Solved Win7 Firefox links redirect; Comesis.A

Status
Not open for further replies.

beaker4251

Posts: 7   +0
Hello. While browsing websites using FireFox 9.0.1 I am often (seems random to my untrained eye) redirected to bogus search websites. I have Microsoft Security Essentials installed and it has detected and cleaned Comesis.A several times, but apparently this thing keeps coming back. I would like to clean Comesis.A off permanently and get my computer certified clean. I use NoScript FireFox add-on and when I block all scripts there are no redirects, but my suspicion is that I'm just treating the symptom and not the problem with that.

--Here are the 4 log files from the 5-Step Preliminary Removal Instructions--

MALWARE BYTES'
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122701

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

12/27/2011 12:55:58 AM
mbam-log-2011-12-27 (00-55-58).txt

Scan type: Quick scan
Objects scanned: 186846
Time elapsed: 1 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER
It didn't detect anything, log file was blank.

DDS.txt
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
Run by kikko at 1:22:28 on 2011-12-27
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4095.2576 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files\Cyberlink\Shared files\RichVideo64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Logitech Gaming Software\LCore.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Windows\System32\spool\drivers\x64\3\E_IATI9LA.EXE
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Logitech Gaming Software\plugins\LCDAppletsMono-8.12.072\Applets\x86\LCDMedia.exe
C:\Program Files\Logitech Gaming Software\plugins\LCDAppletsMono-8.12.072\Applets\x64\LCDClock.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "C:\Users\kikko\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [\\192.168.1.67\EPSON Stylus Photo R1800] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATI9LA.EXE /FU "C:\Windows\TEMP\E_SCB3C.tmp" /EF "HKCU"
mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
StartupFolder: C:\Users\kikko\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{FC578E5E-7B78-4FF2-B181-B48EF0E54F08} : DhcpNameServer = 192.168.1.254
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
mRun-x64: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
Hosts: 217.23.4.166 www.google-analytics.com.
Hosts: 217.23.4.166 ad-emea.doubleclick.net.
Hosts: 217.23.4.166 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\kikko\AppData\Roaming\Mozilla\Firefox\Profiles\z012xdg1.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\ProgramData\id Software\QuakeLive\npquakezero.dll
FF - plugin: C:\Users\kikko\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Users\kikko\AppData\Roaming\Mozilla\Firefox\Profiles\z012xdg1.default\extensions\2020Player@2020Technologies.com\plugins\NP2020Player.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-11-9 361984]
R2 AODDriver4.01;AODDriver4.01;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2011-6-24 55424]
R2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);C:\Program Files\Cyberlink\Shared files\RichVideo64.exe [2011-4-12 386344]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\system32\drivers\LGBusEnum.sys --> C:\Windows\system32\drivers\LGBusEnum.sys [?]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\system32\drivers\LGVirHid.sys --> C:\Windows\system32\drivers\LGVirHid.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 FlyUsb;FLY Fusion;C:\Windows\system32\DRIVERS\FlyUsb.sys --> C:\Windows\system32\DRIVERS\FlyUsb.sys [?]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 VaneFltr;Lachesis Mouse Driver;C:\Windows\system32\drivers\Lachesis.sys --> C:\Windows\system32\drivers\Lachesis.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-12-27 09:20:57 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4D57A144-DA39-4E89-A606-19995709A3C2}\offreg.dll
2011-12-27 09:20:54 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4D57A144-DA39-4E89-A606-19995709A3C2}\mpengine.dll
2011-12-27 08:53:33 -------- d-----w- C:\Users\kikko\AppData\Roaming\Malwarebytes
2011-12-27 08:53:28 -------- d-----w- C:\ProgramData\Malwarebytes
2011-12-27 08:53:25 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-12-27 08:53:25 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-12-27 08:46:55 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2011-12-27 08:46:55 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2011-12-27 08:46:55 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2011-12-27 08:46:55 43992 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2011-12-21 06:30:51 -------- d-----w- C:\Program Files (x86)\AMD APP
2011-12-20 04:56:27 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-12-11 00:56:34 8822856 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-10 04:22:08 -------- d-----w- C:\Program Files\Logitech Gaming Software
2011-12-10 01:38:44 53248 ----a-r- C:\Users\kikko\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-12-10 01:38:28 18960 ----a-w- C:\Windows\System32\drivers\LNonPnP.sys
2011-12-10 01:37:13 -------- d-----w- C:\Users\kikko\AppData\Roaming\Logishrd
2011-12-10 00:52:08 917840 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{82E551DF-8562-49FB-A23D-9AE866DBCC72}\gapaengine.dll
2011-12-10 00:50:36 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-12-10 00:50:26 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-12-09 11:41:54 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{E7467E6B-8458-453F-82C4-29355A0CD48B}\mpengine.dll
2011-12-03 00:34:46 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-02 22:00:56 -------- d-----w- C:\Windows\System32\SPReview
2011-12-02 22:00:29 -------- d-----w- C:\Windows\System32\EventProviders
2011-12-02 21:54:59 787968 ----a-w- C:\Windows\System32\d3d11.dll
2011-12-02 21:53:59 98304 ----a-w- C:\Windows\System32\wudriver.dll
2011-12-02 21:50:40 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
2011-12-02 21:50:40 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2011-12-02 21:50:40 244736 ----a-w- C:\Program Files\Windows Portable Devices\sqmapi.dll
2011-12-02 21:50:40 1225216 ----a-w- C:\Windows\System32\wbem\wbemcore.dll
2011-12-02 21:50:22 244736 ----a-w- C:\Windows\System32\sqmapi.dll
2011-12-02 21:50:21 933376 ----a-w- C:\Windows\System32\SmiEngine.dll
2011-12-02 21:50:14 199168 ----a-w- C:\Windows\System32\PkgMgr.exe
2011-12-02 21:50:05 422912 ----a-w- C:\Windows\System32\drvstore.dll
2011-12-02 21:50:05 399872 ----a-w- C:\Windows\System32\dpx.dll
2011-12-01 06:50:32 -------- d-----w- C:\Users\kikko\AppData\Local\Chromium
2011-12-01 05:44:50 -------- d-----w- C:\ProgramData\Hi-Rez Studios
2011-11-28 15:51:59 -------- d-----w- C:\ProgramData\Blizzard Entertainment
2011-11-28 06:44:10 -------- d-----w- C:\Program Files (x86)\Common Files\Blizzard Entertainment
2011-11-28 06:39:14 -------- d-----w- C:\ProgramData\Battle.net
.
==================== Find3M ====================
.
2011-12-02 22:05:02 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-12-02 22:05:02 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-11-10 06:39:50 69632 ----a-w- C:\Windows\System32\OpenVideo64.dll
2011-11-10 06:39:44 59904 ----a-w- C:\Windows\SysWow64\OpenVideo.dll
2011-11-10 06:39:36 61952 ----a-w- C:\Windows\System32\OVDecode64.dll
2011-11-10 06:39:32 54784 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2011-11-10 06:39:22 17442304 ----a-w- C:\Windows\System32\amdocl64.dll
2011-11-10 06:38:40 14375936 ----a-w- C:\Windows\SysWow64\amdocl.dll
2011-11-10 06:37:50 51200 ----a-w- C:\Windows\System32\OpenCL.dll
2011-11-10 06:37:46 44032 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2011-11-10 03:45:30 10567680 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-11-10 03:20:50 25218048 ----a-w- C:\Windows\System32\atio6axx.dll
2011-11-10 03:17:10 159744 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-11-10 03:16:56 774656 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-11-10 03:15:20 927232 ----a-w- C:\Windows\System32\aticfx64.dll
2011-11-10 03:12:24 466944 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-11-10 03:12:10 516608 ----a-w- C:\Windows\System32\atieclxx.exe
2011-11-10 03:11:32 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-11-10 03:10:18 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-11-10 03:09:58 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-11-10 03:09:52 360448 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-11-10 03:09:40 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-11-10 03:09:34 21504 ----a-w- C:\Windows\System32\atimuixx.dll
2011-11-10 03:09:30 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-11-10 03:09:24 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-11-10 03:06:20 6077952 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-11-10 02:58:20 18996224 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-11-10 02:51:18 7405056 ----a-w- C:\Windows\System32\atidxx64.dll
2011-11-10 02:40:52 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-11-10 02:40:18 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-11-10 02:40:04 4061696 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-11-10 02:34:54 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-11-10 02:34:52 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-11-10 02:34:44 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-11-10 02:34:42 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-11-10 02:34:28 13552640 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-11-10 02:33:52 5852672 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-11-10 02:29:58 11300864 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-11-10 02:29:46 4200960 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-11-10 02:24:26 7439360 ----a-w- C:\Windows\System32\atiumd64.dll
2011-11-10 02:18:44 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-11-10 02:13:32 494592 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-11-10 02:13:22 348160 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-11-10 02:13:08 17408 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-11-10 02:13:04 14336 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-11-10 02:13:04 14336 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-11-10 02:13:00 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-11-10 02:12:52 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-11-10 02:12:44 325632 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-11-10 02:11:54 41984 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-11-10 02:11:46 32256 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-11-10 02:11:40 39424 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-11-10 02:11:32 54784 ----a-w- C:\Windows\System32\atimpc64.dll
2011-11-10 02:11:32 54784 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-11-10 02:11:32 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-11-10 02:11:26 53760 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-11-10 02:11:26 53760 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-11-10 02:10:54 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-11-05 05:41:43 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-11-05 05:32:50 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-11-05 04:35:00 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-11-05 04:26:03 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-11-05 03:32:47 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-11-05 02:48:51 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-10-26 05:21:40 66560 ----a-w- C:\Windows\System32\OVDecoder64.dll
2011-10-26 05:21:34 56832 ----a-w- C:\Windows\SysWow64\OVDecoder.dll
2011-10-26 05:21:20 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2011-10-22 04:16:12 1843200 ----a-w- C:\Windows\SysWow64\SlotMaximizerBe.dll
2011-10-22 04:15:46 104448 ----a-w- C:\Windows\SysWow64\SlotMaximizerAg.dll
2011-10-22 04:12:32 2763264 ----a-w- C:\Windows\System32\SlotMaximizerBe.dll
2011-10-22 04:07:42 125440 ----a-w- C:\Windows\System32\SlotMaximizerAg.dll
2011-10-17 17:40:50 93712 ----a-w- C:\Windows\System32\drivers\AtihdW76.sys
2011-10-15 06:31:56 723456 ----a-w- C:\Windows\System32\EncDec.dll
2011-10-15 05:38:59 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2011-10-10 05:07:12 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-10-10 05:07:12 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-10-09 06:22:28 280904 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-10-03 13:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-10-02 07:25:12 75136 ----a-w- C:\Windows\SysWow64\PnkBstrA.exe
2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
.
============= FINISH: 1:23:10.26 ===============

Attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 11/14/2010 10:06:13 PM
System Uptime: 12/27/2011 1:18:42 AM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | M4A88TD-M/USB3
Processor: AMD Phenom(tm) II X2 555 Processor | AM3 | 2080/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 69 GiB total, 32.817 GiB free.
D: is FIXED (NTFS) - 112 GiB total, 38.388 GiB free.
E: is CDROM (CDFS)
H: is FIXED (NTFS) - 1863 GiB total, 1754.395 GiB free.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP195: 12/21/2011 2:05:19 AM - Scheduled Checkpoint
RP196: 12/22/2011 9:07:14 PM - Windows Update
RP197: 12/26/2011 9:07:04 PM - Windows Update
.
==== Hosts File Hijack ======================
.
Hosts: 217.23.4.166 www.google-analytics.com.
Hosts: 217.23.4.166 ad-emea.doubleclick.net.
Hosts: 217.23.4.166 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
Hosts: 69.72.252.254 www.statcounter.com.
.
==== Installed Programs ======================
.
µTorrent
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.1.1)
Air Video Server 2.4.3
AMD VISION Engine Control Center
Assassin's Creed Brotherhood
Call of Duty: Black Ops
Call of Duty: Black Ops - Multiplayer
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
CCC Help English
Counter-Strike: Source
CyberLink PowerDirector
CyberLink WaveEditor
Deus Ex: Human Revolution
eReg
ESN Sonar
Fallout: New Vegas
FileZilla Client 3.4.0
Fraps (remove only)
Google Chrome
Java Auto Updater
Java(TM) 6 Update 29
LeapFrog Connect
LeapFrog Tag Plugin
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Mozilla Firefox 9.0.1 (x86 en-US)
NEC Electronics USB 3.0 Host Controller Driver
NVIDIA PhysX
Pazzles Inspiration Studio
PC Probe II
Portal 2
PunkBuster Services
PuTTY version 0.61
Quake Live Mozilla Plugin
Rainmeter
Realtek Ethernet Controller Driver For Windows 7
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
SmartSound Quicktracks 5
Spotify
Steam
The Elder Scrolls V: Skyrim
The Witcher 2
Ubisoft Game Launcher
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Use the entry named LeapFrog Connect to uninstall (LeapFrog Tag Plugin)
VirtualCloneDrive
VLC media player 1.1.11
Windows Media Player Firefox Plugin
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
12/21/2011 2:04:54 AM, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
.
==== End Of File ===========================

Thank you so much for taking the time to help me. I'll check this post from work tomorrow but I won't be able to take action until I get home in the evening time Pacific.
 
Welcome to TechSpot! I'll help with the malware.

It is likely that recurring entries of the JS Trojan may have gotten into the Java cache- so let's clear that:

This should help with clearing the Java cache:
1. Click Start, and then click Control Panel.
w7_strt_cp_click.gif

2. Click Programs, and then click the Java icon.
java_icon.gif

If you are using Windows 7 and your View by is set to either Large icons or Small icons, then click the Java icon.
w7_cp_lrg_icn_jv.gif

------------------>
w7_cp_lrg_icn_jv.gif

3. Click the General tab> Temporary Internet Files section> click Settings.
4. Click Delete Files.
5. In the Delete Temporary Files window, select all the check boxes, and then click OK.
6. Click OK to close the Temporary Files Settings window.
7. Click OK to close the Java Control Panel window.
Images courtesy AOL Help
====================================
The redirects are occuring because the Host files have been hijacked. We can remove those with HijackThis:
  • First, set up a Directory for HijackThis as follows:
    [o]Right click Taskbar> Explore> My Computer> Local Drive (C)
    [o]Then click on File> New> Folder> Name folder HijackThis
  • Exit Explorer
You now have a folder C:\HijackThis
-----------------------------------------
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zipand save to your desktop.
  • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
  • Extract it to the directory on your hard drive you created C:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.
NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
=====================================
We need to check for additional malware entries:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    ***Please note: if you have downloaded Combofix to a flash drive, then run it on the infected machine> the Recovery Console will not install- just bypass and go on.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once installed, you should see a blue screen prompt that says:
    The Recovery Console was successfully installed.
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=============================
Please leave the logs from HijackThis and Combofix in your next reply. We'll go from there:
==============================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process..
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Please let me know if there is any change in the system.

If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================
 
Thanks Bobbye, you're fantastic.

Note: HijackThis reported Hosts file was write protected. Should that app have been run with MS Security Essentials enabled or disabled? I believe I left it enabled. So I have a log from HJT but I don't believe it attempted to clean anything, I didn't instruct it to do so.

---- ComboFix.tx -----
ComboFix 11-12-28.03 - kikko 12/28/2011 9:23.1.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4095.2544 [GMT -8:00]
Running from: c:\users\kikko\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 17:26 . 2011-12-28 17:26 -------- d-----w- c:\users\Jessica\AppData\Local\temp
2011-12-28 17:26 . 2011-12-28 17:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-28 17:14 . 2011-12-28 17:18 -------- d-----w- C:\HijackThis
2011-12-28 09:24 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{89ED2466-EB02-45D5-AD74-5DFCDBEE2BAD}\mpengine.dll
2011-12-27 10:07 . 2011-12-27 10:07 -------- d-----w- c:\programdata\id Software
2011-12-27 08:53 . 2011-12-27 08:53 -------- d-----w- c:\users\kikko\AppData\Roaming\Malwarebytes
2011-12-27 08:53 . 2011-12-27 08:53 -------- d-----w- c:\programdata\Malwarebytes
2011-12-27 08:53 . 2011-12-27 08:53 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-12-27 08:53 . 2011-09-01 01:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-27 08:46 . 2011-12-27 08:46 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2011-12-27 08:46 . 2011-12-27 08:46 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2011-12-27 08:46 . 2011-12-27 08:46 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2011-12-27 08:46 . 2011-12-27 08:46 43992 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2011-12-21 06:30 . 2011-12-21 06:30 -------- d-----w- c:\programdata\ATI
2011-12-21 06:30 . 2011-12-21 06:30 -------- d-----w- c:\program files (x86)\AMD APP
2011-12-20 04:56 . 2011-11-24 04:52 3145216 ----a-w- c:\windows\system32\win32k.sys
2011-12-11 00:56 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-10 04:22 . 2011-12-10 04:22 -------- d-----w- c:\program files\Logitech Gaming Software
2011-12-10 01:38 . 2011-12-10 01:38 53248 ----a-r- c:\users\kikko\AppData\Roaming\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2011-12-10 01:38 . 2011-12-10 01:38 -------- d-----w- c:\users\kikko\AppData\Roaming\Leadertech
2011-12-10 01:38 . 2011-12-10 01:38 -------- d-----w- c:\program files (x86)\Common Files\LogiShrd
2011-12-10 01:38 . 2011-12-10 01:38 18960 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2011-12-10 01:38 . 2011-12-10 01:38 -------- d-----w- c:\programdata\Logishrd
2011-12-10 01:37 . 2011-12-10 01:38 -------- d-----w- c:\program files\Common Files\LogiShrd
2011-12-10 01:37 . 2011-12-10 01:39 -------- d-----w- c:\users\kikko\AppData\Roaming\Logitech
2011-12-10 01:37 . 2011-12-10 01:37 -------- d-----w- c:\users\kikko\AppData\Roaming\Logishrd
2011-12-10 00:52 . 2011-12-10 00:52 917840 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{82E551DF-8562-49FB-A23D-9AE866DBCC72}\gapaengine.dll
2011-12-10 00:50 . 2011-12-10 00:50 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-12-10 00:50 . 2011-12-10 00:50 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-09 11:41 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E7467E6B-8458-453F-82C4-29355A0CD48B}\mpengine.dll
2011-12-03 00:34 . 2011-12-03 00:34 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-03 00:34 . 2011-12-03 00:34 -------- d-----w- c:\windows\system32\Macromed
2011-12-02 22:00 . 2011-12-02 22:00 -------- d-----w- c:\windows\system32\SPReview
2011-12-02 22:00 . 2011-12-02 22:00 -------- d-----w- c:\windows\system32\EventProviders
2011-12-02 21:54 . 2010-11-20 13:27 444416 ----a-w- c:\windows\system32\winhttp.dll
2011-12-02 21:53 . 2010-11-20 13:27 98304 ----a-w- c:\windows\system32\wudriver.dll
2011-12-02 21:50 . 2010-11-20 13:27 524288 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-12-02 21:50 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2011-12-02 21:50 . 2010-11-20 13:27 1225216 ----a-w- c:\windows\system32\wbem\wbemcore.dll
2011-12-02 21:50 . 2010-11-20 13:27 244736 ----a-w- c:\program files\Windows Portable Devices\sqmapi.dll
2011-12-02 21:50 . 2010-11-20 13:27 244736 ----a-w- c:\windows\system32\sqmapi.dll
2011-12-02 21:50 . 2010-11-20 13:27 933376 ----a-w- c:\windows\system32\SmiEngine.dll
2011-12-02 21:50 . 2010-11-20 13:25 199168 ----a-w- c:\windows\system32\PkgMgr.exe
2011-12-02 21:50 . 2010-11-20 13:26 422912 ----a-w- c:\windows\system32\drvstore.dll
2011-12-02 21:50 . 2010-11-20 13:26 399872 ----a-w- c:\windows\system32\dpx.dll
2011-12-02 21:23 . 2011-12-02 21:23 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-12-01 06:50 . 2011-12-01 06:50 -------- d-----w- c:\users\kikko\AppData\Local\Chromium
2011-12-01 05:44 . 2011-12-20 04:53 -------- d-----w- c:\programdata\Hi-Rez Studios
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-02 22:05 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2011-12-02 22:05 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2011-11-11 22:54 . 2011-11-11 22:54 485576 ----a-w- c:\users\kikko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
2011-11-10 06:39 . 2011-11-10 06:39 69632 ----a-w- c:\windows\system32\OpenVideo64.dll
2011-11-10 06:39 . 2011-11-10 06:39 59904 ----a-w- c:\windows\SysWow64\OpenVideo.dll
2011-11-10 06:39 . 2011-11-10 06:39 61952 ----a-w- c:\windows\system32\OVDecode64.dll
2011-11-10 06:39 . 2011-11-10 06:39 54784 ----a-w- c:\windows\SysWow64\OVDecode.dll
2011-11-10 06:39 . 2011-11-10 06:39 17442304 ----a-w- c:\windows\system32\amdocl64.dll
2011-11-10 06:38 . 2011-11-10 06:38 14375936 ----a-w- c:\windows\SysWow64\amdocl.dll
2011-11-10 06:37 . 2011-11-10 06:37 51200 ----a-w- c:\windows\system32\OpenCL.dll
2011-11-10 06:37 . 2011-11-10 06:37 44032 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-11-10 03:45 . 2011-11-10 03:45 10567680 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-11-10 03:20 . 2011-10-26 02:16 25218048 ----a-w- c:\windows\system32\atio6axx.dll
2011-11-10 03:17 . 2011-11-10 03:17 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2011-11-10 03:16 . 2011-11-10 03:16 774656 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-11-10 03:15 . 2011-01-27 05:59 927232 ----a-w- c:\windows\system32\aticfx64.dll
2011-11-10 03:12 . 2011-10-26 02:01 466944 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-11-10 03:12 . 2011-11-10 03:12 516608 ----a-w- c:\windows\system32\atieclxx.exe
2011-11-10 03:11 . 2011-11-10 03:11 204288 ----a-w- c:\windows\system32\atiesrxx.exe
2011-11-10 03:10 . 2011-11-10 03:10 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-11-10 03:09 . 2011-11-10 03:09 423424 ----a-w- c:\windows\system32\atipdl64.dll
2011-11-10 03:09 . 2011-11-10 03:09 360448 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-11-10 03:09 . 2011-11-10 03:09 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-11-10 03:09 . 2011-11-10 03:09 21504 ----a-w- c:\windows\system32\atimuixx.dll
2011-11-10 03:09 . 2011-11-10 03:09 59392 ----a-w- c:\windows\system32\atiedu64.dll
2011-11-10 03:09 . 2011-11-10 03:09 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-11-10 03:06 . 2011-11-10 03:06 6077952 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-11-10 02:58 . 2011-11-10 02:58 18996224 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-11-10 02:51 . 2011-01-27 05:40 7405056 ----a-w- c:\windows\system32\atidxx64.dll
2011-11-10 02:40 . 2011-11-10 02:40 1113088 ----a-w- c:\windows\system32\atiumd6v.dll
2011-11-10 02:40 . 2011-11-10 02:40 1828864 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2011-11-10 02:40 . 2011-10-26 01:43 4061696 ----a-w- c:\windows\system32\atiumd6a.dll
2011-11-10 02:34 . 2011-11-10 02:34 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-11-10 02:34 . 2011-11-10 02:34 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-11-10 02:34 . 2011-11-10 02:34 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-11-10 02:34 . 2011-11-10 02:34 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-11-10 02:34 . 2011-11-10 02:34 13552640 ----a-w- c:\windows\system32\aticaldd64.dll
2011-11-10 02:33 . 2011-11-10 02:33 5852672 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-11-10 02:29 . 2011-11-10 02:29 11300864 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-11-10 02:29 . 2011-11-10 02:29 4200960 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-11-10 02:24 . 2011-10-26 01:29 7439360 ----a-w- c:\windows\system32\atiumd64.dll
2011-11-10 02:18 . 2011-01-27 05:20 58880 ----a-w- c:\windows\system32\coinst.dll
2011-11-10 02:13 . 2011-10-26 01:22 494592 ----a-w- c:\windows\system32\atiadlxx.dll
2011-11-10 02:13 . 2011-11-10 02:13 348160 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-11-10 02:13 . 2011-10-26 01:22 17408 ----a-w- c:\windows\system32\atig6pxx.dll
2011-11-10 02:13 . 2011-11-10 02:13 14336 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-11-10 02:13 . 2011-11-10 02:13 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2011-11-10 02:13 . 2011-10-26 01:22 39936 ----a-w- c:\windows\system32\atig6txx.dll
2011-11-10 02:12 . 2011-11-10 02:12 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-11-10 02:12 . 2011-11-10 02:12 325632 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-11-10 02:11 . 2011-01-27 05:12 41984 ----a-w- c:\windows\system32\atiuxp64.dll
2011-11-10 02:11 . 2011-11-10 02:11 32256 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-11-10 02:11 . 2011-10-26 01:21 39424 ----a-w- c:\windows\system32\atiu9p64.dll
2011-11-10 02:11 . 2011-11-10 02:11 54784 ----a-w- c:\windows\system32\atimpc64.dll
2011-11-10 02:11 . 2011-11-10 02:11 54784 ----a-w- c:\windows\system32\amdpcom64.dll
2011-11-10 02:11 . 2011-11-10 02:11 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-11-10 02:11 . 2011-11-10 02:11 53760 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-11-10 02:11 . 2011-11-10 02:11 53760 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-11-10 02:10 . 2011-11-10 02:10 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-10-26 05:21 . 2011-10-26 05:21 66560 ----a-w- c:\windows\system32\OVDecoder64.dll
2011-10-26 05:21 . 2011-10-26 05:21 56832 ----a-w- c:\windows\SysWow64\OVDecoder.dll
2011-10-22 04:16 . 2011-10-22 04:16 1843200 ----a-w- c:\windows\SysWow64\SlotMaximizerBe.dll
2011-10-22 04:15 . 2011-10-22 04:15 104448 ----a-w- c:\windows\SysWow64\SlotMaximizerAg.dll
2011-10-22 04:12 . 2011-10-22 04:12 2763264 ----a-w- c:\windows\system32\SlotMaximizerBe.dll
2011-10-22 04:07 . 2011-10-22 04:07 125440 ----a-w- c:\windows\system32\SlotMaximizerAg.dll
2011-10-17 17:40 . 2011-10-17 17:40 93712 ----a-w- c:\windows\system32\drivers\AtihdW76.sys
2011-10-10 05:07 . 2010-11-17 08:32 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-10-10 05:07 . 2010-11-17 08:05 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-10-09 06:22 . 2010-11-17 08:05 280904 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-10-03 13:06 . 2011-04-05 02:25 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-10-02 07:25 . 2010-11-17 08:05 75136 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\192.168.1.67\EPSON Stylus Photo R1800"="c:\windows\system32\spool\DRIVERS\x64\3\E_IATI9LA.EXE" [2007-01-12 211968]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-03-30 113296]
"Monitor"="c:\program files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-11-19 193880]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-11-10 343168]
.
c:\users\kikko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2011-2-6 100352]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [x]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-28 288272]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 VaneFltr;Lachesis Mouse Driver;c:\windows\system32\drivers\Lachesis.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 VBoxDrv;VirtualBox Service;c:\windows\system32\DRIVERS\VBoxDrv.sys [x]
S1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\DRIVERS\VBoxUSBMon.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2011-11-10 361984]
S2 AODDriver4.01;AODDriver4.01;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [2011-06-24 55424]
S2 RichVideo64;Cyberlink RichVideo64 Service(CRVS);c:\program files\Cyberlink\Shared files\RichVideo64.exe [2010-08-20 386344]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [x]
S3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\DRIVERS\VBoxNetAdp.sys [x]
S3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\DRIVERS\VBoxNetFlt.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3686450549-117384506-567555741-1000Core.job
- c:\users\kikko\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-16 05:20]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3686450549-117384506-567555741-1000UA.job
- c:\users\kikko\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-16 05:20]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3686450549-117384506-567555741-1003Core.job
- c:\users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-16 03:54]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3686450549-117384506-567555741-1003UA.job
- c:\users\Jessica\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-16 03:54]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1744152]
"Launch LCore"="c:\program files\Logitech Gaming Software\LCore.exe" [2011-09-29 110360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\kikko\AppData\Roaming\Mozilla\Firefox\Profiles\z012xdg1.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ESN Sonar-0.70.0 - c:\program files (x86)\Battlelog Web Plugins\Sonar\esnsonar_uninstall.exe
.
.
"ImagePath"="\"c:\program files\Cyberlink\Shared files\RichVideo64.exe\"\00Z
[\]^_d\01\00e\00\00\00\00HIJKLMNO\00\00\00\00\00\00\00\00\03\00\00\00|}~d\01\00e\00\00\00\00e\00\00\00\00\00\00\00\00‘’“"
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3686450549-117384506-567555741-1000\Software\SecuROM\License information*]
"datasecu"=hex:19,d7,a2,b1,02,5b,e2,24,24,f0,c8,7d,1c,82,0d,ed,bc,d2,a8,67,bf,
a4,e9,1d,e0,43,64,af,fd,f5,17,4b,cc,d6,df,21,49,c0,bd,e9,98,86,0b,ac,3f,4d,\
"rkeysecu"=hex:2d,1e,8e,63,a8,fc,43,96,57,58,34,f8,d6,2f,f9,0d
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10m.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2011-12-28 09:31:02 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-28 17:31
.
Pre-Run: 33,913,073,664 bytes free
Post-Run: 34,186,932,224 bytes free
.
- - End Of File - - 3FE4EF40E379AABA8CF54101487437C3

----- hijackthis.log -----
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:18:33 AM, on 12/28/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech Gaming Software\plugins\LCDAppletsMono-8.12.072\Applets\x86\LCDMedia.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O1 - Hosts: 217.23.4.166 www.google-analytics.com.
O1 - Hosts: 217.23.4.166 ad-emea.doubleclick.net.
O1 - Hosts: 217.23.4.166 www.statcounter.com.
O1 - Hosts: 69.72.252.254 www.google-analytics.com.
O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
O1 - Hosts: 69.72.252.254 www.statcounter.com.
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [Google Update] "C:\Users\kikko\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [\\192.168.1.67\EPSON Stylus Photo R1800] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATI9LA.EXE /FU "C:\Windows\TEMP\E_SCB3C.tmp" /EF "HKCU"
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Cyberlink RichVideo64 Service(CRVS) (RichVideo64) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo64.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7819 bytes
 
You're welcome!

Let me know if HJT gives you any problem removing these:
Please reopen HijackThis to 'do system scan only,' Check eaxh of the following, if present:

O1 - Hosts: 217.23.4.166 www.google-analytics.com.
O1 - Hosts: 217.23.4.166 ad-emea.doubleclick.net.
O1 - Hosts: 217.23.4.166 www.statcounter.com.
O1 - Hosts: 69.72.252.254 www.google-analytics.com.
O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
O1 - Hosts: 69.72.252.254 www.statcounter.com.


Close all Windows except HijackThis and click on "Fix Checked."
====================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exelink and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
    esetonlinescannersettings_thumb.jpg
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives/
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
=================================
Although you have some extra processes running I see in Combofix, they aren't malware. But I'd like to run this also:

Update and rescan with Malwarebytes: Note: On the Scanner tab, make sure the the Perform Full Scan option is selected and then click on the Scan button.
When scan has finished, you will see this image:
scan-finished.jpg

  • Click on OK to close box and continue.
  • Click on the Show Results button.
  • Click on the Remove Selected button to remove all the listed malware.
  • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
 
ESET scan didn't find anything, no log generated.

HijackThis still reported Hosts file was write protected. The scan did not list the O1 host file items this time though. I opened the hosts file itself and all it had in it was the localhost set to the loopback ip address. Log below.

Malwarebyte's Anti-Malware also reported 0 threats. Log below.

- - - - Hijackthis Log - - - -

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:36:46 PM, on 12/29/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\Logitech Gaming Software\plugins\LCDAppletsMono-8.12.072\Applets\x86\LCDMedia.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
O4 - HKLM\..\Run: [Monitor] "C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [\\192.168.1.67\EPSON Stylus Photo R1800] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATI9LA.EXE /FU "C:\Windows\TEMP\E_SCB3C.tmp" /EF "HKCU"
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files (x86)\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Cyberlink RichVideo64 Service(CRVS) (RichVideo64) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo64.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7086 bytes


- - - - MB Anti-Malware - - - -
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 911122701

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

12/29/2011 11:58:29 AM
mbam-log-2011-12-29 (11-58-29).txt

Scan type: Full scan (C:\|D:\|H:\|)
Objects scanned: 343184
Time elapsed: 25 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Are you still being redirected?

New Holiday Notice! I will not be working on the threads Sat. Dec. 31 or Sunday Jan. 1 I will begin with the oldest threads first on Monday. I will do my best to get you finished or as far along as I can before that. Please do not send a PM during those days.
 
Hey Bobbye, I haven't noticed any redirects today but I haven't been using my computer more than an hour or so. I think I'm in the clear, but can we keep the thread open through the weekend?
 
Sorry for delay. Please use the system or a couple of days and make sure the redirect has been resolved. The logs look good> we need to handle the following:

Replacing Hosts files- Links::
Download: hosts.zip

How To: Download and Extract the HOSTS files

HOSTS File - Frequently Asked Questions

Text version for determining possible unwanted connections

Get notified when the MVPS HOSTS file is updated
-----------------------
Install a Site Advisor
Web of Trust (WOT)[/b] add-on is a safe surfing tool for your browser. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.Your online email account – Google Mail, Yahoo! Mail and Hotmail is also protected.

Every time you do a search and the screen comes up with the sites, they will have the rating light:
Green (2 shades)> Good to go.
Amber/Yellow> use Caution,
Red> not advised.
 
Hey Bobbye, thank you so much.

I haven't noticed any redirects this week at all. Very nice.

I've replaced my hosts file with the epic MVPS hosts file. It never occurred to me that you could block access to unwanted servers by redirecting to localhost, fantastic. I was a little hesitant when I read it could slow your machine down, but I'll use the registry work around of limiting the time the DNS cache is saved if I notice slowness. I can't disable DNS Client because I use Network Discovery. I also subscribed to the feed so I'll receive update notices about the MVPS hosts file.

I'm grabbing the WoT firefox add-on now.

I think that covers it. Am I all set?
 
You're very welcome for the help.

It never occurred to me that you could block access to unwanted servers by redirecting to localhost, fantastic.

Hijacking the host files is a favorite malware action- the one thing that helps us is that we can see the hijcaked hosts. So you're not actually blocking those unwanted servers> you are actually removing the damage the malware did.
=========================================
The system looks good. You can just install WOT on the OS itself- it will cover the browser you use. I have to do a lot of searching at times to identify unknown file. I am always amazed that most of the site I see come up RED in WOT- I don't go near those sites and it has served me well.
==========================================
Let's clean up and then I'll leave some tips to help you stay that way:
Remove all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
    [o] Click START> then RUN
    [o] Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
    [o] Double click OTCleanIt.exe.
    [o] Click the CleanUp! button.
    [o] If you are prompted to Reboot during the cleanup, select Yes.
    [o]The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
  • Set a new, clean Restore Point
    [o] Click on Start> right click on Computer> Properties
    [o] Select System Protection
    [o] Click on the Create button (near bottom)
    [o] Type a name for the Restore Point
    [o] Click on Create again to save the restore point.
  • Deleting all but the most recent System Protection point in Windows 7
    [o] Click Start> Computer> right click the C Drive and choose Properties> enter.
    [o] Click Disk Cleanup from there.
    image2.png

    [o] Click Clean up system files
    This restarts Disk Cleanup to run in elevated mode.
    [o] Click the More Options tab
    w7-srp2.png

    [o] Click the Clean up under System Restore and Shadow Copies.
    [o] Click OK.
    [o] You will get a confirmation screen> Just click Delete.
    [o] Click OK on the Disk Cleanup Screen.
    [o] Click Delete Files on the Confirmation screen.
image6.png

This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
Images courtesy lytebyte.

Empty the Recycle Bin
==================================
Tips for added security and safer browsing: (Links are in Bold Blue)
  1. Browser Security
    [o] Safe Settings (Please ignore the suggestion to use the Registry Editor in this section "Creating a Custom Security Zone")
    [o] ZonedOut. This manages the Zones in Internet Explorer. (Browser, version and OS dependent 7)
    [o] Replace the Host Files
    [o] Google Toolbar Pop Up Blocker
    [o]Web of Trust (WOT) Site Advisor. Traffic-light rating symbols show which rate the site for Trustworthiness, Vendor Reliability, Privacy, Child Safety.
  2. Have layered Security:
    [o]Antivirus :(only one):Both of the following programs are free and known to be good:
    [o]Avira-AntiVir-Personal-Free-Antivirus
    [o]Avast-Free Antivirus
    [o]Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
    [o]Comodo
    [o]Zone Alarm
  3. Antimalware: I recommend all of the following:
    [o]Spywareblaster: SpywareBlaster protects against bad ActiveX.
    [o]Spybot Search & Destroy
  4. Updates: Stay current:
    [o] the Microsoft Download Sitefrequently. All updates marked Critical and the current SP updates.
    [o]Adobe Reader Install current, uninstall old.
    [o]Java Updates Install current, uninstall old.
  5. Tracking Cookies
    Reset Cookie:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
    [o]For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
  6. Do regular Maintenance
    Clean the temporary internet files often:
    [o] Temporary File Cleaner]
    or
    [o] ATF Cleaner by Atribune
  7. Restore Points:
    [o]See System Restore Guide
  8. Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
Please let me know if you find any bad link.

You might want to note #3 and add antimalware and I highly recommend the 2 addons for Firefox at the end of #5.
 
Thanks dude. removed Combofix, ran OTCleanit, did the restore point and removed all old ones, etc.

ABP add-on was already installed along with NoScript, I subscribed to the EasyList list for ABP.

A question about firewall/antimalware/antivirus apps: I'm running Microsoft's Security Essentials. I shouldn't install another anti-virus or anti-malware while I'm using that right, because they can interfere with each other? What about a firewall, can I run Zone Alarm in tandem with Microsoft Security Essentials?
 
I shouldn't install another anti-virus or anti-malware while I'm using that right, because they can interfere with each other?

There are some who think that having MSE is all the security needed to protect a system. I am not one of those people. MS represents MSE as full protection but I find it is really 'only' an antivirus program. To protect a system fully there should be:

You need one antivirus> yes in MSE
You need one firewall> Noe in MSE.
A software firewall should be added. The Windows firewall is not sufficient
You need at least 2 antimalware programs. Preferably ones that protect the system differently. MSE has some protection in this area. But I'd add:
Spywareblaster
Spybot Search & Destroy.

For even better security, use a router. It will have a hardware firewall. I ran ZoneAlarm for years. Then I got a router> kept ZA running with router (1 software firewall and a hardware firewall are okay) I ran the 2 for 3 months and there were no hits in the ZA log. I removed ZA and use the router.

The concept you want to understand is that when you have 2 (or more) programs that are trying to do the same thing, that's the source of conflict. AV looks for virus/Trojan, etc. footprints. FW listens at ports> bidirectional FW like ZA listens to both incoming and outgoing ports. Antimalware programs can be combined as different types of protection.

Does that help? FYI, I have Nod32 AV, router, Spywareblaster, Spybot S&D.I also use Secunia. I prefer the free-standing programs rather than the suites. and I also usually get the paid version for the AV because if I need help with anything, the paid is a bit better than the free versions.
 
Status
Not open for further replies.
Back