
Malwarebytes blocking access to 91.218.121.57 from Firefox



Malwarebytes successfully removed several infections from my computer, including a rootkit, using instructions I found in this forum. I still have an issue with Firefox apparently being hijacked. Sometimes when I click a Google link it redirects to an unknown site. I upgraded to the paid version, and now Malwarebytes reports it is blocking a connection to 91.218.121.57 on a high-numbered port. This happens every time I browse to Google.com.

As directed, I ran a Malwarebytes quick scan. Here is the log:

Malwarebytes Anti-Malware (Trial) 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.24.12

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 9.0.8112.16421

jeff2 :: JEFF-PC [administrator]

Protection: Enabled

7/24/2012 1:05:50 PM

mbam-log-2012-07-24 (13-05-50).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 273788

Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

These are DDS.txt and Attach.txt. Please note that the changes to the hosts file are my changes and should be fine.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31

Run by jeff2 at 13:34:34 on 2012-07-24

Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8191.4345 [GMT -7:00]

.

AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\windows\system32\wininit.exe

C:\windows\system32\lsm.exe

C:\windows\system32\svchost.exe -k DcomLaunch

C:\windows\system32\svchost.exe -k RPCSS

C:\windows\system32\atiesrxx.exe

C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\windows\system32\svchost.exe -k netsvcs

C:\windows\system32\svchost.exe -k LocalService

C:\windows\system32\atieclxx.exe

C:\windows\system32\svchost.exe -k NetworkService

C:\windows\System32\spoolsv.exe

C:\windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Carbonite\Carbonite Mirror Image\CarboniteMirrorImage.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

c:\program files\mysql\mysql server 5.5\bin\mysqld.exe

C:\windows\System32\svchost.exe -k HPZ12

C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe

C:\Program Files (x86)\OpenVPN\bin\openvpnserv.exe

C:\Program Files (x86)\OpenVPN\bin\openvpn.exe

C:\windows\system32\conhost.exe

C:\windows\System32\svchost.exe -k HPZ12

C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe

C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe

C:\windows\System32\snmp.exe

C:\windows\system32\svchost.exe -k imgsvc

C:\Program Files\Windows Live\Mesh\wlcrasvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\windows\system32\taskhost.exe

C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\ccSvcHst.exe

C:\windows\system32\SearchIndexer.exe

C:\Windows\system32\WUDFHost.exe

C:\windows\system32\Dwm.exe

C:\windows\Explorer.EXE

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\SysInternalsSuite\Desktops.exe

C:\Program Files (x86)\MP3 Skype Recorder\MP3 Skype Recorder.exe

C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe

C:\Program Files (x86)\Windows Live\Mesh\WLSync.exe

C:\Program Files (x86)\Skype\Phone\Skype.exe

C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe

C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

C:\windows\SysWOW64\svchost.exe -k hpdevmgmt

C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe

C:\windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files (x86)\Windows Live\Mesh\MOE.exe

C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

C:\windows\system32\DllHost.exe

C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe

C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe

C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

C:\windows\ehome\ehRecvr.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE

C:\windows\system32\vssvc.exe

C:\windows\System32\svchost.exe -k swprv

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\TortoiseGit\bin\TGitCache.exe

C:\windows\system32\prevhost.exe

C:\windows\system32\svchost.exe -k SDRSVC

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\windows\splwow64.exe

C:\windows\system32\SearchProtocolHost.exe

C:\windows\system32\SearchFilterHost.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Internet Explorer\iexplore.exe

C:\windows\SysWOW64\cmd.exe

C:\windows\system32\conhost.exe

C:\windows\SysWOW64\cscript.exe

C:\windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\coIEPlg.dll

BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\IPS\IPSBHO.DLL

BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: WinZip Courier BHO: {a8fb70fa-0fdf-4601-9dc4-bfa1b357204f} - C:\PROGRA~2\WINZIP~1\wzwmcie.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\coIEPlg.dll

uRun: [sysinternals Desktops] C:\SysInternalsSuite\Desktops.exe

uRun: [MP3 Skype Recorder] C:\Program Files (x86)\MP3 Skype Recorder\MP3 Skype Recorder.exe

uRun: [WLSync] "C:\Program Files (x86)\Windows Live\Mesh\WLSync.exe" /background

uRun: [skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun

mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe

mRun: [intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup

mRun: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\GOOGLE~1.LNK - C:\Program Files (x86)\Google\Google Calendar Sync\GoogleCalendarSync.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INTUIT~1.LNK - C:\Program Files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MCAFEE~1.LNK - C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WNDA3100v2\WNDA3100v2.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~2.LNK - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\QUICKB~1.LNK - C:\Program Files (x86)\Intuit\QuickBooks 2012\QBW32.EXE

uPolicies-explorer: AlwaysShowClassicMenu = 1 (0x1)

uPolicies-explorer: ConfirmFileDelete = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

mPolicies-system: SoftwareSASGeneration = 1 (0x1)

IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - C:\PROGRA~1\MICROS~4\Office14\ONBttnIE.dll/105

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

LSP: %SystemRoot%\system32\vsocklib.dll

Trusted Zone: intuit.com\ttlc

DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/select/asusTek_sys_ctrl3.cab

DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.6.0.cab

DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab

DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxps://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {B6648EB8-2460-484F-9255-9654454C4C70} - hxxps://ouvpn.us.oracle.com/prx/000/http/localhost/arr_x.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F9CD2233-6744-47C1-A6AE-00C30A35F73D} - hxxps://myaccount.cox.net/internettools/scripts/Inspector.cab

TCP: Interfaces\{3BA5415D-017F-4842-A7B5-36D1E68572AA} : DhcpNameServer = 192.168.17.1

TCP: Interfaces\{873265EB-5194-4A9B-B740-02E3211B74B9} : DhcpNameServer = 192.168.42.129

TCP: Interfaces\{B351DF5A-6FCD-415B-9CB7-7E5004452411}\E45445745414254363 : DhcpNameServer = 192.168.17.1

TCP: Interfaces\{D6F90E62-31AA-493D-83B2-401CD4F04F50} : DhcpNameServer = 192.168.42.129

TCP: Interfaces\{EBC9AA4C-60EC-414E-8BC9-809E6BA64EA7} : NameServer = 68.105.28.13,68.105.29.13

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - C:\Program Files (x86)\Intuit\QuickBooks 2012\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\System32\mscoree.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\MP3 Skype Recorder\Skype4Com.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"

BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO-X64: 0x1 - No File

BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

BHO-X64: HP Print Enhancer - No File

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\coIEPlg.dll

BHO-X64: Norton Identity Protection - No File

BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\IPS\IPSBHO.DLL

BHO-X64: Norton Vulnerability Protection - No File

BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

BHO-X64: Search Helper - No File

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO-X64: WinZip Courier BHO: {A8FB70FA-0FDF-4601-9DC4-BFA1B357204F} - C:\PROGRA~2\WINZIP~1\wzwmcie.dll

BHO-X64: WinZip Courier BHO - No File

BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

BHO-X64: SkypeIEPluginBHO - No File

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

BHO-X64: HP Smart BHO Class - No File

TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\coIEPlg.dll

mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe

mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe

mRun-x64: [intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup

mRun-x64: [startCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

mRun-x64: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe" aml

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

Hosts: 10.145.54.1 picard.vpn.huntereight.com

Hosts: 10.145.54.10 gelt.vpn.huntereight.com

Hosts: 10.145.54.6 test.vpn.huntereight.com

Hosts: 10.145.54.14 jwpc.vpn.huntereight.com

Hosts: 50.57.171.12 picard.huntereight.com

.

Note: multiple HOSTS entries found. Please refer to Attach.txt

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\jeff2\AppData\Roaming\Mozilla\Firefox\Profiles\ih3dpzj7.default\

FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Program Files (x86)\WinZip Courier\npwzwmc.dll

FF - plugin: C:\Users\jeff2\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: C:\Windows\system32\Wat\npWatWeb.dll

FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SCMNdisP;General NDIS Protocol Driver;C:\windows\system32\DRIVERS\scmndisp.sys --> C:\windows\system32\DRIVERS\scmndisp.sys [?]

R0 SymDS;Symantec Data Store;C:\windows\system32\drivers\NISx64\1307010.005\SYMDS64.SYS --> C:\windows\system32\drivers\NISx64\1307010.005\SYMDS64.SYS [?]

R0 SymEFA;Symantec Extended File Attributes;C:\windows\system32\drivers\NISx64\1307010.005\SYMEFA64.SYS --> C:\windows\system32\drivers\NISx64\1307010.005\SYMEFA64.SYS [?]

R0 vididr;Acronis Virtual Disk;C:\windows\system32\DRIVERS\vididr.sys --> C:\windows\system32\DRIVERS\vididr.sys [?]

R0 vidsflt53;Acronis Disk Storage Filter (53);C:\windows\system32\DRIVERS\vsflt53.sys --> C:\windows\system32\DRIVERS\vsflt53.sys [?]

R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\BASHDefs\20120711.002\BHDrvx64.sys [2012-7-11 1161376]

R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\windows\system32\drivers\NISx64\1307010.005\ccSetx64.sys --> C:\windows\system32\drivers\NISx64\1307010.005\ccSetx64.sys [?]

R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\IPSDefs\20120722.001\IDSviA64.sys [2012-7-23 509088]

R1 SymIRON;Symantec Iron Driver;C:\windows\system32\drivers\NISx64\1307010.005\Ironx64.SYS --> C:\windows\system32\drivers\NISx64\1307010.005\Ironx64.SYS [?]

R1 SymNetS;Symantec Network Security WFP Driver;C:\windows\system32\Drivers\NISx64\1307010.005\SYMNETS.SYS --> C:\windows\system32\Drivers\NISx64\1307010.005\SYMNETS.SYS [?]

R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]

R2 AMD External Events Utility;AMD External Events Utility;C:\windows\system32\atiesrxx.exe --> C:\windows\system32\atiesrxx.exe [?]

R2 Carbonite-Mirror-Image-Svc;Carbonite Mirror Image Backup Service;C:\Program Files\Carbonite\Carbonite Mirror Image\CarboniteMirrorImage.exe [2011-9-16 3172864]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [2011-8-25 13672]

R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-12 655944]

R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.7.1.5\ccsvchst.exe [2012-7-13 138232]

R2 QBVSS;QBIDPService;C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [2011-8-19 1248256]

R2 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

R3 amdkmdag;amdkmdag;C:\windows\system32\DRIVERS\atikmdag.sys --> C:\windows\system32\DRIVERS\atikmdag.sys [?]

R3 amdkmdap;amdkmdap;C:\windows\system32\DRIVERS\atikmpag.sys --> C:\windows\system32\DRIVERS\atikmpag.sys [?]

R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\windows\system32\drivers\AtihdW76.sys --> C:\windows\system32\drivers\AtihdW76.sys [?]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-7-19 138912]

R3 MBAMProtector;MBAMProtector;\??\C:\windows\system32\drivers\mbam.sys --> C:\windows\system32\drivers\mbam.sys [?]

R3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]

R3 RDPDISPM;RDPDISPM;C:\windows\system32\DRIVERS\rdpdispm.sys --> C:\windows\system32\DRIVERS\rdpdispm.sys [?]

R3 RTL8167;Realtek 8167 NT Driver;C:\windows\system32\DRIVERS\Rt64win7.sys --> C:\windows\system32\DRIVERS\Rt64win7.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-12-21 136176]

S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-6-7 160944]

S2 WSWNDA3100;WSWNDA3100;C:\Program Files (x86)\NETGEAR\WNDA3100v2\WifiSvc.exe [2012-1-11 272864]

S3 Apache2.2;Apache2.2;C:\xampp\apache\bin\httpd.exe [2010-10-17 20549]

S3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;C:\windows\system32\DRIVERS\bcmwlhigh664.sys --> C:\windows\system32\DRIVERS\bcmwlhigh664.sys [?]

S3 dmvsc;dmvsc;C:\windows\system32\drivers\dmvsc.sys --> C:\windows\system32\drivers\dmvsc.sys [?]

S3 fssfltr;fssfltr;C:\windows\system32\DRIVERS\fssfltr.sys --> C:\windows\system32\DRIVERS\fssfltr.sys [?]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-12-21 136176]

S3 HTCAND64;HTC Device Driver;C:\windows\system32\Drivers\ANDROIDUSB.sys --> C:\windows\system32\Drivers\ANDROIDUSB.sys [?]

S3 HtcUsbMdmV64;HTC Proprietary USB Driver;C:\windows\system32\DRIVERS\HtcUsbMdmV64.sys --> C:\windows\system32\DRIVERS\HtcUsbMdmV64.sys [?]

S3 HtcVCom32;HTC Diagnostic Port;C:\windows\system32\DRIVERS\HtcVComV64.sys --> C:\windows\system32\DRIVERS\HtcVComV64.sys [?]

S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\windows\system32\drivers\IntcHdmi.sys --> C:\windows\system32\drivers\IntcHdmi.sys [?]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files\Microsoft Office\Office14\GROOVE.EXE [2011-6-12 51740536]

S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-7-23 113120]

S3 ose64;Office 64 Source Engine;C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2010-1-9 174440]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\windows\system32\drivers\rdpvideominiport.sys --> C:\windows\system32\drivers\rdpvideominiport.sys [?]

S3 Synth3dVsc;Synth3dVsc;C:\windows\system32\drivers\synth3dvsc.sys --> C:\windows\system32\drivers\synth3dvsc.sys [?]

S3 terminpt;Microsoft Remote Desktop Input Driver;C:\windows\system32\drivers\terminpt.sys --> C:\windows\system32\drivers\terminpt.sys [?]

S3 TsUsbFlt;TsUsbFlt;C:\windows\system32\drivers\tsusbflt.sys --> C:\windows\system32\drivers\tsusbflt.sys [?]

S3 TsUsbGD;Remote Desktop Generic USB Device;C:\windows\system32\drivers\TsUsbGD.sys --> C:\windows\system32\drivers\TsUsbGD.sys [?]

S3 tsusbhub;tsusbhub;C:\windows\system32\drivers\tsusbhub.sys --> C:\windows\system32\drivers\tsusbhub.sys [?]

S3 VBoxUSB;VirtualBox USB;C:\windows\system32\Drivers\VBoxUSB.sys --> C:\windows\system32\Drivers\VBoxUSB.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]

S4 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]

S4 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2012-3-8 1492840]

S4 SgtSch2Svc;Seagate Scheduler2 Service;C:\Program Files (x86)\Common Files\Seagate\Schedule2\schedul2.exe [2011-6-30 1191408]

S4 tvnserver;TightVNC Server;C:\Program Files (x86)\TightVNC\tvnserver.exe [2011-8-3 828944]

S4 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe [2011-8-29 846448]

S4 XAMPP;XAMPP Service;C:\xampp\service.exe [2007-12-20 60928]

.

=============== Created Last 30 ================

.

2012-07-24 11:13:19 -------- d-----w- C:\Users\jeff2\AppData\Local\{6657D100-BB68-486A-AF1B-94A21FB21962}

2012-07-24 11:13:04 -------- d-----w- C:\Users\jeff2\AppData\Local\{DAD39536-AF73-4F02-95CD-7E6FEA0CD622}

2012-07-24 01:13:15 -------- d-sh--w- C:\$RECYCLE.BIN

2012-07-23 23:12:37 -------- d-----w- C:\Users\jeff2\AppData\Local\{FCC9B01B-9D91-4208-BC9F-70F53FA04034}

2012-07-23 19:52:23 -------- d-----w- C:\Users\jeff2\AppData\Roaming\TortoiseGit

2012-07-23 11:11:43 -------- d-----w- C:\Users\jeff2\AppData\Local\{3D8CA742-13DC-47C0-8C93-51927F43D58A}

2012-07-22 23:11:14 -------- d-----w- C:\Users\jeff2\AppData\Local\{2C807373-0F4F-42B5-A8B3-F4CC75C60AFE}

2012-07-22 11:10:47 -------- d-----w- C:\Users\jeff2\AppData\Local\{747BFDC7-DD2C-464B-80B1-9F1FDB76E1E5}

2012-07-21 23:10:07 -------- d-----w- C:\Users\jeff2\AppData\Local\{0E851CBC-7CB5-4A85-B63D-61B8C898F3D2}

2012-07-21 11:09:28 -------- d-----w- C:\Users\jeff2\AppData\Local\{3853F252-093F-4D7F-8613-D176B4623016}

2012-07-20 23:08:37 -------- d-----w- C:\Users\jeff2\AppData\Local\{EA3BF1F0-EA9A-4D99-A27B-C62A0E608F02}

2012-07-20 17:22:31 -------- d-----w- C:\Users\jeff2\AppData\Local\TGitCache

2012-07-20 11:08:07 -------- d-----w- C:\Users\jeff2\AppData\Local\{EEF6664F-72E5-4464-8CB9-3F008BF243A1}

2012-07-20 11:07:42 -------- d-----w- C:\Users\jeff2\AppData\Local\{07C13613-C5EB-48E2-B2FD-F3B4FCD0F260}

2012-07-19 23:07:10 -------- d-----w- C:\Users\jeff2\AppData\Local\{27E326EC-0C4A-44BA-B397-2D4C5C98442B}

2012-07-19 18:03:24 -------- d-----w- C:\Program Files (x86)\Common Files\TortoiseOverlays

2012-07-19 18:03:23 -------- d-----w- C:\Program Files\TortoiseGit

2012-07-19 18:03:23 -------- d-----w- C:\Program Files\Common Files\TortoiseOverlays

2012-07-19 17:49:27 -------- d-----w- C:\Program Files (x86)\Git

2012-07-19 15:49:38 -------- d-----w- C:\Users\jeff2\AppData\Roaming\webex

2012-07-19 15:49:07 -------- d-----w- C:\ProgramData\WebEx

2012-07-19 11:06:42 -------- d-----w- C:\Users\jeff2\AppData\Local\{423F8D02-3E40-4CDD-A2C8-66850D7E55E2}

2012-07-18 23:04:04 -------- d-----w- C:\Users\jeff2\AppData\Local\{DD05D3B9-61FD-405E-B7EA-71A497CAB7B8}

2012-07-18 11:03:36 -------- d-----w- C:\Users\jeff2\AppData\Local\{4505569B-DF37-4736-AF62-D511121DD5F1}

2012-07-17 23:03:05 -------- d-----w- C:\Users\jeff2\AppData\Local\{FD63C07E-E705-4C92-961C-91A3F70B1439}

2012-07-17 11:02:39 -------- d-----w- C:\Users\jeff2\AppData\Local\{239C6FBD-834D-4482-A4F5-04466A8A1B25}

2012-07-16 23:02:02 -------- d-----w- C:\Users\jeff2\AppData\Local\{4A6352F7-D589-4FEC-94BA-18FC88431BCC}

2012-07-16 11:01:36 -------- d-----w- C:\Users\jeff2\AppData\Local\{0803665C-067A-4BD4-9EB3-F6F34DE25B7B}

2012-07-15 23:01:10 -------- d-----w- C:\Users\jeff2\AppData\Local\{4F3BD8CB-510F-4946-BB9E-47DB50EE9B62}

2012-07-15 11:00:27 -------- d-----w- C:\Users\jeff2\AppData\Local\{A67DE634-8B80-4D00-8263-DD2980426D44}

2012-07-15 11:00:09 -------- d-----w- C:\Users\jeff2\AppData\Local\{0958267D-580B-4401-B706-1380CF502627}

2012-07-15 00:56:39 -------- d-----w- C:\Users\jeff2\AppData\Local\NeoSmart_Technologies

2012-07-15 00:11:41 -------- d-----w- C:\Program Files (x86)\NirSoft

2012-07-14 22:59:32 -------- d-----w- C:\Users\jeff2\AppData\Local\{03133F0C-3016-4D6F-8A47-B95013871E51}

2012-07-14 22:59:01 -------- d-----w- C:\Users\jeff2\AppData\Local\{0AD6D424-971A-4325-AFF8-80590E96E35C}

2012-07-14 10:47:35 -------- d-----w- C:\Users\jeff2\AppData\Local\{9627DA19-99B3-4A8F-B4F8-7D6E4C856958}

2012-07-14 10:47:13 -------- d-----w- C:\Users\jeff2\AppData\Local\{18576B5D-BB30-43D7-BDAF-6F74A10378FA}

2012-07-14 10:32:11 -------- d-----w- C:\Users\jeff2\AppData\Local\{58EB4D3C-739B-44C0-B4D6-EB284EB15870}

2012-07-14 10:28:15 98816 ----a-w- C:\windows\sed.exe

2012-07-14 10:28:15 518144 ----a-w- C:\windows\SWREG.exe

2012-07-14 10:28:15 256000 ----a-w- C:\windows\PEV.exe

2012-07-14 10:28:15 208896 ----a-w- C:\windows\MBR.exe

2012-07-14 06:03:56 -------- d--h--w- C:\windows\msdownld.tmp

2012-07-13 22:50:01 737912 ----a-w- C:\windows\System32\drivers\NISx64\1307010.005\srtsp64.sys

2012-07-13 22:50:01 451192 ----a-r- C:\windows\System32\drivers\NISx64\1307010.005\symds64.sys

2012-07-13 22:50:01 405624 ----a-w- C:\windows\System32\drivers\NISx64\1307010.005\symnets.sys

2012-07-13 22:50:01 37496 ----a-w- C:\windows\System32\drivers\NISx64\1307010.005\srtspx64.sys

2012-07-13 22:50:01 190072 ----a-w- C:\windows\System32\drivers\NISx64\1307010.005\ironx64.sys

2012-07-13 22:50:01 167048 ----a-w- C:\windows\System32\drivers\NISx64\1307010.005\ccsetx64.sys

2012-07-13 22:50:01 1092728 ----a-w- C:\windows\System32\drivers\NISx64\1307010.005\symefa64.sys

2012-07-13 22:31:34 -------- d-----w- C:\Users\jeff2\AppData\Local\{CFAD4CB4-149F-4F2B-9C39-99696CB237B3}

2012-07-13 22:31:14 -------- d-----w- C:\Users\jeff2\AppData\Local\{EBE7FCDC-8ECE-4077-ACF1-84F93A12D0CD}

2012-07-13 22:20:17 -------- d-----w- C:\Users\jeff2\AppData\Local\{D5D917B7-00D2-4A56-A0DE-095D8B02FC5F}

2012-07-13 03:17:56 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared

2012-07-13 03:07:55 175736 ----a-w- C:\windows\System32\drivers\SYMEVENT64x86.SYS

2012-07-13 03:07:55 -------- d-----w- C:\Program Files\Symantec

2012-07-13 03:07:40 -------- d-----w- C:\Program Files (x86)\Norton Internet Security

2012-07-13 01:41:26 -------- d-sh--w- C:\windows\System32\%APPDATA%

2012-07-13 01:38:38 -------- d-----w- C:\Users\jeff2\AppData\Local\{C63E3001-CC8B-11E1-8270-B8AC6F996F26}

2012-07-13 01:38:38 -------- d-----w- C:\Users\jeff2\AppData\Local\{C63DF453-CC8B-11E1-8270-B8AC6F996F26}

2012-07-12 19:11:40 3148800 ----a-w- C:\windows\System32\win32k.sys

2012-07-12 19:03:29 -------- d-----w- C:\Users\jeff2\AppData\Local\{7CE21CF4-BA07-4599-8F7B-2D508BF440AF}

2012-07-12 19:01:37 -------- d-----w- C:\Users\jeff2\AppData\Local\{C8C1BC19-9A20-4EEF-A151-F8282A2AFDA6}

2012-07-12 16:45:51 514560 ----a-w- C:\windows\SysWow64\qdvd.dll

2012-07-12 16:45:51 366592 ----a-w- C:\windows\System32\qdvd.dll

2012-07-12 05:23:07 -------- d-----w- C:\Users\jeff2\AppData\Local\{E086BF17-3E0E-4EE2-852B-FBA41E824A6A}

2012-07-11 17:22:41 -------- d-----w- C:\Users\jeff2\AppData\Local\{3263903B-E577-4CE5-B496-F93A34569407}

2012-07-11 05:22:05 -------- d-----w- C:\Users\jeff2\AppData\Local\{11002A4B-761E-4FBF-94B9-153F436723C4}

2012-07-10 17:21:25 -------- d-----w- C:\Users\jeff2\AppData\Local\{46C59AE5-4B04-43DC-8A6E-E22C57170DE4}

2012-07-10 05:20:56 -------- d-----w- C:\Users\jeff2\AppData\Local\{FD4AEF0A-0C23-4FE6-AA17-89CBB8D8F412}

2012-07-09 17:20:31 -------- d-----w- C:\Users\jeff2\AppData\Local\{A15A70FA-744F-4283-88AD-C3A76D2B08FD}

2012-07-09 05:20:04 -------- d-----w- C:\Users\jeff2\AppData\Local\{B8047751-4410-4073-8C60-99A79BDCBE6A}

2012-07-08 23:37:33 -------- d-----w- C:\Users\jeff2\AppData\Local\TerraGo Technologies

2012-07-08 23:34:15 -------- d-----w- C:\Users\jeff2\AppData\Local\Downloaded Installations

2012-07-08 17:19:25 -------- d-----w- C:\Users\jeff2\AppData\Local\{86DB2290-34F8-499F-8D6D-EB7BEDF4F1F8}

2012-07-08 05:18:38 -------- d-----w- C:\Users\jeff2\AppData\Local\{4435CECC-2524-404B-A25C-C9414E75C79E}

2012-07-07 17:18:13 -------- d-----w- C:\Users\jeff2\AppData\Local\{5992E06D-A204-470B-8347-2ECCA642F288}

2012-07-07 05:17:32 -------- d-----w- C:\Users\jeff2\AppData\Local\{A434B1FD-87AE-4891-B9B8-48EE08B88DE0}

2012-07-06 17:17:02 -------- d-----w- C:\Users\jeff2\AppData\Local\{79BC0E1D-EFC4-4B6D-9617-BCD0C130B3AD}

2012-07-06 05:16:20 -------- d-----w- C:\Users\jeff2\AppData\Local\{F5460E22-7827-4BAB-89E9-D1F924720604}

2012-07-05 17:15:53 -------- d-----w- C:\Users\jeff2\AppData\Local\{AE0C43F1-1EB1-4D61-AF94-19227D7FC2C0}

2012-07-05 05:15:16 -------- d-----w- C:\Users\jeff2\AppData\Local\{E3A3FF7B-0EBE-45DE-8023-8EAA166D35CF}

2012-07-04 17:14:40 -------- d-----w- C:\Users\jeff2\AppData\Local\{F5316054-5F76-451B-A272-973821947CAB}

2012-07-04 05:13:59 -------- d-----w- C:\Users\jeff2\AppData\Local\{A6242255-658B-4F7F-81F8-65718FEC16BD}

2012-07-03 17:13:34 -------- d-----w- C:\Users\jeff2\AppData\Local\{D7BD8FEE-0C46-440A-893C-E6F1AC3BBC47}

2012-07-03 05:12:58 -------- d-----w- C:\Users\jeff2\AppData\Local\{F3BF567E-C1B0-4ED9-BBEA-5C4D57FDCD18}

2012-07-03 05:10:42 -------- d-----w- C:\Users\jeff2\AppData\Local\{B48C61B9-0268-4905-AC8E-CC10C79437CD}

2012-07-02 20:02:27 224088 ----a-w- C:\windows\System32\drivers\VBoxDrv.sys

2012-07-02 20:02:20 130904 ----a-w- C:\windows\System32\drivers\VBoxUSBMon.sys

2012-07-02 17:10:15 -------- d-----w- C:\Users\jeff2\AppData\Local\{AA0C13D1-2FCE-4556-A699-D9DFBD034141}

2012-07-02 07:49:10 -------- d-----w- C:\Program Files\iPod

2012-07-02 07:49:09 -------- d-----w- C:\Program Files\iTunes

2012-07-02 07:49:09 -------- d-----w- C:\Program Files (x86)\iTunes

2012-07-02 05:07:36 -------- d-----w- C:\Users\jeff2\AppData\Local\{0A588E22-C0DE-41EB-A8E6-6F51327918DD}

2012-07-01 17:06:47 -------- d-----w- C:\Users\jeff2\AppData\Local\{55748C07-751D-4201-B51F-F1D0E50AC2A3}

2012-07-01 05:06:22 -------- d-----w- C:\Users\jeff2\AppData\Local\{FAD8849B-9B8A-436B-87EA-27F08CC06384}

2012-06-30 17:05:26 -------- d-----w- C:\Users\jeff2\AppData\Local\{F13944B6-F368-4E37-B381-670BC693BDD8}

2012-06-30 05:05:02 -------- d-----w- C:\Users\jeff2\AppData\Local\{5DF04638-85A2-454D-ADAE-275678B00C86}

2012-06-29 17:04:24 -------- d-----w- C:\Users\jeff2\AppData\Local\{A2964C9F-40A5-4F16-BE41-B35861D69B6A}

2012-06-29 05:02:03 -------- d-----w- C:\Users\jeff2\AppData\Local\{31D9C53E-57DC-403F-B082-41B15E332F47}

2012-06-28 17:00:55 -------- d-----w- C:\Users\jeff2\AppData\Local\{E5C06165-B255-4B44-8802-BF91C77FF06A}

2012-06-28 04:58:47 -------- d-----w- C:\Users\jeff2\AppData\Local\{A3D90A86-F34A-4294-8334-B940014FB4E9}

2012-06-27 16:56:25 -------- d-----w- C:\Users\jeff2\AppData\Local\{34769C29-7EE0-4A80-A13B-5F4A333C4D06}

2012-06-27 04:55:24 -------- d-----w- C:\Users\jeff2\AppData\Local\{EECE2BDE-638E-4BA2-8629-DC2A845C9B6F}

2012-06-26 16:54:58 -------- d-----w- C:\Users\jeff2\AppData\Local\{CE6FA757-B88B-4DD8-9E25-81F7454345FB}

2012-06-26 04:52:25 -------- d-----w- C:\Users\jeff2\AppData\Local\{188D9827-2ABA-4E8F-8509-6EA58C06CF9D}

2012-06-25 16:52:02 -------- d-----w- C:\Users\jeff2\AppData\Local\{85D92BBF-1EEF-4960-85F0-EDA0CAD17008}

2012-06-25 04:51:10 -------- d-----w- C:\Users\jeff2\AppData\Local\{3BEA3157-C3D9-4B23-93AE-55B4FBEF8760}

.

==================== Find3M ====================

.

2012-07-18 20:27:15 70344 ----a-w- C:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-07-18 20:27:15 426184 ----a-w- C:\windows\SysWow64\FlashPlayerApp.exe

2012-07-03 20:46:44 24904 ----a-w- C:\windows\System32\drivers\mbam.sys

2012-06-06 06:06:16 2004480 ----a-w- C:\windows\System32\msxml6.dll

2012-06-06 06:06:16 1881600 ----a-w- C:\windows\System32\msxml3.dll

2012-06-06 06:02:54 1133568 ----a-w- C:\windows\System32\cdosys.dll

2012-06-06 05:05:52 1390080 ----a-w- C:\windows\SysWow64\msxml6.dll

2012-06-06 05:05:52 1236992 ----a-w- C:\windows\SysWow64\msxml3.dll

2012-06-06 05:03:06 805376 ----a-w- C:\windows\SysWow64\cdosys.dll

2012-06-05 23:03:52 166232 ----a-w- C:\windows\System32\drivers\VBoxNetFlt.sys

2012-06-05 23:03:52 147288 ----a-w- C:\windows\System32\drivers\VBoxNetAdp.sys

2012-06-05 23:02:22 320856 ----a-w- C:\windows\System32\VBoxNetFltNobj.dll

2012-06-02 22:19:42 186752 ----a-w- C:\windows\System32\wuwebv.dll

2012-06-02 22:15:31 2622464 ----a-w- C:\windows\System32\wucltux.dll

2012-06-02 22:15:12 36864 ----a-w- C:\windows\System32\wuapp.exe

2012-06-02 22:15:08 99840 ----a-w- C:\windows\System32\wudriver.dll

2012-06-02 12:12:17 2311680 ----a-w- C:\windows\System32\jscript9.dll

2012-06-02 12:05:28 1392128 ----a-w- C:\windows\System32\wininet.dll

2012-06-02 12:04:50 1494528 ----a-w- C:\windows\System32\inetcpl.cpl

2012-06-02 12:01:40 173056 ----a-w- C:\windows\System32\ieUnatt.exe

2012-06-02 11:57:08 2382848 ----a-w- C:\windows\System32\mshtml.tlb

2012-06-02 08:33:25 1800192 ----a-w- C:\windows\SysWow64\jscript9.dll

2012-06-02 08:25:08 1129472 ----a-w- C:\windows\SysWow64\wininet.dll

2012-06-02 08:25:03 1427968 ----a-w- C:\windows\SysWow64\inetcpl.cpl

2012-06-02 08:20:33 142848 ----a-w- C:\windows\SysWow64\ieUnatt.exe

2012-06-02 08:16:52 2382848 ----a-w- C:\windows\SysWow64\mshtml.tlb

2012-06-02 05:50:10 458704 ----a-w- C:\windows\System32\drivers\cng.sys

2012-06-02 05:48:16 95600 ----a-w- C:\windows\System32\drivers\ksecdd.sys

2012-06-02 05:48:16 151920 ----a-w- C:\windows\System32\drivers\ksecpkg.sys

2012-06-02 05:45:31 340992 ----a-w- C:\windows\System32\schannel.dll

2012-06-02 05:44:21 307200 ----a-w- C:\windows\System32\ncrypt.dll

2012-06-02 04:40:42 22016 ----a-w- C:\windows\SysWow64\secur32.dll

2012-06-02 04:40:39 225280 ----a-w- C:\windows\SysWow64\schannel.dll

2012-06-02 04:39:10 219136 ----a-w- C:\windows\SysWow64\ncrypt.dll

2012-06-02 04:34:09 96768 ----a-w- C:\windows\SysWow64\sspicli.dll

2012-05-04 11:06:22 5559664 ----a-w- C:\windows\System32\ntoskrnl.exe

2012-05-04 10:03:53 3968368 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe

2012-05-04 10:03:50 3913072 ----a-w- C:\windows\SysWow64\ntoskrnl.exe

2012-05-01 05:40:20 209920 ----a-w- C:\windows\System32\profsvc.dll

2012-04-28 05:32:05 1112064 ----a-w- C:\windows\System32\rdpcorets.dll

2012-04-28 03:55:21 210944 ----a-w- C:\windows\System32\drivers\rdpwd.sys

2012-04-26 05:41:56 77312 ----a-w- C:\windows\System32\rdpwsx.dll

2012-04-26 05:41:55 149504 ----a-w- C:\windows\System32\rdpcorekmts.dll

2012-04-26 05:34:27 9216 ----a-w- C:\windows\System32\rdrmemptylst.exe

2011-08-24 01:42:54 332144 ----a-w- C:\Program Files (x86)\Common Files\MediaOrganizer.dll

2011-08-24 01:35:38 33136 ----a-w- C:\Program Files (x86)\Common Files\FlickrProvider.dll

2011-08-24 01:35:14 402800 ----a-w- C:\Program Files (x86)\Common Files\facebook.dll

2011-08-24 01:35:14 130416 ----a-w- C:\Program Files (x86)\Common Files\PluginCommon.dll

2011-08-24 01:34:26 465264 ----a-w- C:\Program Files (x86)\Common Files\AppFramework.dll

.

============= FINISH: 13:35:21.89 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Ultimate

Boot Device: \Device\HarddiskVolume1

Install Date: 12/18/2010 6:42:28 PM

System Uptime: 7/23/2012 6:14:11 PM (19 hours ago)

.

Motherboard: ASUSTeK Computer INC. | | P5Q-EM

Processor: Intel® Core™2 Duo CPU E8500 @ 3.16GHz | LGA 775 | 3166/333mhz

.

==== Disk Partitions =========================

.

A: is Removable

C: is FIXED (NTFS) - 651 GiB total, 438.709 GiB free.

D: is CDROM (UDF)

E: is Removable

F: is Removable

G: is Removable

H: is Removable

K: is Removable

M: is FIXED (NTFS) - 677 GiB total, 319.779 GiB free.

N: is FIXED (NTFS) - 535 GiB total, 205.671 GiB free.

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: VMware Virtual Ethernet Adapter for VMnet1

Device ID: ROOT\VMWARE\0000

Manufacturer: VMware, Inc.

Name: VMware Virtual Ethernet Adapter for VMnet1

PNP Device ID: ROOT\VMWARE\0000

Service: VMnetAdapter

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: VMware Virtual Ethernet Adapter for VMnet8

Device ID: ROOT\VMWARE\0001

Manufacturer: VMware, Inc.

Name: VMware Virtual Ethernet Adapter for VMnet8

PNP Device ID: ROOT\VMWARE\0001

Service: VMnetAdapter

.

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}

Description: Cisco Systems VPN Adapter for 64-bit Windows

Device ID: ROOT\NET\0001

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter for 64-bit Windows

PNP Device ID: ROOT\NET\0001

Service: CVirtA

.

==== System Restore Points ===================

.

RP253: 7/19/2012 11:03:03 AM - Installed TortoiseGit 1.7.11.3 (64 bit)

RP254: 7/19/2012 4:10:33 PM - Removed TerraGo Toolbar.

RP255: 7/23/2012 5:07:14 PM - ComboFix created restore point

.

==== Hosts File Hijack ======================

.

REMOVED FOR PRIVACY

.

==== Installed Programs ======================

.

.

AddCustomPaper

Adobe AIR

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.0)

Apple Application Support

Apple Software Update

Auslogics Duplicate File Finder

B9100

BSIZE_CDA_B9100_Software_Min

BufferChm

Canon IJ Network Scan Utility

Canon IJ Network Tool

Canon MP Navigator EX 1.1

Canon MX850 series User Registration

Canon Utilities Easy-PhotoPrint EX

Canon Utilities Solution Menu

Carbonite

Catalyst Control Center

Catalyst Control Center - Branding

Catalyst Control Center Graphics Previews Common

Catalyst Control Center InstallProxy

Catalyst Control Center Localization All

CCC Help Chinese Standard

CCC Help Chinese Traditional

CCC Help Czech

CCC Help Danish

CCC Help Dutch

CCC Help English

CCC Help Finnish

CCC Help French

CCC Help German

CCC Help Greek

CCC Help Hungarian

CCC Help Italian

CCC Help Japanese

CCC Help Korean

CCC Help Norwegian

CCC Help Polish

CCC Help Portuguese

CCC Help Russian

CCC Help Spanish

CCC Help Swedish

CCC Help Thai

CCC Help Turkish

Cisco WebEx Meetings

Corel PaintShop Pro X4

Corel PaintShop Pro X4 Ultimate Bonus Pack

D3DX10

Destinations

DeviceDiscovery

EasyBCD 2.0

Git version 1.7.11-preview20120620

Google Calendar Sync

Google Chrome

Google Earth

Google Update Helper

GoToMeeting 5.1.0.880

GPBaseService2

Hewlett-Packard ACLM.NET v1.1.0.0

HP Photosmart Pro print plug-in for Adobe Photoshop ®

HP Product Detection

HP Update

HPDiagnosticAlert

HPPhotoGadget

HPPhotoSmartDiscLabelContent1

HPPhotosmartEssential

HPProductAssistant

HPSSupply

HTC Driver Installer

HTC Sync

ICA

Image Data Converter SR

IPM_PSP_COM

iSEEK AnswerWorks English Runtime

Java Auto Updater

Java™ 6 Update 22

Java™ 6 Update 31

Junk Mail filter update

LightScribe Applications

LightScribe System Software

Malwarebytes Anti-Malware version 1.62.0.1300

MarketResearch

Mesh Runtime

Messenger Companion

Microsoft Access database engine 2010 (English)

Microsoft Application Error Reporting

Microsoft Expression Encoder 4

Microsoft Expression Encoder 4 Screen Capture Codec

Microsoft MapPoint North America 2011

Microsoft Office Access database engine 2007 (English)

Microsoft Office Small Business Connectivity Components

Microsoft Search Enhancement Pack

Microsoft SharedView

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable Package

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Mozilla Firefox 14.0.1 (x86 en-US)

Mozilla Maintenance Service

MP3 Skype Recorder

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 4.0 SP2 Parser and SDK

MySQL Tools for 5.0

MySQL Workbench 5.2 CE

NETGEAR WNDA3100v2 wireless USB 2.0 adapter

Norton Internet Security

OpenOffice.org 3.3

OpenVPN 2.2.1

Outlook Setup Tool

PaintShop Photo Pro X3 Registration Incentive

PhotoStockPlus Uploader Tool 2.0.59

Presto! PageManager 7.15.20

PSPPContent

PSPPHelp

QuickBooks

QuickBooks Pro 2012

Quicken 2011

QuickTime

Realtek Ethernet Controller Driver

RealUpgrade 1.1

ScanSoft OmniPage SE 4

Seagate DiscWizard

SeaTools for Windows

Security Update for CAPICOM (KB931906)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Setup

Skype Click to Call

Skype™ 5.10

SmartWebPrinting

SolutionCenter

Sony Picture Utility

Status

System Requirements Lab for Intel

TextPad 4.7

TightVNC 2.0.4

Toolbox

tools-linux

TrayApp

TurboTax 2011

TurboTax 2011 waziper

TurboTax 2011 WinPerFedFormset

TurboTax 2011 WinPerReleaseEngine

TurboTax 2011 WinPerTaxSupport

TurboTax 2011 wrapper

UnloadSupport

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Van Dyke Technologies SecureCRT 3.4

VMware Player

VZAccess Manager

WebReg

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Windows Media Player Firefox Plugin

WinMerge 2.12.4

WinSCP 4.3.5

WinZip 15.5

WinZip Courier

WModem Driver Installer

XAMPP 1.7.4

.

==== Event Viewer Messages From Past Week ========

.

7/23/2012 6:12:47 PM, Error: SNMP [1500] - The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents.

7/23/2012 6:12:46 PM, Error: SNMP [1500] - The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.

7/23/2012 5:21:57 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

7/23/2012 5:08:48 PM, Error: Service Control Manager [7034] - The OpenVPN Service service terminated unexpectedly. It has done this 1 time(s).

7/23/2012 5:01:21 PM, Error: Service Control Manager [7034] - The hpqcxs08 service terminated unexpectedly. It has done this 1 time(s).

7/19/2012 4:36:46 PM, Error: Service Control Manager [7024] - The Apache2.2 service terminated with service-specific error Incorrect function..

.

==== End Of File ===========================


FYI - this is the original log when Malwarebytes removed the infection. It was quite a mess....

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.13.01

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

jeff2 :: JEFF-PC [administrator]

7/12/2012 7:16:37 PM

mbam-log-2012-07-12 (19-16-37).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 295695

Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Trojan.Lameshield) -> Quarantined and deleted successfully.

Registry Values Detected: 3

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|pntlt (Trojan.Agent) -> Data: rundll32.exe "C:\Users\jeff2\AppData\Roaming\pntlt.dll",DescribePixelFormat -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|0C1CFB13006AE2FD029E19E3F875EF60 (Trojan.Lameshield) -> Data: C:\ProgramData\0C1CFB13006AE2FD029E19E3F875EF60\0C1CFB13006AE2FD029E19E3F875EF60.exe -> Quarantined and deleted successfully.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Windows Update Server (Backdoor.IRCBot) -> Data: C:\Users\jeff2\8ae0bd7c-3156.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 4

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|Load (Trojan.Agent) -> Bad: (C:\Users\jeff2\LOCALS~1\Temp\msaoehoco.exe) Good: () -> Delete on reboot.

HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0

(No malicious items detected)

Files Detected: 10

C:\Users\jeff2\AppData\Roaming\pntlt.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\ProgramData\0C1CFB13006AE2FD029E19E3F875EF60\0C1CFB13006AE2FD029E19E3F875EF60.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.

C:\Users\jeff2\Local Settings\Temp\msaoehoco.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Users\jeff2\AppData\Local\Temp\00c6a5d3.exe (Trojan.Lameshield) -> Quarantined and deleted successfully.

C:\Users\jeff2\AppData\Local\Temp\2E15.tmp (Trojan.FakeAlert.FSA15) -> Quarantined and deleted successfully.

C:\Users\jeff2\AppData\Local\Temp\msaoehoco.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Users\jeff2\AppData\Local\Temp\~!#B62A.tmp (Trojan.Lameshield) -> Quarantined and deleted successfully.

C:\Windows\Installer\{41de673f-9bcd-4663-6c09-9a3f2e48004e}\n (Trojan.Sirefef) -> Quarantined and deleted successfully.

C:\Windows\Installer\{41de673f-9bcd-4663-6c09-9a3f2e48004e}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

C:\Users\jeff2\8ae0bd7c-3156.exe (Backdoor.IRCBot) -> Quarantined and deleted successfully.

(end)

After this I still had a rootkit infection:

Malwarebytes Anti-Malware 1.62.0.1300

www.malwarebytes.org

Database version: v2012.07.13.01

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)

Internet Explorer 9.0.8112.16421

jeff2 :: JEFF-PC [administrator]

7/12/2012 7:32:43 PM

mbam-log-2012-07-12 (19-32-43).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 295757

Time elapsed: 43 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Windows\Installer\{41de673f-9bcd-4663-6c09-9a3f2e48004e}\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

It was apparently removed by ComboFix.


Hello JeffW and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Please tick Scan All Users. Next, click the Quick Scan button. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

