlook.Service"="C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe" [2008-02-22 00:39:50 9728]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 22:58:10 37296]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2010-11-29 22:38:18 421888]
"mcui_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2011-11-22 23:18:26 1318816]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-09-05 17:04:58 36760]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-09-05 17:04:58 2904984]
"AdobeAAMUpdater-1.0"="C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 22:42:18 499608]
"SwitchBoard"="C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 18:37:14 517096]
"AdobeCS5.5ServiceManager"="C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 12:08:56 1523360]
"BCSSync"="C:\Program Files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 19:54:26 91520]
"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 12:22:28 59240]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-10-09 23:06:40 421736]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2011-02-12 01:26:32 137752]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2011-02-12 01:26:26 171032]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2011-02-12 01:26:30 172568]
"AdobeCS4ServiceManager"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-06-08 12:52:50 611712]
"Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 23:50:18 460872]

C:\Users\Charles McGehee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - C:\Program Files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2008-7-9 1616976]

C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - C:\Program Files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-25 20:56:45 10536 ----a-w- C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

S2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\aestsrv.exe [2008-07-17 10:22:56 73728]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
2011-07-05 16:26:04 435976 ----a-w- C:\Program Files\SFT\GuardedID\GIDI.exe

Contents of the 'Scheduled Tasks' folder

2012-01-27 C:\Windows\Tasks\Free File Viewer Update Checker.job
- C:\Program Files\FreeFileViewer\FFVCheckForUpdates.exe [2011-01-06 19:13:33 . 2011-02-05 21:50:30]


------- Supplementary Scan -------

uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:80
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
DPF: Web-Based Email Tools - hxxp://email06.secureserver.net/Download.CAB
FF - ProfilePath - C:\Users\Charles McGehee\AppData\Roaming\Mozilla\Firefox\Profiles\iad8cnbd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20111231123641249&tb_oid=31-12-2011&tb_mrud=31-12-2011
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20111231123641249&tb_oid=31-12-2011&tb_mrud=31-12-2011&query=
FF - prefs.js: network.proxy.ftp_port - 90
FF - prefs.js: network.proxy.gopher_port - 90
FF - prefs.js: network.proxy.http_port - 90
FF - prefs.js: network.proxy.socks_port - 90
FF - prefs.js: network.proxy.ssl_port - 90
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false

- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
SafeBoot-66937918.sys
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - C:\ProgramData\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}\bm_installer.exe


Eset Scan

C:\Users\Charles McGehee\Downloads\Chess+Wizard.exe MSIL/Solimba application

Thanks for your time and effort

Sean

P.S. Should I uninstall Malwarebytes Anti-Malware, GMER, and DDS from my system now?
 
Sorry bout that! I was helping 2 members who both came up with Facemods and the user names are very close. I have it straight now.
----------------------------------
For the Eset entry: Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files 
    C:\Users\Charles McGehee\Downloads\Chess+Wizard.exe 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
Be sure to check all download screens for any pre-checked toolbars or BHOs; if found, remove the check before the download.

Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system. (You have Java v6u7. The current version is v6u30. That is a vulnerability to the system.)
===================================
Firefox Keyword Reset:

  • [1]. Open FireFox and instead of a url, type about:config in the Address Bar.
    [2]. Firefox will give you a warning, but go in anyway.
    [3]. Locate the keyword.url line. It should look like the image below.
    [Image: bing-zugo-firefox.gif]

    [4]. Right click on keyword.url, then select Reset
--------------
I am resetting the homepage and search page in Firefox to the defaults. The redirect is mainly coming from a setting in it.
==================================
Please go on to the next reply.
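The Firefox settings involved in the steps above (keyword.URL, the default search URL, the homepage and the network.proxy.* values that the ComboFix log lists from prefs.js) can also be checked offline against a copy of the profile's prefs.js. This is an added example, not part of the original posts and not code from ComboFix or Mozilla; the sample prefs.js text is constructed from values shown in the log, and EXPECTED_SEARCH_HOSTS and the function names are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# One prefs.js entry has the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Prefs that decide where address-bar searches, the search box and startup go.
SEARCH_PREFS = ("keyword.URL", "browser.search.defaulturl", "browser.startup.homepage")

# Assumption: the hosts this user expects to search with. Adjust as needed.
EXPECTED_SEARCH_HOSTS = {"google.com", "www.google.com"}

# network.proxy.type values that route traffic through a proxy.
ACTIVE_PROXY_TYPES = {1: "manual proxy", 2: "proxy auto-config URL"}

# Constructed sample, shortened from the prefs.js values in the ComboFix log.
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.search.defaulturl", "http://aim.search.aol.com/aol/search?query={searchTerms}");
user_pref("browser.startup.homepage", "http://google.com");
user_pref("keyword.URL", "http://slirsredirect.search.aol.com/redirector/sredir?query=");
user_pref("network.proxy.http_port", 90);
user_pref("network.proxy.ssl_port", 90);
user_pref("network.proxy.type", 0);
'''


def parse_prefs(text):
    """Return {pref name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if not match:
            continue  # comments and anything that is not a user_pref line
        name, raw = match.groups()
        try:
            # Pref values are strings, integers or true/false, all valid JSON.
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep unparsable values verbatim for review
    return prefs


def audit(prefs):
    """Return (pref, reason) pairs for search and proxy settings worth reviewing."""
    findings = []
    for name in SEARCH_PREFS:
        value = prefs.get(name)
        if isinstance(value, str) and value:
            host = (urlparse(value).hostname or "").lower()
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append((name, "unexpected host: " + (host or value)))

    proxy_type = prefs.get("network.proxy.type")
    if proxy_type in ACTIVE_PROXY_TYPES:
        findings.append(("network.proxy.type", ACTIVE_PROXY_TYPES[proxy_type] + " is active"))
    elif proxy_type == 0:
        # Proxy is off, but leftover port entries show one was configured earlier.
        leftovers = sorted(
            key for key in prefs
            if key.startswith("network.proxy.") and key.endswith("_port")
        )
        if leftovers:
            findings.append(
                ("network.proxy.type", "proxy off, stale settings remain: " + ", ".join(leftovers))
            )
    return findings


if __name__ == "__main__":
    for pref, reason in audit(parse_prefs(SAMPLE_PREFS_JS)):
        print(pref + ": " + reason)
```

Run it against a copy of prefs.js taken while Firefox is closed, since Firefox rewrites the file on exit.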
 
Please be sure to disable all of these before running the script. They are all enabled and should have been disabled to run Combofix:
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Outdated
FW: McAfee Firewall *Enabled*
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Outdated*
SP: STOPzilla Anti-Spyware *Enabled/
------------------------------
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
C:\Windows\system32\3ef99b402a2af762a8f33445e8ae1013.szcpf
Folder::
C:\Windows\system32\config\systemprofile\AppData\Local\temp
C:\Users\RA Media Server\AppData\Local\temp
C:\Users\Default\AppData\Local\temp
C:\Program Files\AIM Toolbar
C:\ProgramData\AIM Toolbar
C:\Users\Charles McGehee\AppData\Local\AIM
C:\ProgramData\AIM
C:\Program Files\AIM
Extra::
File:: 
Firefox:: 
Firefox-: - Profile - C:\Users\Charles McGehee\AppData\Roaming\Mozilla\Firefox\Profiles\iad8cnbd.default\
Firefox-: prefs.js -Search.DefaultURL
Firefox-: prefs:js - Startup.Homepage
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:80
mSearchAssistant = hxxp://start.facemoods.com/?a=grupo&s={searchTerms}&f=4
uURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: CescrtHlpr Object: {64182481-4f71-486b-a045-b233bd0da8fc} - c:\program files\facemoods.com\facemoods\1.4.17.11\bh\facemoods.dll
BHO: AOL Messaging Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
TB: AOL Messaging Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: facemoods Toolbar: {db4e9724-f518-4dfd-9c7c-78b52103cab9} - c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll
mRun: [facemoods] "c:\program files\facemoods.com\facemoods\1.4.17.11\facemoodssrv.exe" /md I
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

Clearjavacache::
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
=========================================
Removed: AIM Toolbar Search Class aimtb.dll AIM Toolbar, a pre-checked Search changer
-----------------------------------------------
C:\Program Files\FreeFileViewer\FFVCheckForUpdates.exe: I did not put this in the script, but I strongly recommend that you stop the Scheduled Task and remove the program:
"Monitoring website changes with UpdatePatrol- Website updates are out of your control. You have no idea what changes could be being made to your favorite websites right now, and no way of finding out."
There is a high potential for getting adware, script, or having system conflicts when you go to access a 'changed' webpage. Basically it's checking all of your Favorites/Bookmarks for updates. This presents added internet traffic and use of your system resources.
======================================
Please uninstall the HijackThis you have now. Then set up as follows:
First, set up a Directory for HijackThis as follows:
Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
Exit Explorer
You now have a folder C:\HijackThis
-----------------------------------------
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
  • Extract it to the directory on your hard drive you created C:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
============================================
About Foxy Proxy: do you know how this works? Do you know how to set it? Do you need it?
===========================================
Logs in next reply: After running OTM, Combofix, HijackThis.
 
otm Moveit Log

All processes killed
========== FILES ==========
File/Folder C:\Users\Charles McGehee\Downloads\Chess+Wizard.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Charles McGehee
->Temp folder emptied: 112645418 bytes
->Temporary Internet Files folder emptied: 2498729 bytes
->Java cache emptied: 4799926 bytes
->FireFox cache emptied: 49534698 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 60334 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56543 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: RA Media Server
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: TEMP

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 37376 bytes
Windows Temp folder emptied: 57070 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 51198 bytes
RecycleBin emptied: 40427582 bytes

Total Files Cleaned = 200.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 01292012_213837

Files moved on Reboot...

Registry entries deleted on Reboot...

I uninstalled Java v6u7 and installed v6u30

I reset Firefox Keyword URL



I ran the custom CFScript; here is the new ComboFix txt log

ComboFix 12-01-27.01 - Charles McGehee 01/29/2012 22:28:31.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3030.2045 [GMT -6:00]
Running from: C:\Users\Charles McGehee\Contacts\Desktop\Tips & Tricks\virus removal logs\ComboFix.exe
Command switches used :: C:\Users\Charles McGehee\Contacts\Desktop\Tips & Tricks\virus removal logs\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"C:\Windows\system32\3ef99b402a2af762a8f33445e8ae1013.szcpf"


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\AIM Toolbar
C:\Program Files\AIM Toolbar\aimtb.dll
C:\Program Files\AIM Toolbar\aimtbServer.exe
C:\Program Files\AIM Toolbar\aimtbServerPS.dll
C:\Program Files\AIM Toolbar\install.log
C:\Program Files\AIM Toolbar\uninstall.exe
C:\Program Files\AIM Toolbar\xprt6.dll
C:\Program Files\AIM
C:\Program Files\AIM\acccore.dll
C:\Program Files\AIM\aim.bin
C:\Program Files\AIM\aim.exe
C:\Program Files\AIM\config.xml
C:\Program Files\AIM\content.aba
C:\Program Files\AIM\coolcore61.dll
C:\Program Files\AIM\defaults.xml
C:\Program Files\AIM\en-us.aba
C:\Program Files\AIM\install.log
C:\Program Files\AIM\isAim.dll
C:\Program Files\AIM\jga0tlk.dll
C:\Program Files\AIM\jga1tlk.dll
C:\Program Files\AIM\jgattlk.dll
C:\Program Files\AIM\jgedtlk.dll
C:\Program Files\AIM\jgs2tlk.dll
C:\Program Files\AIM\jgs3tlk.dll
C:\Program Files\AIM\jgs6tlk.dll
C:\Program Files\AIM\jgs7tlk.dll
C:\Program Files\AIM\jgsetlk.dll
C:\Program Files\AIM\jgtktlk.dll
C:\Program Files\AIM\Microsoft.VC90.CRT.manifest
C:\Program Files\AIM\migrator.exe
C:\Program Files\AIM\msvcp90.dll
C:\Program Files\AIM\msvcr90.dll
C:\Program Files\AIM\nspr4.dll
C:\Program Files\AIM\nss3.dll
C:\Program Files\AIM\nssckbi.dll
C:\Program Files\AIM\pb_videoconf.dll
C:\Program Files\AIM\plc4.dll
C:\Program Files\AIM\plds4.dll
C:\Program Files\AIM\post.ini
C:\Program Files\AIM\rbm.exe
C:\Program Files\AIM\services\imApp\aim_en-US.ico
C:\Program Files\AIM\services\imApp\ver7_5_11_9\html\Emoticals_bitmap.swf
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\AIMHelp.chm
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\buddyin.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\buddyout.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\cashregister.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\dooropen.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\doorslam.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\imrcv.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\imsend.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\IncomingCall.mp3
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\jumplist_bullet.ico
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\logoFolder.ico
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\moo.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\newalert.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\newmail.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\panelchange1.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\phone.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\PhoneRingInternal.mp3
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\ring.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\talkbeg.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\talkend.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\talkstop.wav
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\themes.xml
C:\Program Files\AIM\services\imApp\ver7_5_11_9\resources\en-US\tips.xml
C:\Program Files\AIM\sipXmediaLib.dll
C:\Program Files\AIM\sipXtapi.dll
C:\Program Files\AIM\smime3.dll
C:\Program Files\AIM\softokn3.dll
C:\Program Files\AIM\ssl3.dll
C:\Program Files\AIM\uninst.exe
C:\Program Files\AIM\xprt6.dll
C:\ProgramData\AIM Toolbar
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\aimtb.cfg
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\buttons\defaultButtons.xml
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\bullet.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\qap.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.css
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\rss\rss.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\00.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\01.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\02.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\03.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\04.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\05.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\06.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\07.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\08.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\09.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\about.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\addbuddybutton.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\addcustombutton.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\ani_media_icon.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blocker.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_0.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_1.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_down_2.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_0.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_1.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_normal_2.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_0.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_1.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\blue_input_over_2.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\branding.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buddy.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedowndisabled.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedowndown.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedownover.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_movedownup.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupdisabled.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupdown.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupover.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_moveupup.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextdown.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextover.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_nextup.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevdown.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevover.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\button_prevup.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttonManager.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttons.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\buttons_frame.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\clearprints.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\clearprints_confirm.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\custombutton.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\customize_icon.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\defaultsearch.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_0.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_1.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\disabled_input_2.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dot.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\dropcustombutton.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\firsttimepage.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\footprints.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\footprints_frame.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\general_icon.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_0.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_1.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_down_2.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_0.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_1.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_normal_2.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_0.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_1.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\green_input_over_2.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\latest.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\metrics.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\olderversion.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\options.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\options_frame.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_left.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_right.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_bottom_tile.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_left_tile.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_right_tile.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left_bot.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_left_large.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right_bot.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_right_large.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\pan_top_tile.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popup_icon.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popups_frame.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\popups_icon.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\preferences.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\preferences.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\privacy_icon.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\renamecustombutton.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\resettoolbar.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search.js
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search_frame.htm
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\search_icon.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabActive.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabNormal.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\SettingTabOver.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_bg.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_bottom.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_left.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\sidebar_top.gif
C:\ProgramData\AIM Toolbar\ieToolbar\resources\en-US\ui\stylesheet.css
C:\ProgramData\AIM
C:\ProgramData\AIM\Settings\migrator.xml
C:\Users\Charles McGehee\AppData\Local\AIM
C:\Users\Charles McGehee\AppData\Local\AIM\aimx.bin
C:\Users\Charles McGehee\AppData\Local\AIM\Settings\global.xml
C:\Users\Charles McGehee\AppData\Local\AIM\Settings\seanjmcgehee\settings.xml
C:\Users\Default\AppData\Local\temp
C:\Users\RA Media Server\AppData\Local\temp
C:\Windows\system32\config\systemprofile\AppData\Local\temp

---- Previous Run -------

C:\Program Files\Search Toolbar
C:\Program Files\Search Toolbar\icon.ico
C:\Program Files\Search Toolbar\SearchToolbarUninstall.exe
C:\Users\Charles McGehee\AppData\Local\assembly\tmp
C:\Users\Charles McGehee\AppData\Roaming\DataSafeDotNet.exe
C:\Users\Charles McGehee\AppData\Roaming\EurekaLog
C:\Users\Charles McGehee\AppData\Roaming\EurekaLog\EurekaLog.ini
C:\Users\Charles McGehee\AppData\Roaming\Microsoft\Windows\Recent\Protect Videos & Other Files On Amazon - S3FlowShield offers true protection for your videos and other files stored on Amazon S3. Includes a custom Flash.url
C:\Users\Charles McGehee\g2mdlhlpx.exe
C:\Users\Charles McGehee\GoToAssistDownloadHelper.exe
C:\Windows\system32\~GLH000a.TMP
C:\Windows\system32\~GLH000b.TMP
C:\Windows\system32\drivers\etc\hosts.txt


((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-30 )))))))))))))))))))))))))))))))


2012-01-30 04:16:19 . 2012-01-30 04:16:19 -------- d-----w- C:\Program Files\Common Files\Java
2012-01-30 04:15:55 . 2012-01-30 04:15:21 472808 ----a-w- C:\Windows\system32\deployJava1.dll
2012-01-30 03:38:37 . 2012-01-30 03:38:37 -------- d-----w- C:\_OTM
2012-01-29 18:44:46 . 2012-01-29 18:44:46 -------- d-----w- C:\Program Files\SpeedPPC
2012-01-29 18:44:44 . 2012-01-30 00:18:56 -------- d-----w- C:\Users\Charles McGehee\AppData\Roaming\SpeedPPC4
2012-01-29 16:13:42 . 2012-01-29 16:13:42 -------- d-----w- C:\ProgramData\FLEXnet
2012-01-29 15:27:09 . 2012-01-29 15:35:40 -------- d-----w- C:\Users\Charles McGehee\AdobeLicensingFilesBackup
2012-01-29 03:06:30 . 2012-01-29 03:17:51 -------- d-----w- C:\Program Files\1ClickDownload
2012-01-29 01:28:02 . 2012-01-29 01:28:02 3584 ----a-r- C:\Users\Charles McGehee\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2012-01-29 01:28:02 . 2012-01-29 01:28:02 -------- d-----w- C:\Program Files\Windows Installer Clean Up
2012-01-28 23:26:31 . 2012-01-29 05:04:58 -------- d-----w- C:\AdobeTemp
2012-01-28 22:46:18 . 2012-01-28 22:46:18 -------- d-----w- C:\MoTemp
2012-01-28 22:45:07 . 2012-01-28 22:45:07 -------- d-----w- C:\Users\Charles McGehee\AppData\Roaming\com.adobe.WidgetBrowser.E7BED6E5DDA59983786DD72EBFA46B1598278E07.1
2012-01-28 22:29:51 . 2012-01-28 22:29:51 -------- d-----w- C:\Users\Charles McGehee\AppData\Roaming\com.adobe.dmp.contentviewer
2012-01-28 17:58:57 . 2012-01-28 17:59:03 -------- d-----w- C:\Users\Charles McGehee\AppData\Local\Ilivid Player
2012-01-28 17:55:09 . 2012-01-28 19:51:59 -------- d-----w- C:\Program Files\iLivid
2012-01-28 00:15:49 . 2012-01-28 00:15:49 -------- d-----w- C:\Program Files\ESET
2012-01-27 18:04:57 . 2011-12-10 21:24:06 20464 ----a-w- C:\Windows\system32\drivers\mbam.sys
2012-01-27 18:04:55 . 2012-01-27 18:05:28 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2012-01-26 16:52:26 . 2012-01-26 16:52:27 -------- d-----w- C:\Program Files\Muse
2012-01-21 05:40:30 . 2012-01-21 06:27:12 -------- d-----w- C:\Program Files\RSS Submit
2012-01-13 01:21:29 . 2011-11-16 16:23:05 278528 ----a-w- C:\Windows\system32\schannel.dll
2012-01-13 01:21:16 . 2011-11-17 06:48:37 440192 ----a-w- C:\Windows\system32\drivers\ksecdd.sys
2012-01-13 01:21:01 . 2011-11-16 16:21:57 1259008 ----a-w- C:\Windows\system32\lsasrv.dll
2012-01-13 01:20:53 . 2011-11-16 16:23:44 377344 ----a-w- C:\Windows\system32\winhttp.dll
2012-01-13 01:20:35 . 2011-11-16 16:23:08 72704 ----a-w- C:\Windows\system32\secur32.dll
2012-01-13 01:20:23 . 2011-11-16 14:12:25 9728 ----a-w- C:\Windows\system32\lsass.exe
2012-01-11 13:48:51 . 2011-10-14 16:03:25 189952 ----a-w- C:\Windows\system32\winmm.dll
2012-01-11 13:48:38 . 2011-10-14 16:00:23 23552 ----a-w- C:\Windows\system32\mciseq.dll
2012-01-11 13:48:10 . 2011-11-18 20:23:34 1205064 ----a-w- C:\Windows\system32\ntdll.dll
2012-01-11 13:47:54 . 2011-11-18 17:47:03 66560 ----a-w- C:\Windows\system32\packager.dll
2012-01-11 13:47:38 . 2011-11-25 15:59:48 376320 ----a-w- C:\Windows\system32\winsrv.dll
2012-01-11 13:47:29 . 2011-12-01 15:21:18 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2012-01-11 13:47:07 . 2011-10-25 15:58:55 1314816 ----a-w- C:\Windows\system32\quartz.dll
2012-01-11 13:46:54 . 2011-10-25 15:58:54 497152 ----a-w- C:\Windows\system32\qdvd.dll
2012-01-02 04:50:54 . 2012-01-02 04:50:54 43992 ----a-w- C:\Program Files\Mozilla Firefox\mozutils.dll
2012-01-02 04:50:53 . 2012-01-02 04:50:53 626688 ----a-w- C:\Program Files\Mozilla Firefox\msvcr80.dll
2012-01-02 04:50:53 . 2012-01-02 04:50:53 548864 ----a-w- C:\Program Files\Mozilla Firefox\msvcp80.dll
2012-01-02 04:50:53 . 2012-01-02 04:50:53 479232 ----a-w- C:\Program Files\Mozilla Firefox\msvcm80.dll
2011-12-31 12:37:20 . 2011-12-31 12:39:40 -------- d-----w- C:\Users\Charles McGehee\AppData\Roaming\acccore
2011-12-31 12:37:09 . 2011-12-31 12:37:09 -------- d-----w- C:\Users\Charles McGehee\AppData\Local\AOL
2011-12-31 12:36:46 . 2011-12-31 12:36:46 -------- d-----w- C:\Program Files\Common Files\Software Update Utility
2011-12-31 12:36:06 . 2011-12-31 12:36:06 -------- d-----w- C:\Program Files\Common Files\AOL
.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-12-30 02:17:35 . 2011-12-30 02:17:35 677136 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-12-02 20:15:45 . 2011-05-13 11:43:38 414368 ----a-w- C:\Windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:37:27 . 2011-12-15 01:24:50 2043904 ----a-w- C:\Windows\system32\win32k.sys
2011-11-08 14:42:19 . 2011-12-15 01:24:34 2048 ----a-w- C:\Windows\system32\tzres.dll
2011-11-04 12:10:43 . 2011-11-04 12:10:43 388096 ----a-r- C:\Users\Charles McGehee\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-11-04 10:00:38 . 2011-11-04 10:00:38 348160 ----a-w- C:\Windows\system32\3ef99b402a2af762a8f33445e8ae1013.szcpf
2011-11-04 04:23:03 . 2008-12-25 20:51:44 348160 ----a-w- C:\Windows\system32\msvcr71.dll
2011-11-03 22:47:42 . 2011-12-15 09:05:59 1798144 ----a-w- C:\Windows\system32\jscript9.dll
2011-11-03 22:40:21 . 2011-12-15 09:05:56 1427456 ----a-w- C:\Windows\system32\inetcpl.cpl
2011-11-03 22:39:47 . 2011-12-15 09:06:00 1127424 ----a-w- C:\Windows\system32\wininet.dll
2011-11-03 22:31:57 . 2011-12-15 09:06:01 2382848 ----a-w- C:\Windows\system32\mshtml.tlb
2012-01-02 04:50:53 . 2011-11-06 12:21:05 121816 ----a-w- C:\Program Files\mozilla firefox\components\browsercomps.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-21 02:25:11 125952]
"AdobeBridge"="" [BU]
"Adobe Acrobat Synchronizer"="C:\Program Files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe" [2011-09-05 17:05:08 1240992]
"Starfield Updater"="C:\Program Files\Workspace\workspaceupdate.exe" [2011-11-21 23:25:13 34496]
"wben"="C:\Program Files\Workspace\wben.exe" [2011-12-21 14:34:28 368368]
"ogcsn"="C:\Program Files\Workspace\outsync.exe" [2012-01-20 20:45:52 702448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\DellTPad\Apoint.exe" [2008-07-17 12:00:18 196608]
"Broadcom Wireless Manager UI"="C:\Windows\system32\WLTRAY.exe" [2008-08-05 12:17:20 3563520]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2008-01-14 16:13:02 132392]
"Act.Outlook.Service"="C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe" [2008-02-22 00:39:50 9728]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 22:58:10 37296]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 07:37:53 843712]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2010-11-29 22:38:18 421888]
"mcui_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2011-11-22 23:18:26 1318816]
"Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-09-05 17:04:58 36760]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-09-05 17:04:58 2904984]
"AdobeAAMUpdater-1.0"="C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-03-15 22:42:18 499608]
"SwitchBoard"="C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 18:37:14 517096]
"AdobeCS5.5ServiceManager"="C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" [2011-01-12 12:08:56 1523360]
"BCSSync"="C:\Program Files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 19:54:26 91520]
"APSDaemon"="C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 12:22:28 59240]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2011-10-09 23:06:40 421736]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2011-02-12 01:26:32 137752]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2011-02-12 01:26:26 171032]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2011-02-12 01:26:30 172568]
"Malwarebytes' Anti-Malware"="C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 23:50:18 460872]
"AdobeCS4ServiceManager"="C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-06-08 12:52:50 611712]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 19:06:06 254696]

C:\Users\Charles McGehee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - C:\Program Files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2008-7-9 1616976]

C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - C:\Program Files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-25 20:56:45 10536 ----a-w- C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

S2 AESTFilters;Andrea ST Filters Service;C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\aestsrv.exe [2008-07-17 10:22:56 73728]


--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
2011-07-05 16:26:04 435976 ----a-w- C:\Program Files\SFT\GuardedID\GIDI.exe

Contents of the 'Scheduled Tasks' folder

2012-01-30 C:\Windows\Tasks\Free File Viewer Update Checker.job
- C:\Program Files\FreeFileViewer\FFVCheckForUpdates.exe [2011-01-06 19:13:33 . 2011-02-05 21:50:30]


------- Supplementary Scan -------

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
DPF: Web-Based Email Tools - hxxp://email06.secureserver.net/Download.CAB
FF - ProfilePath - C:\Users\Charles McGehee\AppData\Roaming\Mozilla\Firefox\Profiles\iad8cnbd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20111231123641249&tb_oid=31-12-2011&tb_mrud=31-12-2011
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20111231123641249&tb_oid=31-12-2011&tb_mrud=31-12-2011&query=
FF - prefs.js: network.proxy.ftp_port - 90
FF - prefs.js: network.proxy.gopher_port - 90
FF - prefs.js: network.proxy.http_port - 90
FF - prefs.js: network.proxy.socks_port - 90
FF - prefs.js: network.proxy.ssl_port - 90
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim - C:\Program Files\AIM\aim.exe
AddRemove-AIM Toolbar - C:\Program Files\AIM Toolbar\uninstall.exe
AddRemove-AIM_7 - C:\Program Files\AIM\uninst.exe


I uninstalled HijackThis and reinstalled it in a new folder located in the C directory



Hijack This Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:24:57 PM, on 1/29/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Workspace\workspaceupdate.exe
C:\Program Files\Workspace\wben.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Hijack This\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AOL Messaging Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll (file missing)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111220184827.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Act.Outlook.Service] "C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Adobe Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe"
O4 - HKCU\..\Run: [Starfield Updater] "C:\Program Files\Workspace\workspaceupdate.exe"
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [wben] "C:\Program Files\Workspace\wben.exe"
O4 - .DEFAULT User Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: Web-Based Email Tools - http://email06.secureserver.net/Download.CAB
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\mcsniepl.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: File Backup Service (File Backup) - Starfield Technologies - C:\Program Files\Workspace\offSyncService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\program files\common files\protexis\license service\psiservice_2.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 12741 bytes

Thank you for all of your expertise and patience. You're doing an awesome job and I really appreciate you.

Sean
 