Search redirect virus

aphonopelma · February 7, 2013

Some time in the last few weeks, one of the users on my computer acquired a search redirect virus. It appears to only be affecting that user account. When he searches on google, it gives what appear to be normal search results, but upon clicking the results, he's taken to alternate sites, usually after redirecting first to click.livesearchnow.com.

I ran this from the admin user, which hasn't seemed affected. Also probably important to know: in an (I hope) unrelated issue, I can't use usb devices during boot, which has prevented me from booting into safe mode (or, as I'd prefer, installing another operating system).

Thank you in advance for your time & effort.

dds:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer:

Run by Owner at 19:28:51 on 2013-02-06

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2214 [GMT -5:00]

.

AV: Microsoft Security Essentials *Enabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Enabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

c:\Program Files\Microsoft Security Client\MsMpEng.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe

C:\Windows\system32\svchost.exe -k imgsvc

c:\Program Files\Microsoft Security Client\NisSrv.exe

C:\Windows\System32\WUDFHost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Windows\system32\taskhost.exe

C:\Program Files\Microsoft Security Client\msseces.exe

C:\Program Files (x86)\Steam\Steam.exe

C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Program Files (x86)\Common Files\Steam\SteamService.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

mWinlogon: Userinit = userinit.exe

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

uRun: [steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent

mRun: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

mPolicies-Explorer: NoActiveDesktop = dword:1

mPolicies-Explorer: NoActiveDesktopChanges = dword:1

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

TCP: NameServer = 192.168.1.1

TCP: Interfaces\{5B4FB22D-0E6D-42F4-BAA8-77F2153CDF61} : DHCPNameServer = 192.168.42.129

TCP: Interfaces\{83E4DDDE-F100-4D78-B172-4D961B6A0733} : DHCPNameServer = 192.168.2.1

TCP: Interfaces\{C4D73EF4-69AE-4936-BA8F-960FCA7BEE5A} : DHCPNameServer = 192.168.1.1

TCP: Interfaces\{C4D73EF4-69AE-4936-BA8F-960FCA7BEE5A}\E4544574541425D25374 : DHCPNameServer = 192.168.1.1

SSODL: WebCheck - <orphaned>

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey

x64-Run: [Logitech Download Assistant] C:\Windows\System32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch

x64-SSODL: WebCheck - <orphaned>

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\dhwufmky.default\

FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll

FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\npmproxy.dll

FF - ExtSQL: 2012-12-29 10:39; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\dhwufmky.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

FF - ExtSQL: 2012-12-29 10:39; donottrackplus@abine.com; C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\dhwufmky.default\extensions\donottrackplus@abine.com

FF - ExtSQL: 2013-01-02 15:21; jid1-xUfzOsOFlzSOXg@jetpack; C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\dhwufmky.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi

.

============= SERVICES / DRIVERS ===============

.

R0 gfibto;gfibto;C:\Windows\System32\drivers\gfibto.sys [2013-1-29 14456]

R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2012-8-30 228768]

R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-1-29 398184]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-1-29 682344]

R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-8-30 128456]

R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-9-15 88576]

R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-1-29 24176]

R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2009-6-19 712704]

R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-9-12 368896]

R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2009-6-10 187392]

R3 VST64_DPV;VST64_DPV;C:\Windows\System32\drivers\VSTDPV6.SYS [2009-7-13 1485312]

R3 VST64HWBS2;VST64HWBS2;C:\Windows\System32\drivers\VSTBS26.SYS [2009-7-13 411136]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S3 DroidCam;DroidCam Virtual Audio;C:\Windows\System32\drivers\droidcam.sys [2013-1-6 25216]

S3 HTCAND64;HTC Device Driver;C:\Windows\System32\drivers\ANDROIDUSB.sys [2009-11-2 33736]

S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\System32\drivers\htcnprot.sys [2010-6-25 36928]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-11-18 1255736]

.

=============== Created Last 30 ================

.

2013-02-06 22:10:59 -------- d-----w- C:\Users\Owner\AppData\Local\CrashDumps

2013-02-06 21:36:09 -------- d-----w- C:\ProgramData\Sophos

2013-02-06 20:53:09 73728 ----a-r- C:\Users\Owner\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe

2013-02-06 20:53:08 73728 ----a-r- C:\Users\Owner\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe

2013-02-06 20:53:08 73728 ----a-r- C:\Users\Owner\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe

2013-02-06 20:52:58 -------- d-----w- C:\Program Files (x86)\Sophos

2013-02-06 15:07:27 -------- d-----w- C:\Users\Owner\AppData\Local\NPE

2013-02-06 15:07:27 -------- d-----w- C:\ProgramData\Norton

2013-02-05 20:14:24 9161176 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{EBA30B85-1CF2-4681-88AB-79C20D535897}\mpengine.dll

2013-02-04 20:14:10 9161176 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-01-30 04:51:56 -------- d-----w- C:\Users\Owner\AppData\Roaming\Malwarebytes

2013-01-30 04:51:48 -------- d-----w- C:\ProgramData\Malwarebytes

2013-01-30 04:51:46 24176 ----a-w- C:\Windows\System32\drivers\mbam.sys

2013-01-30 04:51:46 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2013-01-30 04:51:38 -------- d-----w- C:\Users\Owner\AppData\Local\Programs

2013-01-30 04:34:23 -------- d-----w- C:\ProgramData\Ad-Aware Antivirus

2013-01-30 03:23:20 -------- d-----w- C:\Program Files (x86)\Ad-Aware Antivirus

2013-01-30 03:22:58 14456 ----a-w- C:\Windows\System32\drivers\gfibto.sys

2013-01-30 03:22:39 -------- d-----w- C:\ProgramData\blekko toolbars

2013-01-30 03:22:30 -------- d-----w- C:\Program Files (x86)\adawaretb

2013-01-30 03:22:27 -------- d-----w- C:\Program Files (x86)\Toolbar Cleaner

2013-01-30 03:20:52 -------- d-----w- C:\Users\Owner\AppData\Roaming\LavasoftStatistics

2013-01-30 03:20:38 -------- d-----w- C:\Users\Owner\AppData\Roaming\Ad-Aware Antivirus

2013-01-29 05:29:30 -------- d-----w- C:\Users\Owner\AppData\Roaming\AccurateRip

2013-01-29 05:29:05 4022504 ----a-w- C:\Windows\SysWow64\SpoonUninstall.exe

2013-01-29 05:28:50 -------- d-----w- C:\Program Files (x86)\Illustrate

2013-01-29 05:28:06 -------- d-----w- C:\Program Files (x86)\sox-14-4-0

2013-01-24 18:47:20 -------- d-----w- C:\Users\Owner\AppData\Local\ElevatedDiagnostics

2013-01-24 18:34:25 741480 ------w- C:\Windows\System32\HPDiscoPM5C12.dll

2013-01-24 18:33:49 -------- d-----w- C:\Program Files (x86)\HP

2013-01-24 18:33:45 -------- d-----w- C:\Program Files\HP

2013-01-24 18:33:22 -------- d-----w- C:\Users\Owner\AppData\Local\HP

2013-01-22 23:22:44 -------- d-----w- C:\Users\Owner\AppData\Roaming\foobar2000

2013-01-22 23:22:34 -------- d-----w- C:\Program Files (x86)\foobar2000

2013-01-15 17:19:42 -------- d-----w- C:\Users\Owner\AppData\Local\Google

2013-01-09 20:04:17 859072 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll

2013-01-09 20:04:17 779704 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2013-01-09 18:15:15 751104 ----a-w- C:\Windows\System32\win32spl.dll

2013-01-09 18:15:15 492032 ----a-w- C:\Windows\SysWow64\win32spl.dll

2013-01-09 18:15:07 2001408 ----a-w- C:\Windows\System32\msxml6.dll

2013-01-09 18:15:06 1880064 ----a-w- C:\Windows\System32\msxml3.dll

2013-01-09 18:15:06 1388544 ----a-w- C:\Windows\SysWow64\msxml6.dll

2013-01-09 18:15:05 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll

2013-01-09 18:15:04 307200 ----a-w- C:\Windows\System32\ncrypt.dll

2013-01-09 18:15:04 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll

2013-01-09 18:15:02 801280 ----a-w- C:\Windows\System32\usp10.dll

2013-01-09 18:15:02 627712 ----a-w- C:\Windows\SysWow64\usp10.dll

.

==================== Find3M ====================

.

2013-01-30 10:53:22 273840 ------w- C:\Windows\System32\MpSigStub.exe

2013-01-08 23:26:29 74248 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2013-01-08 23:26:29 697864 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2013-01-06 20:47:02 25216 ----a-w- C:\Windows\System32\drivers\droidcam.sys

2012-12-16 16:52:02 46080 ----a-w- C:\Windows\System32\atmlib.dll

2012-12-16 14:40:45 367616 ----a-w- C:\Windows\System32\atmfd.dll

2012-12-16 14:25:27 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll

2012-12-16 14:25:19 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2012-12-07 05:41:16 441856 ----a-w- C:\Windows\System32\Wpc.dll

2012-12-07 05:35:34 2745856 ----a-w- C:\Windows\System32\gameux.dll

2012-12-07 05:04:20 308736 ----a-w- C:\Windows\SysWow64\Wpc.dll

2012-12-07 04:57:38 2576384 ----a-w- C:\Windows\SysWow64\gameux.dll

2012-12-07 03:21:08 45568 ----a-w- C:\Windows\SysWow64\oflc-nz.rs

2012-11-30 05:50:00 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-11-30 05:50:00 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-11-30 05:50:00 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-11-30 05:49:28 215040 ----a-w- C:\Windows\System32\winsrv.dll

2012-11-30 05:46:35 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2012-11-30 05:43:53 424960 ----a-w- C:\Windows\System32\KernelBase.dll

2012-11-30 05:06:50 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2012-11-30 05:06:49 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-11-30 03:33:03 338432 ----a-w- C:\Windows\System32\conhost.exe

2012-11-30 02:56:36 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2012-11-30 02:56:35 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2012-11-30 02:56:34 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2012-11-30 02:56:33 2048 ----a-w- C:\Windows\SysWow64\user.exe

2012-11-30 02:51:41 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-11-30 02:51:41 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-11-30 02:51:41 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-11-30 02:51:41 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

2012-11-28 21:44:00 135933721 ----a-w- C:\Apache_OpenOffice_incubating_3.4.1_Win_x86_install_en-US.exe

2012-11-23 03:45:35 3147264 ----a-w- C:\Windows\System32\win32k.sys

2012-11-14 19:52:35 0 ----a-w- C:\Windows\ativpsrm.bin

2012-11-14 06:11:44 2312704 ----a-w- C:\Windows\System32\jscript9.dll

2012-11-14 06:04:11 1392128 ----a-w- C:\Windows\System32\wininet.dll

2012-11-14 06:02:49 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl

2012-11-14 05:57:46 599040 ----a-w- C:\Windows\System32\vbscript.dll

2012-11-14 05:57:35 173056 ----a-w- C:\Windows\System32\ieUnatt.exe

2012-11-14 05:52:40 2382848 ----a-w- C:\Windows\System32\mshtml.tlb

2012-11-14 02:09:22 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll

2012-11-14 01:58:15 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl

2012-11-14 01:57:37 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-11-14 01:49:25 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-11-14 01:48:27 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-11-14 01:44:42 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-11-09 05:34:27 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-11-09 04:49:37 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

.

============= FINISH: 19:29:34.38 ===============

attach:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 11/14/2012 2:32:19 PM

System Uptime: 2/6/2013 7:22:02 PM (0 hours ago)

.

Motherboard: Dell Inc. | | 0F896N

Processor: AMD Athlon™ II X2 215 Processor | AM2 | 2700/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 596 GiB total, 490.159 GiB free.

D: is CDROM (UDF)

E: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e96c-e325-11ce-bfc1-08002be10318}

Description: DroidCam Virtual Audio

Device ID: ROOT\MEDIA\0000

Manufacturer: Dev47Apps

Name: DroidCam Virtual Audio

PNP Device ID: ROOT\MEDIA\0000

Service: DroidCam

.

==== System Restore Points ===================

.

RP39: 1/23/2013 8:36:30 PM - Windows Update

RP40: 1/27/2013 2:01:41 AM - Windows Update

RP41: 1/30/2013 3:14:40 PM - Windows Update

RP42: 2/3/2013 3:14:09 PM - Windows Update

RP43: 2/6/2013 10:12:25 AM - Norton_Power_Eraser_20130206101217778

RP44: 2/6/2013 3:32:24 PM - Windows Modules Installer

RP45: 2/6/2013 3:52:16 PM - Installed Sophos Virus Removal Tool.

RP46: 2/6/2013 5:27:24 PM - Removed Ad-Aware Antivirus.

RP47: 2/6/2013 5:28:16 PM - Removed Ad-Aware Antivirus.

.

==== Installed Programs ======================

.

µTorrent

7-Zip 9.20

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader XI

Cogs

Crayon Physics Deluxe

dBpoweramp DSP Effects

dBpoweramp Music Converter

Dungeon Defenders

Dungeons & Dragons Online ®: Eberron Unlimited ™ v01.17.01.801

foobar2000 v1.1.11

Google Chrome

Google Update Helper

HP Officejet 6700 Basic Device Software

HTC BMP USB Driver

HTC Driver Installer

HTC Sync

Machinarium

Malwarebytes Anti-Malware version 1.70.0.1100

Microsoft .NET Framework 1.1

Microsoft .NET Framework 4 Client Profile

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office Office 64-bit Components 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared 64-bit MUI (English) 2007

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Security Client

Microsoft Security Essentials

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2005 Redistributable (x64)

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

mIRC

Mozilla Firefox 18.0.1 (x86 en-US)

Mozilla Maintenance Service

MSXML 4.0 SP3 Parser

MSXML 4.0 SP3 Parser (KB2721691)

MSXML 4.0 SP3 Parser (KB2758694)

OpenOffice.org 3.4.1

PeerBlock 1.1 (r518)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)

Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition

Sophos Virus Removal Tool

Steam

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition

Update for Microsoft Office Access 2007 Help (KB963663)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office Infopath 2007 Help (KB963662)

Update for Microsoft Office OneNote 2007 Help (KB963670)

Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition

Update for Microsoft Office Outlook 2007 Help (KB963677)

Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2760586) 32-Bit Edition

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Publisher 2007 Help (KB963667)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

VLC media player 2.0.4

Xilisoft PDF to Word Converter

.

==== Event Viewer Messages From Past Week ========

.

2/6/2013 1:51:08 PM, Error: Microsoft-Windows-DriverFrameworks-UserMode [10101] - The driver package installation has failed. The final status was 0x45B.

.

==== End Of File ===========================

gringo_pr · February 7, 2013

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

Please do not run any tools unless instructed to do so.
- We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
[*]Please do not attach logs or use code boxes, just copy and paste the text.
- Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
[*]Please read every post completely before doing anything.
- Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
[*]Please provide feedback about your experience as we go.
- A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-

Download Security Check by screen317 from

here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

Please download

AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[s1].txt as well.

--RogueKiller--

Download & SAVE to your Desktop RogueKiller or from here
- Quit all programs that you may have started.
- Please disconnect any USB or external drives from the computer before you run this scan!
- For Vista or Windows 7, right-click and select "Run as Administrator to start"
- For Windows XP, double-click to start.
- Wait until Prescan has finished ...
- Then Click on "Scan" button
- Wait until the Status box shows "Scan Finished"
- click on "delete"
- Wait until the Status box shows "Deleting Finished"
- Click on "Report" and copy/paste the content of the Notepad into your next reply.
- The log should be found in RKreport[1].txt on your Desktop
- Exit/Close RogueKiller+

Gringo

aphonopelma · February 7, 2013

Hi Gringo,

Thanks for the quick reply. I've followed your instructions, and here's where I'm at:

- Chrome is functioning normally. Previously, it wasn't working it all - all pages came up blank. No redirect activity apparent.

- Firefox is still affected. The home page reads "The URL is not valid and cannot be loaded." Sporadic redirects - not reliably reproducible.

- IE: IE was the most profoundly affected of the three, and before coming here for help, I disabled it altogether, so I can't give you an update on its behavior.

Log files:

Results of screen317's Security Check version 0.99.57

Windows 7 x64 (UAC is enabled)

Out of date service pack!!

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Microsoft Security Essentials

Antivirus up to date!

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.70.0.1100

Adobe Flash Player 11.5.502.146

Adobe Reader XI

Mozilla Firefox (18.0.1)

Google Chrome 24.0.1312.56

Google Chrome 24.0.1312.57

````````Process Check: objlist.exe by Laurent````````

Microsoft Security Essentials MSMpEng.exe

Microsoft Security Essentials msseces.exe

Malwarebytes Anti-Malware mbamservice.exe

Malwarebytes Anti-Malware mbamgui.exe

Malwarebytes' Anti-Malware mbamscheduler.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1%

````````````````````End of Log``````````````````````

# AdwCleaner v2.111 - Logfile created 02/06/2013 at 23:29:26

# Updated 05/02/2013 by Xplode

# Operating system : Windows 7 Home Premium (64 bits)

# User : Owner - OWNER-PC

# Boot Mode : Normal

# Running from : C:\Users\Owner\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\adawaretb

Folder Deleted : C:\ProgramData\blekko toolbars

Folder Deleted : C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0bjnjcs0.default\adawaretb

Folder Deleted : C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\5xqw34qz.default\adawaretb

Folder Deleted : C:\Users\Owner\AppData\LocalLow\adawaretb

Folder Deleted : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\dhwufmky.default\adawaretb

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v18.0.1 (en-US)

File : C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\dhwufmky.default\prefs.js

[OK] File is clean.

File : C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\5xqw34qz.default\prefs.js

[OK] File is clean.

File : C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0bjnjcs0.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v24.0.1312.57

File : C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Chris\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [1701 octets] - [06/02/2013 23:29:26]

########## EOF - C:\AdwCleaner[s1].txt - [1761 octets] ##########

RogueKiller V8.4.4 [Feb 5 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version

Started in : Normal mode

User : Owner [Admin rights]

Mode : Remove -- Date : 02/06/2013 23:39:55

| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 14 ¤¤¤

[TASK][sUSP PATH] {0F04F0BD-231F-418F-B70D-24FE35DB2E18} : C:\Users\Chris\Desktop\Fallout\FALLOUTW.EXE -> DELETED

[TASK][sUSP PATH] {2D964CB9-8EA6-4B52-B1CF-B5E7A9DD02D3} : C:\Users\Chris\Desktop\Fallout\FALLOUTW.EXE -> DELETED

[TASK][sUSP PATH] {526F6BD3-665C-4AD2-A578-FB7737206B07} : C:\Users\Chris\Desktop\Fallout\FALLOUTW.EXE -> DELETED

[TASK][sUSP PATH] {60741C73-6BD2-4B2F-9BB2-B7301C560335} : C:\Users\Chris\Desktop\Fallout\FALLOUTW.EXE -> DELETED

[TASK][sUSP PATH] {9936B8F2-C6A8-46CE-9417-B6234FEAD8F0} : C:\Users\Chris\Desktop\Fallout\FALLOUTW.EXE -> DELETED

[TASK][sUSP PATH] {A56C12C3-37AE-4D3E-B3C2-2EF415961DDF} : C:\Users\Chris\Desktop\Fallout\FALLOUTW.EXE -> DELETED

[TASK][sUSP PATH] {BF1FBEF4-089D-4E11-B6B0-9AFFA8997C10} : C:\Users\Chris\Desktop\Fallout\FALLOUTW.EXE -> DELETED

[TASK][sUSP PATH] {E0EA38F5-51B1-4368-A241-2AEB4EAFBF44} : C:\Users\Chris\Desktop\Fallout\FALLOUTW.EXE -> DELETED

[TASK][sUSP PATH] {E8256A8F-3618-45A3-8496-60C3C82F191E} : C:\Users\Chris\Desktop\Fallout\FALLOUTW.EXE -> DELETED

[TASK][sUSP PATH] {E87309F2-CF43-4477-8620-F427F2E4AA43} : C:\Users\Chris\Desktop\Fallout\FALLOUTW.EXE -> DELETED

[TASK][sUSP PATH] {EC6AEEBC-73DA-4FD4-87D2-FF5B355BA9DC} : C:\Users\Chris\Desktop\Fallout\FALLOUTW.EXE -> DELETED

[TASK][sUSP PATH] {F54F63DE-D490-4C0D-8181-7646F1FF514B} : C:\Users\Chris\Desktop\Fallout\FALLOUTW.EXE -> DELETED

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD6400AAKS-75A7B2 ATA Device +++++

--- User ---

[MBR] 6df73f4d9a35de5c06ec8879aafe38e8

[bSP] 646c66b199b405905171364817bd3629 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 610478 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_D_02062013_02d2339.txt >>

RKreport[1]_S_02062013_02d2336.txt ; RKreport[2]_D_02062013_02d2339.txt

gringo_pr · February 7, 2013

Hello

Nice feedback and it helps very much

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following
Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

aphonopelma · February 7, 2013

Thanks! I've followed your instructions, and here's where I'm at now:

- Chrome is still functioning normally.

- I cannot get Firefox to redirect anything, even with enticing search queries like "buy ipod", but the homepage still reads "The URL is not valid and cannot be loaded" (Firefox settings say it should be loading the Mozilla home page). This started happening when the infection emerged.

- Still cannot check IE.

- When I logged into the "Chris" account, I got: "There was a problem starting C:\Users\Chris\AppData\Roaming\cttunei.dll The specified module could not be found" as well as one for cryptbaseo.dll. Dismissed both.

- I'm not sure whether this is relevant or just a curiosity, but I remembered a detail from last round: The redirect behavior changed. At first, I couldn't induce it. When I did, it was initially redirecting from a google search result link back to the google home page. A few links later, it was back to its old behavior, but via a new site (not click.livesearchnow). I couldn't read fast enough to catch exactly what it said, but it looked something like "thedailysatire".

Anyway, here's my log:

ComboFix 13-02-06.02 - Owner 02/07/2013 1:53.1.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2538 [GMT -5:00]

Running from: c:\users\Owner\Desktop\ComboFix.exe

AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\users\Chris\AppData\Roaming\cryptbaseo.dll

c:\users\Chris\AppData\Roaming\cttunei.dll

c:\windows\SysWow64\URTTemp

c:\windows\SysWow64\URTTemp\regtlib.exe

.

((((((((((((((((((((((((( Files Created from 2013-01-07 to 2013-02-07 )))))))))))))))))))))))))))))))

.

2013-02-07 06:57 . 2013-02-07 06:57 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-02-07 06:57 . 2013-02-07 06:57 -------- d-----w- c:\users\Chris\AppData\Local\temp

2013-02-07 06:57 . 2013-02-07 06:57 -------- d-----w- c:\users\Admin\AppData\Local\temp

2013-02-07 00:33 . 2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{BE87BF52-F170-4279-BE4B-3D6C41E624A1}\mpengine.dll

2013-02-06 22:10 . 2013-02-06 22:13 -------- d-----w- c:\users\Owner\AppData\Local\CrashDumps

2013-02-06 21:36 . 2013-02-06 21:36 -------- d-----w- c:\programdata\Sophos

2013-02-06 20:53 . 2013-02-06 20:53 73728 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe

2013-02-06 20:53 . 2013-02-06 20:53 73728 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe

2013-02-06 20:53 . 2013-02-06 20:53 73728 ----a-r- c:\users\Owner\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe

2013-02-06 20:52 . 2013-02-06 20:52 -------- d-----w- c:\program files (x86)\Sophos

2013-02-06 15:07 . 2013-02-06 15:15 -------- d-----w- c:\users\Owner\AppData\Local\NPE

2013-02-06 15:07 . 2013-02-06 15:07 -------- d-----w- c:\programdata\Norton

2013-02-05 20:14 . 2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2013-01-31 05:13 . 2013-01-31 05:13 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes

2013-01-31 04:27 . 2013-01-31 04:27 -------- d-----w- c:\users\Admin\AppData\Local\Microsoft Games

2013-01-31 00:15 . 2013-01-31 00:15 -------- d-----w- c:\users\Admin\AppData\Local\Google

2013-01-31 00:15 . 2013-01-31 09:54 -------- d-----w- c:\users\Admin\AppData\Roaming\Ad-Aware Antivirus

2013-01-31 00:15 . 2013-01-31 00:15 -------- d-----w- c:\users\Admin\AppData\Local\adawarebp

2013-01-30 05:09 . 2013-01-30 18:26 -------- d-----w- c:\users\Chris\AppData\Roaming\Ad-Aware Antivirus

2013-01-30 05:09 . 2013-01-30 05:09 -------- d-----w- c:\users\Chris\AppData\Local\adawarebp

2013-01-30 04:51 . 2013-01-30 04:51 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes

2013-01-30 04:51 . 2013-01-30 04:51 -------- d-----w- c:\programdata\Malwarebytes

2013-01-30 04:51 . 2013-01-30 04:51 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2013-01-30 04:51 . 2012-12-14 21:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-01-30 04:51 . 2013-01-30 04:51 -------- d-----w- c:\users\Owner\AppData\Local\Programs

2013-01-30 04:34 . 2013-01-30 04:34 -------- d-----w- c:\programdata\Ad-Aware Antivirus

2013-01-30 03:23 . 2013-01-30 03:23 -------- d-----w- c:\programdata\Lavasoft

2013-01-30 03:23 . 2013-02-06 22:32 -------- d-----w- c:\program files (x86)\Ad-Aware Antivirus

2013-01-30 03:22 . 2013-01-30 03:22 14456 ----a-w- c:\windows\system32\drivers\gfibto.sys

2013-01-30 03:22 . 2013-01-30 03:22 -------- d-----w- c:\program files (x86)\Toolbar Cleaner

2013-01-30 03:20 . 2013-02-06 22:29 -------- d-----w- c:\users\Owner\AppData\Roaming\LavasoftStatistics

2013-01-30 03:20 . 2013-01-30 10:26 -------- d-----w- c:\users\Owner\AppData\Roaming\Ad-Aware Antivirus

2013-01-29 05:29 . 2013-01-29 05:29 -------- d-----w- c:\users\Owner\AppData\Roaming\AccurateRip

2013-01-29 05:29 . 2013-01-29 05:29 4022504 ----a-w- c:\windows\SysWow64\SpoonUninstall.exe

2013-01-29 05:28 . 2013-01-29 05:28 -------- d-----w- c:\program files (x86)\Illustrate

2013-01-29 05:28 . 2013-01-29 05:28 -------- d-----w- c:\program files (x86)\sox-14-4-0

2013-01-25 23:51 . 2013-01-25 23:51 -------- d-----w- c:\users\Chris\AppData\Roaming\foobar2000

2013-01-24 18:47 . 2013-01-24 18:47 -------- d-----w- c:\users\Owner\AppData\Local\ElevatedDiagnostics

2013-01-24 18:34 . 2012-10-17 09:31 741480 ------w- c:\windows\system32\HPDiscoPM5C12.dll

2013-01-24 18:33 . 2013-01-24 18:33 -------- d-----w- c:\programdata\HP

2013-01-24 18:33 . 2013-01-24 18:33 -------- d-----w- c:\program files (x86)\HP

2013-01-24 18:33 . 2013-01-24 18:33 -------- d-----w- c:\program files\HP

2013-01-24 18:33 . 2013-01-24 18:33 -------- d-----w- c:\users\Owner\AppData\Local\HP

2013-01-22 23:22 . 2013-02-06 15:07 -------- d-----w- c:\users\Owner\AppData\Roaming\foobar2000

2013-01-22 23:22 . 2013-01-22 23:22 -------- d-----w- c:\program files (x86)\foobar2000

2013-01-16 05:59 . 2013-01-16 05:59 -------- d-----w- c:\users\Public\Darkest of Days

2013-01-16 05:59 . 2013-01-16 05:59 -------- d-----w- c:\users\Chris\AppData\Roaming\InstallShield Installation Information

2013-01-16 05:59 . 2013-01-16 05:59 -------- d-----w- c:\users\Chris\AppData\Roaming\InstallShield

2013-01-15 21:52 . 2013-01-26 20:27 -------- d-----w- c:\users\Chris\AppData\Local\Google

2013-01-15 17:19 . 2013-01-15 17:20 -------- d-----w- c:\program files (x86)\Google

2013-01-15 17:19 . 2013-01-15 17:20 -------- d-----w- c:\users\Owner\AppData\Local\Google

2013-01-09 21:34 . 2013-01-11 05:51 -------- d-----w- c:\users\Chris\AppData\Local\Mozilla Thunderbird

2013-01-09 20:04 . 2013-01-09 20:03 859072 ----a-w- c:\windows\SysWow64\npDeployJava1.dll

2013-01-09 20:04 . 2013-01-09 20:03 779704 ----a-w- c:\windows\SysWow64\deployJava1.dll

2013-01-09 18:15 . 2012-11-09 05:34 751104 ----a-w- c:\windows\system32\win32spl.dll

2013-01-09 18:15 . 2012-11-09 04:49 492032 ----a-w- c:\windows\SysWow64\win32spl.dll

2013-01-09 18:15 . 2012-11-02 05:30 2001408 ----a-w- c:\windows\system32\msxml6.dll

2013-01-09 18:15 . 2012-11-02 05:30 1880064 ----a-w- c:\windows\system32\msxml3.dll

2013-01-09 18:15 . 2012-11-02 04:50 1388544 ----a-w- c:\windows\SysWow64\msxml6.dll

2013-01-09 18:15 . 2012-11-02 04:50 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll

2013-01-09 18:15 . 2012-11-20 05:55 307200 ----a-w- c:\windows\system32\ncrypt.dll

2013-01-09 18:15 . 2012-11-20 05:10 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll

2013-01-09 18:15 . 2012-11-22 10:32 801280 ----a-w- c:\windows\system32\usp10.dll

2013-01-09 18:15 . 2012-11-22 09:33 627712 ----a-w- c:\windows\SysWow64\usp10.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2013-01-30 10:53 . 2012-11-14 19:59 273840 ------w- c:\windows\system32\MpSigStub.exe

2013-01-10 08:02 . 2012-11-14 20:15 67599240 ----a-w- c:\windows\system32\MRT.exe

2013-01-08 23:26 . 2012-11-15 18:34 74248 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2013-01-08 23:26 . 2012-11-15 18:34 697864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2013-01-06 20:47 . 2013-01-06 20:47 25216 ----a-w- c:\windows\system32\drivers\droidcam.sys

2012-12-16 16:52 . 2012-12-21 08:00 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-16 14:40 . 2012-12-21 08:00 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-16 14:25 . 2012-12-21 08:00 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-16 14:25 . 2012-12-21 08:00 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-11-30 04:56 . 2013-01-09 18:14 44032 ----a-w- c:\windows\apppatch\acwow64.dll

2012-11-28 21:44 . 2012-11-28 21:48 135933721 ----a-w- C:\Apache_OpenOffice_incubating_3.4.1_Win_x86_install_en-US.exe

2012-11-28 06:20 . 2012-11-28 06:20 972264 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{38CD94B8-90D1-4A5F-9F98-7D3EC90C0202}\gapaengine.dll

2012-11-18 04:44 . 2012-11-28 06:20 972192 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll

2012-11-14 20:25 . 2012-11-14 20:25 86528 ----a-w- c:\windows\SysWow64\iesysprep.dll

2012-11-14 20:25 . 2012-11-14 20:25 76800 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe

2012-11-14 20:25 . 2012-11-14 20:25 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll

2012-11-14 20:25 . 2012-11-14 20:25 161792 ----a-w- c:\windows\SysWow64\msls31.dll

2012-11-14 20:25 . 2012-11-14 20:25 110592 ----a-w- c:\windows\SysWow64\IEAdvpack.dll

2012-11-14 20:25 . 2012-11-14 20:25 74752 ----a-w- c:\windows\SysWow64\iesetup.dll

2012-11-14 20:25 . 2012-11-14 20:25 63488 ----a-w- c:\windows\SysWow64\tdc.ocx

2012-11-14 20:25 . 2012-11-14 20:25 367104 ----a-w- c:\windows\SysWow64\html.iec

2012-11-14 20:25 . 2012-11-14 20:25 23552 ----a-w- c:\windows\SysWow64\licmgr10.dll

2012-11-14 20:25 . 2012-11-14 20:25 152064 ----a-w- c:\windows\SysWow64\wextract.exe

2012-11-14 20:25 . 2012-11-14 20:25 150528 ----a-w- c:\windows\SysWow64\iexpress.exe

2012-11-14 20:25 . 2012-11-14 20:25 35840 ----a-w- c:\windows\SysWow64\imgutil.dll

2012-11-14 20:25 . 2012-11-14 20:25 222208 ----a-w- c:\windows\system32\msls31.dll

2012-11-14 20:25 . 2012-11-14 20:25 11776 ----a-w- c:\windows\SysWow64\mshta.exe

2012-11-14 20:25 . 2012-11-14 20:25 101888 ----a-w- c:\windows\SysWow64\admparse.dll

2012-11-14 20:25 . 2012-11-14 20:25 91648 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2012-11-14 20:25 . 2012-11-14 20:25 89088 ----a-w- c:\windows\system32\ie4uinit.exe

2012-11-14 20:25 . 2012-11-14 20:25 85504 ----a-w- c:\windows\system32\iesetup.dll

2012-11-14 20:25 . 2012-11-14 20:25 82432 ----a-w- c:\windows\system32\icardie.dll

2012-11-14 20:25 . 2012-11-14 20:25 76800 ----a-w- c:\windows\system32\tdc.ocx

2012-11-14 20:25 . 2012-11-14 20:25 65024 ----a-w- c:\windows\system32\pngfilt.dll

2012-11-14 20:25 . 2012-11-14 20:25 55296 ----a-w- c:\windows\system32\msfeedsbs.dll

2012-11-14 20:25 . 2012-11-14 20:25 534528 ----a-w- c:\windows\system32\ieapfltr.dll

2012-11-14 20:25 . 2012-11-14 20:25 49664 ----a-w- c:\windows\system32\imgutil.dll

2012-11-14 20:25 . 2012-11-14 20:25 48640 ----a-w- c:\windows\system32\mshtmler.dll

2012-11-14 20:25 . 2012-11-14 20:25 452608 ----a-w- c:\windows\system32\dxtmsft.dll

2012-11-14 20:25 . 2012-11-14 20:25 448512 ----a-w- c:\windows\system32\html.iec

2012-11-14 20:25 . 2012-11-14 20:25 403248 ----a-w- c:\windows\system32\iedkcs32.dll

2012-11-14 20:25 . 2012-11-14 20:25 39936 ----a-w- c:\windows\system32\iernonce.dll

2012-11-14 20:25 . 2012-11-14 20:25 3695416 ----a-w- c:\windows\system32\ieapfltr.dat

2012-11-14 20:25 . 2012-11-14 20:25 30720 ----a-w- c:\windows\system32\licmgr10.dll

2012-11-14 20:25 . 2012-11-14 20:25 282112 ----a-w- c:\windows\system32\dxtrans.dll

2012-11-14 20:25 . 2012-11-14 20:25 267776 ----a-w- c:\windows\system32\ieaksie.dll

2012-11-14 20:25 . 2012-11-14 20:25 249344 ----a-w- c:\windows\system32\webcheck.dll

2012-11-14 20:25 . 2012-11-14 20:25 197120 ----a-w- c:\windows\system32\msrating.dll

2012-11-14 20:25 . 2012-11-14 20:25 163840 ----a-w- c:\windows\system32\ieakui.dll

2012-11-14 20:25 . 2012-11-14 20:25 160256 ----a-w- c:\windows\system32\ieakeng.dll

2012-11-14 20:25 . 2012-11-14 20:25 149504 ----a-w- c:\windows\system32\occache.dll

2012-11-14 20:25 . 2012-11-14 20:25 145920 ----a-w- c:\windows\system32\iepeers.dll

2012-11-14 20:25 . 2012-11-14 20:25 135168 ----a-w- c:\windows\system32\IEAdvpack.dll

2012-11-14 20:25 . 2012-11-14 20:25 12288 ----a-w- c:\windows\system32\mshta.exe

2012-11-14 20:25 . 2012-11-14 20:25 114176 ----a-w- c:\windows\system32\admparse.dll

2012-11-14 20:25 . 2012-11-14 20:25 111616 ----a-w- c:\windows\system32\iesysprep.dll

2012-11-14 20:25 . 2012-11-14 20:25 10752 ----a-w- c:\windows\system32\msfeedssync.exe

2012-11-14 20:25 . 2012-11-14 20:25 103936 ----a-w- c:\windows\system32\inseng.dll

2012-11-14 20:25 . 2012-11-14 20:25 165888 ----a-w- c:\windows\system32\iexpress.exe

2012-11-14 20:25 . 2012-11-14 20:25 160256 ----a-w- c:\windows\system32\wextract.exe

2012-11-14 07:06 . 2012-12-13 08:01 17811968 ----a-w- c:\windows\system32\mshtml.dll

2012-11-14 06:32 . 2012-12-13 08:01 10925568 ----a-w- c:\windows\system32\ieframe.dll

2012-11-14 06:11 . 2012-12-13 08:01 2312704 ----a-w- c:\windows\system32\jscript9.dll

2012-11-14 06:04 . 2012-12-13 08:01 1346048 ----a-w- c:\windows\system32\urlmon.dll

2012-11-14 06:04 . 2012-12-13 08:01 1392128 ----a-w- c:\windows\system32\wininet.dll

2012-11-14 06:02 . 2012-12-13 08:01 1494528 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-14 06:02 . 2012-12-13 08:01 237056 ----a-w- c:\windows\system32\url.dll

2012-11-14 05:59 . 2012-12-13 08:01 85504 ----a-w- c:\windows\system32\jsproxy.dll

2012-11-14 05:58 . 2012-12-13 08:01 816640 ----a-w- c:\windows\system32\jscript.dll

2012-11-14 05:57 . 2012-12-13 08:01 599040 ----a-w- c:\windows\system32\vbscript.dll

2012-11-14 05:57 . 2012-12-13 08:01 173056 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-14 05:55 . 2012-12-13 08:01 2144768 ----a-w- c:\windows\system32\iertutil.dll

2012-11-14 05:55 . 2012-12-13 08:01 729088 ----a-w- c:\windows\system32\msfeeds.dll

2012-11-14 05:53 . 2012-12-13 08:01 96768 ----a-w- c:\windows\system32\mshtmled.dll

2012-11-14 05:52 . 2012-12-13 08:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb

2012-11-14 05:46 . 2012-12-13 08:01 248320 ----a-w- c:\windows\system32\ieui.dll

2012-11-14 02:09 . 2012-12-13 08:01 1800704 ----a-w- c:\windows\SysWow64\jscript9.dll

2012-11-14 01:58 . 2012-12-13 08:01 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2012-11-14 01:57 . 2012-12-13 08:01 1129472 ----a-w- c:\windows\SysWow64\wininet.dll

2012-11-14 01:49 . 2012-12-13 08:01 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2012-11-14 01:48 . 2012-12-13 08:01 420864 ----a-w- c:\windows\SysWow64\vbscript.dll

2012-11-14 01:44 . 2012-12-13 08:01 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Steam"="c:\program files (x86)\Steam\Steam.exe" [2012-12-05 1354736]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-12-20 634880]

.

c:\users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R3 DroidCam;DroidCam Virtual Audio;c:\windows\system32\drivers\droidcam.sys [2013-01-06 25216]

R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-02 33736]

R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]

R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-08-31 128456]

R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-09-13 368896]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-11-18 1255736]

S0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-01-30 14456]

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]

S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2011-09-15 88576]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]

S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2009-06-19 712704]

S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2009-06-10 187392]

S3 VST64_DPV;VST64_DPV;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]

S3 VST64HWBS2;VST64HWBS2;c:\windows\system32\DRIVERS\VSTBS26.SYS [2009-06-10 411136]

.

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]

2013-01-31 22:24 1607120 ----a-w- c:\program files (x86)\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe

.

Contents of the 'Scheduled Tasks' folder

.

2013-02-07 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-15 23:26]

.

2013-02-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-15 17:19]

.

2013-02-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-15 17:19]

.

--------- X64 Entries -----------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 1289704]

"Logitech Download Assistant"="c:\windows\System32\LogiLDA.dll" [2012-09-20 1832760]

.

------- Supplementary Scan -------

.

uLocal Page = c:\windows\system32\blank.htm

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\dhwufmky.default\

FF - ExtSQL: 2012-12-29 10:39; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\dhwufmky.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

FF - ExtSQL: 2012-12-29 10:39; donottrackplus@abine.com; c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\dhwufmky.default\extensions\donottrackplus@abine.com

FF - ExtSQL: 2013-01-02 15:21; jid1-xUfzOsOFlzSOXg@jetpack; c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\dhwufmky.default\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-dBpoweramp DSP Effects - c:\windows\system32\SpoonUninstall.exe

AddRemove-dBpoweramp Music Converter - c:\windows\system32\SpoonUninstall.exe

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_146.ocx, 1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*]

@="?????????????????? v1"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*1*\CLSID]

@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*]

@="?????????????????? v2"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VideoLAN.VLCPlugin.*2*\CLSID]

@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-02-07 02:00:27

ComboFix-quarantined-files.txt 2013-02-07 07:00

.

Pre-Run: 529,266,241,536 bytes free

Post-Run: 529,597,419,520 bytes free

.

- - End Of File - - FEF5BA49DE4FE369F69658E6AE6CDBB0

gringo_pr · February 7, 2013

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

 ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.

Restart if you have to.

Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following

report from Combofix
let me know of any problems you may have had
How is the computer doing now after running the script?

Gringo

aphonopelma · February 8, 2013

Gringo -

Thanks for your response. After running the script, nothing has changed from last time, which means -

- No redirect behavior apparent

- Every time I log in as "Chris", I get "There was a problem starting C:\Users\Chris\AppData\Roaming\cttunei.dll The specified module could not be found" as well as one for cryptbaseo.dll

- Chrome is fully functional

- Firefox still reads "The URL is not valid and cannot be loaded" upon opening; Firefox settings say it should be loading FIrefox home page

ComboFix 13-02-06.02 - Owner 02/07/2013 20:12:12.2.2 - x64

Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2469 [GMT -5:00]

Running from: c:\users\Owner\Desktop\ComboFix.exe

Command switches used :: c:\users\Owner\Desktop\CFScript.txt

AV: Microsoft Security Essentials *Disabled/Updated* {B140BF4E-23BB-4198-90AB-A51A4C60A69C}

SP: Microsoft Security Essentials *Disabled/Updated* {0A215EAA-0581-4E16-AA1B-9E6837E7EC21}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

((((((((((((((((((((((((( Files Created from 2013-01-08 to 2013-02-08 )))))))))))))))))))))))))))))))

.

2013-02-08 01:19 . 2013-02-08 01:19 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-02-08 01:19 . 2013-02-08 01:19 -------- d-----w- c:\users\Chris\AppData\Local\temp

2013-02-08 01:19 . 2013-02-08 01:19 -------- d-----w- c:\users\Admin\AppData\Local\temp

2013-02-07 14:38 . 2013-01-08 05:32 9161176 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9047FFB2-2388-4465-B735-FEA4EB51AB97}\mpengine.dll