Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Please help with infected PC - aftermath of SMART HDD [Solved]

Started by Sheep17 , Jun 18 2012 06:05 PM

This topic is locked

#16
Sheep17

Posted 26 June 2012 - 06:38 AM

Member

Topic Starter
Member
18 posts

ComboFix 12-06-26.01 - wooly7 06/26/2012 6:52.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3070.2209 [GMT -5:00]
Running from: c:\users\wooly7\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\wooly7\AppData\Local\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}
c:\users\wooly7\AppData\Local\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\@
c:\users\wooly7\AppData\Local\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\n
c:\users\wooly7\AppData\Local\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\U\00000001.@
c:\users\wooly7\AppData\Local\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\U\80000000.@
c:\users\wooly7\AppData\Local\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\U\800000cb.@
.
---- Previous Run -------
.
c:\users\wooly7\AppData\Local\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\@
c:\users\wooly7\AppData\Local\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\n
c:\users\wooly7\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_uninst_setup_9.0.0.722_30.06.2011_15-07.exe.lnk
c:\users\wooly7\GoToAssistDownloadHelper.exe
c:\windows\assembly\GAC\Desktop.ini
c:\windows\Installer\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\@
c:\windows\Installer\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\L\00000004.@
c:\windows\Installer\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\L\1afb2d56
c:\windows\Installer\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\n
c:\windows\Installer\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\U\00000004.@
c:\windows\Installer\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\U\00000008.@
c:\windows\Installer\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\U\000000cb.@
c:\windows\Installer\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\U\80000000.@
c:\windows\Installer\{1c976c55-a72f-556b-16ee-3f7bb61aebdc}\U\80000032.@
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy5_!Windows!ERDNT!cache!services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-05-26 to 2012-06-26 )))))))))))))))))))))))))))))))
.
.
2012-06-26 12:01 . 2012-06-26 12:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-26 12:01 . 2012-06-26 12:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-26 02:22 . 2012-06-26 02:22 729688 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-06-22 11:18 . 2012-06-22 11:18 -------- d-----w- C:\_OTL
2012-06-19 13:35 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-19 13:35 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-19 13:35 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-19 13:35 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-19 13:35 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-19 13:35 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-19 13:35 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-19 13:35 . 2012-06-02 20:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-19 13:35 . 2012-06-02 20:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-15 22:31 . 2012-06-15 22:31 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-14 23:47 . 2012-06-14 23:47 -------- d-----w- C:\_OTM
2012-06-14 23:42 . 2012-06-14 23:43 -------- d-----w- c:\program files\ERUNT
2012-06-14 23:15 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8D038D17-181F-4314-B276-784AAEEB08E2}\mpengine.dll
2012-06-14 02:50 . 2012-06-07 00:47 565248 ----a-w- c:\program files\Mozilla Firefox\Tweaking.com - Unhide Non System Files\repair.exe
2012-06-14 02:50 . 2010-04-27 16:04 381816 ----a-w- c:\program files\Mozilla Firefox\Tweaking.com - Unhide Non System Files\files\psexec.exe
2012-06-14 02:50 . 2004-06-11 21:33 290304 ----a-w- c:\program files\Mozilla Firefox\Tweaking.com - Unhide Non System Files\files\subinacl.exe
2012-06-14 02:50 . 2003-04-18 23:07 36864 ----a-w- c:\program files\Mozilla Firefox\Tweaking.com - Unhide Non System Files\files\regini.exe
2012-06-14 02:48 . 2012-06-14 02:48 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-14 02:40 . 2012-06-14 02:48 -------- d-----w- c:\programdata\HitmanPro
2012-06-14 00:34 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 00:33 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-14 00:33 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-14 00:33 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-14 00:33 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-14 00:33 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-14 00:33 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-06-14 00:33 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 00:33 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 00:33 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-13 23:11 . 2012-02-10 13:02 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{87158AB4-69A6-48EF-8661-073C01E6E3CB}\gapaengine.dll
2012-06-13 23:05 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 04:39 . 2012-05-11 17:10 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-31 04:39 . 2012-05-11 17:10 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-30 10:23 . 2012-05-11 17:10 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-03-18 17:53 . 2011-03-26 12:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\wooly7\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\wooly7\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\wooly7\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\wooly7\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\users\wooly7\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-12-28 79872]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"KeePass 2 PreLoad"="c:\program files\KeePass Password Safe 2\KeePass.exe" [2012-01-05 1823744]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/w...&ver=10.0.1375" [?]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-12-22 984936]
VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2010-6-28 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R1 MpKsl863eb478;MpKsl863eb478;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8D038D17-181F-4314-B276-784AAEEB08E2}\MpKsl863eb478.sys [2012-06-15 29904]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 74112]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-26 1343400]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [2011-04-08 233472]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2012-02-23 3074624]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-09-26 189736]
.
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\windows\system32\cwalsp.dll
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
FF - ProfilePath - c:\users\wooly7\AppData\Roaming\Mozilla\Firefox\Profiles\eq8bx4q8.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-MsMpSvc
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(1492)
c:\users\wooly7\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-06-26 07:29:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-26 12:29
ComboFix2.txt 2011-07-01 12:09
.
Pre-Run: 134,080,544,768 bytes free
Post-Run: 133,615,083,520 bytes free
.
- - End Of File - - 69242EF6175F185A62CC15DA1FD334BC

#17
maliprog

Posted 26 June 2012 - 06:44 AM

Trusted Helper

Malware Removal
6,172 posts

OTL and Combofix did great job. Please test your system now and let me know if you have any problems.

#18
Sheep17

Posted 26 June 2012 - 08:42 PM

Member

Topic Starter
Member
18 posts

That is great news! So far so good. We have used it some this evening with no issues. I did notice in file explorer the icons for Computer and Network were for unknown files. Please see attached pic.

Attached Thumbnails

#19
maliprog

Posted 26 June 2012 - 11:20 PM

Trusted Helper

Malware Removal
6,172 posts

That is usually system problem. Let's try standard fix first. Make sure to restart your system after running this program.

Download:

Rebuild_Icon_Cache.bat 1.07KB 574 downloads

Right click on it and select Run as Administrator.
Follow prompts and press any key to continue.
Type Y to restart your system at the end.

Let me know if this fixed icons problem.

#20
Sheep17

Posted 27 June 2012 - 04:40 PM

Member

Topic Starter
Member
18 posts

Greetings,
That program fixed the icons and the computer has run flawlessly all day! Is there anything else you recommend?
Thanks,
David

#21
Sheep17

Posted 27 June 2012 - 07:01 PM

Member

Topic Starter
Member
18 posts

Greetings,
We have noticed a few Google redirects tonight. Do you have a recommended fix?
Thanks again.
David

#22
maliprog

Posted 27 June 2012 - 11:16 PM

Trusted Helper

Malware Removal
6,172 posts

Hi Sheep17,

That is strange. Let's do scans again and see if infection is back.

Do you experience redirect only in one browser or all browsers you use?

Step 1

Run OTL.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open notepad window. OTL.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of this file, and post it with your next reply.

Step 2

Please run Combofix again and post log.

Step 3

Please don't forget to include these items in your reply:

OTL log
Combofix log

It would be helpful if you could post each log in separate post using "Add Reply" button

#23
Sheep17

Posted 28 June 2012 - 04:57 AM

Member

Topic Starter
Member
18 posts

OTL logfile created on: 6/28/2012 5:21:10 AM - Run 3
OTL by OldTimer - Version 3.2.53.0 Folder = C:\Users\wooly7\Desktop
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 1.79 Gb Available Physical Memory | 59.58% Memory free
5.99 Gb Paging File | 4.59 Gb Available in Paging File | 76.60% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 232.82 Gb Total Space | 122.65 Gb Free Space | 52.68% Space Free | Partition Type: NTFS

Computer Name: SHED | User Name: wooly7 | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/06/28 05:20:51 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\wooly7\Desktop\OTL.scr
PRC - [2012/03/26 17:08:12 | 000,931,200 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2012/03/26 17:03:40 | 000,258,712 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MpCmdRun.exe
PRC - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2012/02/23 10:13:43 | 003,074,624 | ---- | M] (ContentWatch, Inc.) -- C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe
PRC - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/12/22 08:48:12 | 000,984,936 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2011/12/22 07:31:08 | 000,045,056 | ---- | M] (Intuit) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
PRC - [2011/03/18 12:53:06 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/12/27 19:18:17 | 000,079,872 | ---- | M] (SanDisk Corporation) -- C:\Users\wooly7\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
PRC - [2010/11/20 07:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/06/16 16:42:58 | 000,839,680 | ---- | M] () -- C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
PRC - [2010/03/23 13:19:32 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2009/09/25 23:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
PRC - [2007/12/05 07:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AERTSrv.exe

========== Modules (No Company Name) ==========

MOD - [2012/02/23 10:13:52 | 001,216,512 | ---- | M] () -- C:\Windows\System32\wxcode_msw28u_wxcurl_CW.dll
MOD - [2012/02/23 10:13:52 | 000,081,920 | ---- | M] () -- C:\Windows\System32\wxcode_msw28u_wxjson_CW.dll
MOD - [2012/02/23 10:13:48 | 000,975,872 | ---- | M] () -- C:\Windows\System32\libxml2_CW.dll
MOD - [2012/02/23 10:13:48 | 000,151,552 | ---- | M] () -- C:\Windows\System32\libexpat.dll
MOD - [2011/11/13 10:01:19 | 008,527,008 | ---- | M] () -- C:\Windows\System32\Macromed\Flash\NPSWF32.dll
MOD - [2011/03/18 12:53:11 | 001,874,904 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/02/10 14:22:20 | 002,916,352 | ---- | M] () -- C:\Windows\System32\wxmsw28u_core_vc_CW.dll
MOD - [2011/02/10 14:22:20 | 001,236,992 | ---- | M] () -- C:\Windows\System32\wxbase28u_vc_CW.dll
MOD - [2011/02/10 14:22:20 | 000,135,168 | ---- | M] () -- C:\Windows\System32\wxbase28u_xml_vc_CW.dll
MOD - [2010/06/16 16:42:58 | 000,839,680 | ---- | M] () -- C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
MOD - [2010/06/13 16:54:28 | 000,094,208 | ---- | M] () -- C:\Program Files\FileZilla FTP Client\fzshellext.dll

========== Win32 Services (SafeList) ==========

SRV - [2012/04/04 15:56:40 | 000,654,408 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/03/26 17:03:40 | 000,214,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2012/03/26 17:03:40 | 000,011,552 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2012/02/23 10:13:43 | 003,074,624 | ---- | M] (ContentWatch, Inc.) [Auto | Running] -- C:\Program Files\ContentWatch\Internet Protection\cwsvc.exe -- (CwAltaService20)
SRV - [2012/01/03 08:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/12/22 07:31:08 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2010/06/26 06:36:14 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/03/23 13:19:32 | 001,528,616 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2009/09/25 23:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/08/08 21:10:46 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)
SRV - [2007/12/05 07:17:24 | 000,077,824 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\SBREdrv.sys -- (SBRE)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS -- (MRESP50)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS -- (MREMP50)
DRV - File not found [File_System | On_Demand | Stopped] -- C:\Windows\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\wooly7\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2012/03/20 20:44:12 | 000,074,112 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2010/11/20 05:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 04:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/07/10 06:37:00 | 011,008,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/03/23 13:15:36 | 000,308,859 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2009/10/07 09:47:56 | 000,266,008 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\lvrs.sys -- (LVRS)
DRV - [2009/10/07 08:49:40 | 006,756,632 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam E3500(UVC)
DRV - [2009/07/13 18:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009/07/13 17:02:50 | 000,211,456 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2008/11/16 18:39:44 | 000,131,984 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 20:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CVirtA.sys -- (CVirtA)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 61 AA D0 25 CB 14 CB 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {E46FFAF8-092F-44CC-A60E-092364C5DB69}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{482DF3D6-A0F5-43C2-8125-6EAF5AE4348C}: "URL" = http://search.avg.co...e}&iy=&ychte=us
IE - HKCU\..\SearchScopes\{E46FFAF8-092F-44CC-A60E-092364C5DB69}: "URL" = http://www.google.co...age={startPage}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo! Search"
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.3
FF - prefs.js..extensions.enabledItems: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}:20110323
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:10.0.0.1178
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..keyword.URL: "http://us.yhs.search...2-tb-web_us&p="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll (Amazon.com, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/03/26 07:25:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/05/12 07:20:07 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 13.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2012/06/26 08:12:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{9E084360-A7E5-478C-8781-3A49F52F7925}: C:\Users\wooly7\AppData\Local\{9E084360-A7E5-478C-8781-3A49F52F7925} [2011/05/14 11:35:45 | 000,000,000 | ---D | M]

[2010/06/25 20:29:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\wooly7\AppData\Roaming\Mozilla\Extensions
[2010/06/25 20:27:50 | 000,000,000 | ---D | M] (No name found) -- C:\Users\wooly7\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2012/06/15 16:43:31 | 000,000,000 | ---D | M] (No name found) -- C:\Users\wooly7\AppData\Roaming\Mozilla\Firefox\Profiles\eq8bx4q8.default\extensions
[2012/05/20 17:50:23 | 000,000,000 | ---D | M] (WOT) -- C:\Users\wooly7\AppData\Roaming\Mozilla\Firefox\Profiles\eq8bx4q8.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011/11/06 18:36:02 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/11/06 18:36:03 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2010/06/25 21:42:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/18 05:43:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/11/08 08:16:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/05/14 11:35:45 | 000,000,000 | ---D | M] (XULRunner) -- C:\USERS\WOOLY7\APPDATA\LOCAL\{9E084360-A7E5-478C-8781-3A49F52F7925}
[2012/01/06 16:28:22 | 000,634,964 | ---- | M] () (No name found) -- C:\USERS\WOOLY7\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\EQ8BX4Q8.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2009/07/13 18:11:12 | 000,004,819 | ---- | M] () (No name found) -- C:\USERS\WOOLY7\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\EQ8BX4Q8.DEFAULT\EXTENSIONS\NCFDDMETQT@NCFDDMETQT.ORG.XPI
[2011/03/18 12:53:24 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/09/15 05:50:38 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2012/06/26 07:26:04 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)
O4 - HKLM..\Run: [KeePass 2 PreLoad] C:\Program Files\KeePass Password Safe 2\KeePass.exe (Dominik Reichl)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKCU..\Run: [OpenDNS Updater] C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
O4 - HKCU..\Run: [SansaDispatch] C:\Users\wooly7\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe (SanDisk Corporation)
O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\Windows\System32\cmd.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000037 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000038 - C:\Windows\System32\cwalsp.dll (ContentWatch, Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_22)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A5C29F90-C06D-40D6-91F2-81B397208E73}: DhcpNameServer = 208.67.222.222 208.67.220.220
O18 - Protocol\Handler\intu-help-qb2 {84D77A00-41B5-4b8b-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 16:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/06/28 05:20:45 | 000,596,992 | ---- | C] (OldTimer Tools) -- C:\Users\wooly7\Desktop\OTL.scr
[2012/06/26 17:46:25 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/06/26 07:29:28 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/06/26 07:28:14 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/06/22 06:18:36 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/06/15 17:31:25 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/06/14 18:47:46 | 000,000,000 | ---D | C] -- C:\_OTM
[2012/06/14 18:42:51 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT
[2012/06/14 18:42:48 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2012/06/13 21:48:23 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2012/06/13 21:40:24 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2012/05/30 10:28:20 | 000,000,000 | ---D | C] -- C:\Users\wooly7\Documents\School e-books

========== Files - Modified Within 30 Days ==========

[2012/06/28 05:21:00 | 000,013,760 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/06/28 05:21:00 | 000,013,760 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/06/28 05:20:51 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\wooly7\Desktop\OTL.scr
[2012/06/28 05:13:35 | 000,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs
[2012/06/28 05:13:33 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/06/28 05:13:28 | 2414,481,408 | -HS- | M] () -- C:\hiberfil.sys
[2012/06/27 05:16:07 | 000,001,097 | ---- | M] () -- C:\Users\wooly7\Desktop\Rebuild_Icon_Cache.bat
[2012/06/26 17:46:42 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2012/06/26 17:46:30 | 000,626,040 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012/06/26 17:46:30 | 000,107,316 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012/06/26 07:26:04 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2012/06/25 17:51:26 | 381,148,437 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/06/15 10:46:12 | 000,330,544 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/06/13 21:48:23 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2012/06/11 23:20:54 | 000,002,046 | ---- | M] () -- C:\Users\wooly7\Documents\Default.rdp

========== Files Created - No Company Name ==========

[2012/06/27 05:16:05 | 000,001,097 | ---- | C] () -- C:\Users\wooly7\Desktop\Rebuild_Icon_Cache.bat
[2012/06/26 17:46:36 | 000,001,915 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/06/22 06:19:47 | 000,000,000 | ---- | C] () -- C:\Windows\System32\drivers\lvuvc.hs
[2012/06/13 19:39:03 | 000,002,641 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
[2012/06/13 19:39:03 | 000,002,392 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
[2012/06/13 19:39:03 | 000,001,515 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
[2012/06/13 19:39:03 | 000,001,352 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Anytime Upgrade.lnk
[2012/06/13 19:39:03 | 000,001,326 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk
[2012/06/13 19:39:03 | 000,001,246 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
[2012/06/13 19:39:03 | 000,001,210 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
[2012/06/13 19:39:02 | 000,002,044 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk
[2012/06/13 19:39:02 | 000,001,345 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
[2012/06/13 19:39:02 | 000,001,330 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
[2012/06/13 19:39:02 | 000,001,104 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012/06/13 19:39:01 | 000,001,075 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeePass 2.lnk
[2012/06/13 19:39:00 | 000,001,024 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Audacity 1.3 Beta (Unicode).lnk
[2012/06/13 19:38:59 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2012/06/13 19:38:59 | 000,002,136 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Digital Editions.lnk
[2012/06/13 19:38:59 | 000,000,977 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat_com.lnk
[2012/02/23 10:14:05 | 001,216,512 | ---- | C] () -- C:\Windows\System32\wxcode_msw28u_wxcurl_CW.dll
[2012/02/23 10:14:05 | 000,081,920 | ---- | C] () -- C:\Windows\System32\wxcode_msw28u_wxjson_CW.dll
[2012/02/23 10:14:02 | 000,975,872 | ---- | C] () -- C:\Windows\System32\libxml2_CW.dll
[2012/02/23 10:14:02 | 000,151,552 | ---- | C] () -- C:\Windows\System32\libexpat.dll
[2012/02/04 10:13:09 | 000,000,061 | ---- | C] () -- C:\Windows\TaxACT11.ini
[2011/10/11 18:31:11 | 000,000,600 | ---- | C] () -- C:\Users\wooly7\AppData\Local\PUTTY.RND
[2011/08/30 19:07:05 | 000,007,608 | ---- | C] () -- C:\Users\wooly7\AppData\Local\Resmon.ResmonCfg
[2011/07/01 06:45:23 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/07/01 06:45:23 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011/07/01 06:45:23 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/07/01 06:45:23 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/07/01 06:45:23 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/04/28 20:02:50 | 000,000,844 | ---- | C] () -- C:\Users\wooly7\.recently-used.xbel
[2011/03/03 20:08:17 | 002,916,352 | ---- | C] () -- C:\Windows\System32\wxmsw28u_core_vc_CW.dll
[2011/03/03 20:08:17 | 000,524,288 | ---- | C] () -- C:\Windows\System32\wxmsw28u_xrc_vc_CW.dll
[2011/03/03 20:08:17 | 000,499,712 | ---- | C] () -- C:\Windows\System32\wxmsw28u_html_vc_CW.dll
[2011/03/03 20:08:17 | 000,110,592 | ---- | C] () -- C:\Windows\System32\wxmsw28u_media_vc_CW.dll
[2011/03/03 20:08:16 | 001,236,992 | ---- | C] () -- C:\Windows\System32\wxbase28u_vc_CW.dll
[2011/03/03 20:08:16 | 000,716,800 | ---- | C] () -- C:\Windows\System32\wxmsw28u_adv_vc_CW.dll
[2011/03/03 20:08:16 | 000,135,168 | ---- | C] () -- C:\Windows\System32\wxbase28u_xml_vc_CW.dll
[2011/03/03 20:08:16 | 000,135,168 | ---- | C] () -- C:\Windows\System32\wxbase28u_net_vc_CW.dll
[2011/02/02 14:13:49 | 000,000,061 | ---- | C] () -- C:\Windows\TaxACT10.ini
[2010/12/11 18:04:38 | 000,005,120 | ---- | C] () -- C:\Users\wooly7\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/11/16 21:43:19 | 000,000,085 | ---- | C] () -- C:\Users\wooly7\AppData\Roaming\WaveBreaker.ini
[2010/11/16 21:11:48 | 000,000,060 | ---- | C] () -- C:\Windows\System32\SYSWBDRV.SYS
[2010/11/16 19:46:03 | 000,000,077 | ---- | C] () -- C:\Windows\WaveBreaker.ini
[2010/11/06 15:36:25 | 000,000,090 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini
[2010/10/21 18:33:47 | 000,004,096 | ---- | C] () -- C:\Windows\d3dx.dat
[2010/10/07 17:40:42 | 000,064,000 | ---- | C] () -- C:\Windows\System32\esfw52.bin
[2010/06/25 21:33:48 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat

========== LOP Check ==========

[2010/08/02 19:31:07 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\Amazon
[2011/04/15 16:58:09 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\Audacity
[2010/10/17 07:56:10 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\AVG10
[2012/06/22 06:10:33 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\Dropbox
[2010/10/07 18:42:24 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\EPSON
[2010/06/28 20:07:18 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\FileZilla
[2010/07/16 20:30:59 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\flightgear.org
[2011/03/02 19:30:45 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\fltk.org
[2011/02/23 13:11:30 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\gtk-2.0
[2012/01/10 18:57:57 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\ImgBurn
[2012/06/01 19:30:59 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\KeePass
[2010/11/30 22:09:36 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\MakeMusic
[2012/06/11 21:22:36 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\MediaMonkey
[2011/04/01 23:12:22 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\OpenDNS Updater
[2010/06/25 21:54:34 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\OpenOffice.org
[2010/11/19 20:02:59 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\SanDisk
[2010/06/25 20:27:49 | 000,000,000 | ---D | M] -- C:\Users\wooly7\AppData\Roaming\Thunderbird
[2012/06/14 20:52:03 | 000,032,562 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========

========== Alternate Data Streams ==========

@Alternate Data Stream - 925 bytes -> C:\Users\wooly7\Documents\Fwd FUNNY---What's that again.eml:OECustomProperty

< End of report >

#24
Sheep17

Posted 28 June 2012 - 04:59 AM

Member

Topic Starter
Member
18 posts

We were only using Firefox/Google. I was able to hit a number of links without it redirecting. We will try IE today. There are no other symptoms of a problem.

ComboFix 12-06-28.01 - wooly7 06/28/2012 5:31.4.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3070.2021 [GMT -5:00]
Running from: c:\users\wooly7\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-28 )))))))))))))))))))))))))))))))
.
.
2012-06-28 10:37 . 2012-06-28 10:37 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-06-28 10:37 . 2012-06-28 10:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-28 10:29 . 2012-06-28 10:29 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{42E48378-A5E9-40DB-9048-65980288C8E6}\MpKslf6802ed2.sys
2012-06-28 10:28 . 2012-06-28 10:28 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{42E48378-A5E9-40DB-9048-65980288C8E6}\offreg.dll
2012-06-28 10:24 . 2012-05-31 01:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{42E48378-A5E9-40DB-9048-65980288C8E6}\mpengine.dll
2012-06-26 22:50 . 2012-06-26 22:50 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F303C6D5-C1B8-48CC-A3AF-68D3A053B729}\gapaengine.dll
2012-06-26 22:50 . 2012-05-31 01:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-06-26 22:46 . 2012-06-26 22:46 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-22 11:18 . 2012-06-22 11:18 -------- d-----w- C:\_OTL
2012-06-19 13:35 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-19 13:35 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-19 13:35 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-19 13:35 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-19 13:35 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-19 13:35 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-19 13:35 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-19 13:35 . 2012-06-02 20:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-19 13:35 . 2012-06-02 20:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-15 22:31 . 2012-06-15 22:31 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-14 23:47 . 2012-06-14 23:47 -------- d-----w- C:\_OTM
2012-06-14 23:42 . 2012-06-14 23:43 -------- d-----w- c:\program files\ERUNT
2012-06-14 02:50 . 2012-06-07 00:47 565248 ----a-w- c:\program files\Mozilla Firefox\Tweaking.com - Unhide Non System Files\repair.exe
2012-06-14 02:50 . 2010-04-27 16:04 381816 ----a-w- c:\program files\Mozilla Firefox\Tweaking.com - Unhide Non System Files\files\psexec.exe
2012-06-14 02:50 . 2004-06-11 21:33 290304 ----a-w- c:\program files\Mozilla Firefox\Tweaking.com - Unhide Non System Files\files\subinacl.exe
2012-06-14 02:50 . 2003-04-18 23:07 36864 ----a-w- c:\program files\Mozilla Firefox\Tweaking.com - Unhide Non System Files\files\regini.exe
2012-06-14 02:48 . 2012-06-14 02:48 12872 ----a-w- c:\windows\system32\bootdelete.exe
2012-06-14 02:40 . 2012-06-14 02:48 -------- d-----w- c:\programdata\HitmanPro
2012-06-14 00:34 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 00:33 . 2012-04-26 04:45 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-06-14 00:33 . 2012-04-26 04:45 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-06-14 00:33 . 2012-04-26 04:41 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-14 00:33 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-14 00:33 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-14 00:33 . 2012-05-01 04:44 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-06-14 00:33 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-14 00:33 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-14 00:33 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-31 04:39 . 2012-05-11 17:10 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-31 04:39 . 2012-05-11 17:10 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-03-18 17:53 . 2011-03-26 12:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\wooly7\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\wooly7\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\wooly7\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\wooly7\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="c:\users\wooly7\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-12-28 79872]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"KeePass 2 PreLoad"="c:\program files\KeePass Password Safe 2\KeePass.exe" [2012-01-05 1823744]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/w...&ver=10.0.1375" [?]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-12-22 984936]
VPN Client.lnk - c:\windows\Installer\{B0BF7057-6869-4E4B-920C-EA2A58DA07F0}\Icon3E5562ED7.ico [2010-6-28 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 PuranDefrag;PuranDefrag;c:\windows\system32\PuranDefragS.exe [x]
S1 MpKslf6802ed2;MpKslf6802ed2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{42E48378-A5E9-40DB-9048-65980288C8E6}\MpKslf6802ed2.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [x]
S2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [x]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLF6802ED2
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\windows\system32\cwalsp.dll
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
FF - ProfilePath - c:\users\wooly7\AppData\Roaming\Mozilla\Firefox\Profiles\eq8bx4q8.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3572)
c:\users\wooly7\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
Completion time: 2012-06-28 05:40:35
ComboFix-quarantined-files.txt 2012-06-28 10:40
ComboFix2.txt 2012-06-26 12:29
ComboFix3.txt 2011-07-01 12:09
.
Pre-Run: 131,483,459,584 bytes free
Post-Run: 131,442,671,616 bytes free
.
- - End Of File - - E8A4EA76A3E07548274CBD5CA43EA074

#25
maliprog

Posted 28 June 2012 - 05:01 AM

Trusted Helper

Malware Removal
6,172 posts

OK. Please try IE today and let me know. It could help if we limit problem to FF only.

#26
Sheep17

Posted 28 June 2012 - 05:44 PM

Member

Topic Starter
Member
18 posts

IE ran great today with no issues. I've tested FF some this evening and while it hasn't redirected, occasionally it load pages extremely slow, but the same page loads normally in IE. Also noted yesteday if FF redirected, net nanny would block for porn, if clicked back, then the page would load. Please let me know if I could provide more.
Thanks!
David

#27
maliprog

Posted 28 June 2012 - 11:00 PM

Trusted Helper

Malware Removal
6,172 posts

OK. We need to test Firefox in safe mode

Click on Start then Run...
Type

firefox.exe -safe-mode

And press OK button
If it ask you press Continue in Safe Mode
Test Google searches and Firefox now and let me know results.

#28
maliprog

Posted 01 July 2012 - 11:15 PM

Trusted Helper

Malware Removal
6,172 posts

Hi Sheep17,

Are you still with me? Did you manage to run my last step?

#29
Sheep17

Posted 02 July 2012 - 04:53 AM

Member

Topic Starter
Member
18 posts

My apologies for the delay. Between power outages and weekend we haven't had a good test. I've tested some and firefox in safe mode loads pages normally and no redirect attempts.
Thanks,
David

#30
maliprog

Posted 02 July 2012 - 07:10 AM

Trusted Helper

Malware Removal
6,172 posts

If you don't experience any problems in safe-mode then you must check your add-ons in Firefox.

Open Firefox and from Tools menu select Add-ons
Disable them all and restart your Firefox
If you don't experience any problems then go to Add-ons and enable first add-on then restart Firefox
If problems starts then this is the bad one
If problems don't start then enable another one and so on until you find bad one

When you find it remove it from Add-ons.

Let me know results.