IE browser searches redirect to Newsbusters etc.


I've been working at correcting this redirect problem for 2 days now. I have found a few trojans and lots of adware; all have been removed by various malware removal programs. But after 2 days of research and work, the problem still persists.

Using Internet Explorer and a search engine such as yahoo.com or google.com causes all search results to redirect to newsbusters.org. Periodically it will redirect to some kind of shopping search site, but it's rare and I can't get the name to come up now. Some kind of help whipping this thing would be very much appreciated.

Here are my reports:

DDS (Ver_2012-11-20.01) - NTFS_AMD64

Internet Explorer: 10.0.9200.16438 BrowserJavaVersion: 1.6.0_30

Run by LBM2 at 15:29:22 on 2012-12-31

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3991.2326 [GMT -6:00]

.

SP: Trend Micro Client/Server Security Agent Anti-spyware *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}

.

============== Running Processes ===============

.

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\rundll32.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe

C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe

C:\Program Files (x86)\Intel\AMT\LMS.exe

C:\Program Files (x86)\Trend Micro\Client Server Security Agent\ntrtscan.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe

C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmlisten.exe

c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\System32\alg.exe

C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Authentication\Hp.SkyRoom.Windows.RgsPlugin.Authentication.exe

c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Lens\Hp.SkyRoom.Windows.RgsPlugin.Lens.exe

c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\plugins\ice\Hp.SkyRoom.Windows.RgsPlugin.Licensing\Hp.SkyRoom.Windows.RgsPlugin.Licensing.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

c:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsender_gui.exe

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Trend Micro\BM\TMBMSRV.exe

C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe

C:\Program Files\ActivIdentity\ActivClient\acevents.exe

C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe

C:\Windows\System32\igfxtray.exe

C:\Windows\System32\hkcmd.exe

C:\Windows\System32\igfxpers.exe

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPfw.exe

C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\coreshredder.exe

C:\Program Files (x86)\Trend Micro\Client Server Security Agent\PccNTMon.exe

C:\Windows\system32\SearchIndexer.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Creative\Creative Live! Cam\Live! Central\CTLVCentral.exe

C:\Program Files (x86)\Citrix\ICA Client\concentr.exe

C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe

C:\Users\LBM2\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Program Files (x86)\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe

C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe

C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\System32\cscript.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.yahoo.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1003\TmIEPlg32.dll

BHO: File Sanitizer for HP ProtectTools: {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\IEBHO.dll

BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe

mRun: [File Sanitizer] C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe

mRun: [OfficeScanNT Monitor] "C:\Program Files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow

mRun: [switchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [Live! Central] "C:\Program Files (x86)\Creative\Creative Live! Cam\Live! Central\CTLVCentral.exe" /mode2

mRun: [ConnectionCenter] "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup

mRun: [AdobeCS5ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin

mRun: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

StartupFolder: C:\Users\LBM2\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

StartupFolder: C:\Users\LBM2\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\LBM2\AppData\Roaming\Dropbox\bin\Dropbox.exe

StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ONLINE~1.LNK - C:\Windows\Installer\{0F1F7A90-E71B-4E45-A066-2891619F22E1}\pnaico.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe

uPolicies-Explorer: NoDriveTypeAutoRun = dword:145

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDrives = dword:0

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: SoftwareSASGeneration = dword:3

IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll

.

INFO: HKCU has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

.

INFO: HKLM has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://lb0.luber.com:4343/officescan/console/ClientInstall/WinNTChk.cab

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab

DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} - hxxps://lb0.luber.com:4343/officescan/console/ClientInstall/setupini.cab

DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://lb0.luber.com:4343/officescan/console/ClientInstall/setup.cab

DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} - hxxps://lb0.luber.com:4343/officescan/console/ClientInstall/RemoveCtrl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://textron.webex.com/client/T26L10NSP49EP10-textron/webex/ieatgpc1.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: NameServer = 192.168.3.105 68.12.16.30 68.1.208.30

TCP: Interfaces\{4195E8C2-93E9-43D1-944A-ED6DD61DD0D5} : DHCPNameServer = 192.168.3.105 68.12.16.30 68.1.208.30

TCP: Interfaces\{4A2F6C34-88F6-410A-8F98-2A447C355C30} : DHCPNameServer = 192.168.3.100 68.238.96.12 68.238.64.12

Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll

Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1003\TmIEPlg32.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

Notify: igfxcui - <no file>

SSODL: WebCheck - <orphaned>

x64-BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1003\TmIEPlg.dll

x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

x64-Run: [picon] "C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup

x64-Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe"

x64-Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"

x64-Run: [igfxTray] C:\Windows\System32\igfxtray.exe

x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe

x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe

x64-Run: [OfficeScanNT Monitor] -HideWindow

x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

x64-Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

.

INFO: x64-HKLM has more than 50 listed domains.

If you wish to scan all of them, select the 'Force scan all domains' option.

.

x64-Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - <orphaned>

x64-Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files (x86)\Trend Micro\Client Server Security Agent\bho\1003\TmIEPlg.dll

x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>

x64-SSODL: WebCheck - <orphaned>

x64-mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - C:\Windows\System32\rundll32.exe C:\Windows\System32\advpack.dll,LaunchINFSectionEx C:\Program Files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\LBM2\AppData\Roaming\Mozilla\Firefox\Profiles\jo6hnl2w.default\

FF - prefs.js: network.proxy.type - 0

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npicaN.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\LBM2\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_135.dll

FF - ExtSQL: 2012-12-13 10:24; {34f16eca-5790-95e4-1d09-264e2f59518e}; C:\Users\LBM2\AppData\Roaming\Mozilla\Firefox\Profiles\jo6hnl2w.default\extensions\{34f16eca-5790-95e4-1d09-264e2f59518e}

FF - ExtSQL: 2012-12-13 10:24; {46d606b0-a645-11df-981c-0800200c9a66}; C:\Users\LBM2\AppData\Roaming\Mozilla\Firefox\Profiles\jo6hnl2w.default\extensions\{46d606b0-a645-11df-981c-0800200c9a66}

FF - ExtSQL: 2012-12-13 10:24; {5C46D283-ABDE-4dce-B83C-08881401921C}; C:\Users\LBM2\AppData\Roaming\Mozilla\Firefox\Profiles\jo6hnl2w.default\extensions\{5C46D283-ABDE-4dce-B83C-08881401921C}

.

============= SERVICES / DRIVERS ===============

.

R1 ctxusbm;Citrix USB Monitor Driver;C:\Windows\System32\drivers\ctxusbm.sys [2010-7-14 87600]

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;C:\Windows\System32\drivers\tmlwf.sys [2009-7-15 200720]

R2 ac.sharedstore;ActivIdentity Shared Store Service;C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-6-3 277032]

R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]

R2 Hp.Skyroom.Windows.Service;HP SkyRoom;C:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [2010-3-3 124472]

R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-3-28 94264]

R2 HPFSService;File Sanitizer for HP ProtectTools;C:\Program Files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2010-1-19 297984]

R2 rgsender;Remote Graphics Sender Service;C:\Program Files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [2010-8-17 379904]

R2 TmFilter;Trend Micro Filter;C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [2009-12-4 344376]

R2 TmPreFilter;Trend Micro PreFilter;C:\Program Files (x86)\Trend Micro\Client Server Security Agent\tmpreflt.sys [2009-12-4 42808]

R2 tmwfp;Trend Micro WFP Callout Driver;C:\Windows\System32\drivers\tmwfp.sys [2009-7-15 339984]

R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2010-8-17 2066968]

R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2010-8-17 281568]

R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2010-8-17 56344]

R3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2010-8-17 702976]

R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;C:\Windows\System32\drivers\livecamv.sys [2012-1-13 49664]

R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPfw.exe [2009-7-15 595960]

R3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [2009-7-15 917768]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 CryptSvc32;Cryptographic Services ;C:\Windows\System32\WSManMigrationPlugin32.exe --> C:\Windows\System32\WSManMigrationPlugin32.exe [?]

S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-12-31 1153368]

S2 SCardSvr32;Smart Card ;C:\ProgramData\imagesp132.exe --> C:\ProgramData\imagesp132.exe [?]

S3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\System32\drivers\CtClsFlt.sys [2012-1-13 169472]

S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-6-29 48488]

S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-22 1493352]

S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]

S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-1 59392]

S3 V0560Vid;Creative Live! Cam Optia AF Driver;C:\Windows\System32\drivers\V0560Vid.sys [2009-6-16 343360]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-8-17 1255736]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== File Associations ===============

.

ShellExec: dreamweaver.exe: Open="C:\Program Files (x86)\Adobe\Adobe Dreamweaver CS4\dreamweaver.exe", "%1"

ShellExec: pdfvista.exe: Open="C:\Program Files (x86)\PDF Complete\pdfvista.exe"

ShellExec: pdfvista.exe: Read="C:\Program Files (x86)\PDF Complete\pdfvista.exe"

.

=============== Created Last 30 ================

.

2012-12-31 20:28:20 909312 ----a-w- C:\Windows\System32\wbem\fastprox.dll

2012-12-31 20:27:07 505856 ----a-w- C:\Windows\System32\wbem\wbemess.dll

2012-12-31 18:05:26 -------- d-----w- C:\Program Files (x86)\ESET

2012-12-31 16:56:32 -------- d-sh--w- C:\$RECYCLE.BIN

2012-12-31 15:55:26 -------- d-----w- C:\Windows\pss

2012-12-31 15:02:30 98816 ----a-w- C:\Windows\sed.exe

2012-12-31 15:02:30 256000 ----a-w- C:\Windows\PEV.exe

2012-12-31 15:02:30 208896 ----a-w- C:\Windows\MBR.exe

2012-12-31 13:01:39 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy

2012-12-31 13:01:39 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy

2012-12-28 20:45:02 -------- d-----w- C:\Users\LBM2\AppData\Local\Programs

2012-12-21 13:35:51 46080 ----a-w- C:\Windows\System32\atmlib.dll

2012-12-21 13:35:51 367616 ----a-w- C:\Windows\System32\atmfd.dll

2012-12-21 13:35:51 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll

2012-12-21 13:35:51 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll

2012-12-12 22:03:49 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2012-12-12 22:03:49 2706432 ----a-w- C:\Windows\System32\mshtml.tlb

2012-12-12 21:28:15 2048 ----a-w- C:\Windows\SysWow64\tzres.dll

2012-12-12 21:28:15 2048 ----a-w- C:\Windows\System32\tzres.dll

2012-12-12 21:28:03 3149824 ----a-w- C:\Windows\System32\win32k.sys

.

==================== Find3M ====================

.

2012-12-13 17:22:07 73656 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-12-13 17:22:07 697272 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-11-27 20:50:07 131072 --sha-r- C:\Windows\SysWow64\sysprints.dll

2012-11-26 15:08:01 226304 ----a-w- C:\Windows\System32\elshyph.dll

2012-11-26 15:08:01 185344 ----a-w- C:\Windows\SysWow64\elshyph.dll

2012-11-26 15:08:01 1054720 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe

2012-11-26 15:08:00 718336 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll

2012-11-26 15:08:00 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe

2012-11-26 15:08:00 525312 ----a-w- C:\Windows\SysWow64\vbscript.dll

2012-11-26 15:08:00 1772032 ----a-w- C:\Windows\SysWow64\wininet.dll

2012-11-26 15:08:00 158720 ----a-w- C:\Windows\SysWow64\msls31.dll

2012-11-26 15:08:00 150528 ----a-w- C:\Windows\SysWow64\iexpress.exe

2012-11-26 15:08:00 137216 ----a-w- C:\Windows\SysWow64\ieUnatt.exe

2012-11-26 15:08:00 135680 ----a-w- C:\Windows\SysWow64\wextract.exe

2012-11-26 15:06:52 9728 ---ha-w- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2012-11-02 05:59:11 478208 ----a-w- C:\Windows\System32\dpnet.dll

2012-11-02 05:11:31 376832 ----a-w- C:\Windows\SysWow64\dpnet.dll

2012-10-16 08:38:37 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll

2012-10-16 08:38:34 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll

2012-10-16 07:39:52 561664 ----a-w- C:\Windows\apppatch\AcLayers.dll

2012-10-09 18:17:13 55296 ----a-w- C:\Windows\System32\dhcpcsvc6.dll

2012-10-09 18:17:13 226816 ----a-w- C:\Windows\System32\dhcpcore6.dll

2012-10-09 17:40:31 44032 ----a-w- C:\Windows\SysWow64\dhcpcsvc6.dll

2012-10-09 17:40:31 193536 ----a-w- C:\Windows\SysWow64\dhcpcore6.dll

2012-10-04 17:46:16 362496 ----a-w- C:\Windows\System32\wow64win.dll

2012-10-04 17:46:15 243200 ----a-w- C:\Windows\System32\wow64.dll

2012-10-04 17:46:15 13312 ----a-w- C:\Windows\System32\wow64cpu.dll

2012-10-04 17:45:55 215040 ----a-w- C:\Windows\System32\winsrv.dll

2012-10-04 17:43:28 16384 ----a-w- C:\Windows\System32\ntvdm64.dll

2012-10-04 17:41:16 424960 ----a-w- C:\Windows\System32\KernelBase.dll

2012-10-04 16:47:41 5120 ----a-w- C:\Windows\SysWow64\wow32.dll

2012-10-04 16:47:41 274944 ----a-w- C:\Windows\SysWow64\KernelBase.dll

2012-10-04 15:21:55 338432 ----a-w- C:\Windows\System32\conhost.exe

2012-10-04 14:46:46 7680 ----a-w- C:\Windows\SysWow64\instnm.exe

2012-10-04 14:46:46 25600 ----a-w- C:\Windows\SysWow64\setup16.exe

2012-10-04 14:46:44 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll

2012-10-04 14:46:43 2048 ----a-w- C:\Windows\SysWow64\user.exe

2012-10-04 14:41:50 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll

2012-10-04 14:41:50 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll

2012-10-04 14:41:50 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll

2012-10-04 14:41:50 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll

2012-10-03 17:56:54 1914248 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-10-03 17:44:21 70656 ----a-w- C:\Windows\System32\nlaapi.dll

2012-10-03 17:44:21 303104 ----a-w- C:\Windows\System32\nlasvc.dll

2012-10-03 17:44:17 246272 ----a-w- C:\Windows\System32\netcorehc.dll

2012-10-03 17:44:17 18944 ----a-w- C:\Windows\System32\netevent.dll

2012-10-03 17:44:16 216576 ----a-w- C:\Windows\System32\ncsi.dll

2012-10-03 17:42:16 569344 ----a-w- C:\Windows\System32\iphlpsvc.dll

2012-10-03 16:42:24 18944 ----a-w- C:\Windows\SysWow64\netevent.dll

2012-10-03 16:42:24 175104 ----a-w- C:\Windows\SysWow64\netcorehc.dll

2012-10-03 16:42:23 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll

2012-10-03 16:07:26 45568 ----a-w- C:\Windows\System32\drivers\tcpipreg.sys

.

============= FINISH: 15:29:46.88 ==============

Second log here:

DDS (Ver_2012-11-20.01)

.

Microsoft Windows 7 Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 8/17/2010 10:22:48 AM

System Uptime: 12/31/2012 3:06:50 PM (0 hours ago)

.

Motherboard: Hewlett-Packard | | 3646h

Processor: Intel® Core™2 Quad CPU Q8400 @ 2.66GHz | XU1 PROCESSOR | 2667/1333mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 290 GiB total, 203.056 GiB free.

D: is FIXED (NTFS) - 6 GiB total, 0.774 GiB free.

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}

Description: PS/2 Compatible Mouse

Device ID: ACPI\PNP0F13\4&6847F13&0

Manufacturer: Microsoft

Name: PS/2 Compatible Mouse

PNP Device ID: ACPI\PNP0F13\4&6847F13&0

Service: i8042prt

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

Update for Microsoft Office 2007 (KB2508958)

2007 Microsoft Office system

7-Zip 4.65

ActivClient x64

Adobe AIR

Adobe Anchor Service CS4

Adobe Bridge 1.0

Adobe Bridge CS4

Adobe CMaps CS4

Adobe Common File Installer

Adobe Community Help

Adobe CSI CS4

Adobe CSI CS4 x64

Adobe Default Language CS4

Adobe Device Central CS4

Adobe Dreamweaver CS4

Adobe ExtendScript Toolkit CS4

Adobe Extension Manager CS4

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Flash Professional CS5

Adobe Help Center 1.0

Adobe Illustrator CS2

Adobe Media Player

Adobe Output Module

Adobe PDF Library Files CS4

Adobe Photoshop CS2

Adobe Reader X (10.1.4)

Adobe Search for Help

Adobe Service Manager Extension

Adobe Setup

Adobe Stock Photos 1.0

Adobe SVG Viewer 3.0

Adobe Type Support CS4

Adobe Update Manager CS4

Adobe XMP Panels CS4

Advanced Audio FX Engine

Cisco WebEx Meetings

Citrix online plug-in

Citrix online plug-in (DV)

Citrix online plug-in (HDX)

Citrix online plug-in (PNA)

Citrix online plug-in (SSON)

Citrix online plug-in (USB)

Citrix online plug-in (Web)

Connect

Creative Live! Cam Optia AF (VF0560) Driver (1.01.03.00)

Creative Live! Central

Creative System Information

D3DX10

DHTML Editing Component

Dropbox

File Sanitizer For HP ProtectTools

FileZilla Client 3.5.3

Hewlett-Packard ACLM.NET v1.1.2.0

HP Customer Experience Enhancements

HP SkyRoom

HP Support Assistant

Intel® Graphics Media Accelerator Driver

Intel® Active Management Technology

Itibiti RTC

Java Auto Updater

Java Card Security for HP ProtectTools

Java™ 6 Update 30

Junk Mail filter update

kuler

Mesh Runtime

Messenger Companion

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Application Error Reporting

Microsoft MapPoint North America 2010

Microsoft Office 2007 Service Pack 3 (SP3)

Microsoft Office Access database engine 2007 (English)

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office File Validation Add-In

Microsoft Office Office 64-bit Components 2007

Microsoft Office Outlook Connector

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Professional Hybrid 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared 64-bit MUI (English) 2007

Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft SQL Server Management Studio Express

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161

Microsoft Visual C++ 2008 Redistributable Package

Microsoft_VC80_ATL_x86

Microsoft_VC80_CRT_x86

Microsoft_VC80_MFC_x86

Microsoft_VC80_MFCLOC_x86

Microsoft_VC90_ATL_x86

Microsoft_VC90_ATL_x86_x64

Microsoft_VC90_CRT_x86

Microsoft_VC90_CRT_x86_x64

Microsoft_VC90_MFC_x86

Microsoft_VC90_MFC_x86_x64

Mozilla Firefox 17.0.1 (x86 en-US)

Mozilla Maintenance Service

MSVCRT

MSVCRT_amd64

PDF Settings CS5

Photoshop Camera Raw

Picasa 3

Realtek High Definition Audio Driver

Remote Graphics Receiver

Remote Graphics Sender

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596856) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition

Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition

Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition

Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition

Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition

Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition

Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition

Spybot - Search & Destroy

Suite Shared Configuration CS4

Trend Micro Client/Server Security Agent

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

Update for Microsoft Office 2007 Help for Common Features (KB963673)

Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition

Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition

Update for Microsoft Office Access 2007 Help (KB963663)

Update for Microsoft Office Excel 2007 Help (KB963678)

Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition

Update for Microsoft Office Outlook 2007 Help (KB963677)

Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2760573) 32-Bit Edition

Update for Microsoft Office Powerpoint 2007 Help (KB963669)

Update for Microsoft Office Publisher 2007 Help (KB963667)

Update for Microsoft Office Script Editor Help (KB963671)

Update for Microsoft Office Word 2007 Help (KB963665)

VLC media player 2.0.1

Windows Live Communications Platform

Windows Live Essentials

Windows Live Family Safety

Windows Live ID Sign-in Assistant

Windows Live Installer

Windows Live Language Selector

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live MIME IFilter

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live Remote Client

Windows Live Remote Client Resources

Windows Live Remote Service

Windows Live Remote Service Resources

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Wondershare Video Converter Platinum(Build 5.1.3.1)

Yahoo! BrowserPlus 2.9.8

Yahoo! Detect

Yahoo! Software Update

.

==== Event Viewer Messages From Past Week ========

.

12/31/2012 9:13:29 AM, Error: Service Control Manager [7000] - The HP Support Assistant Service service failed to start due to the following error: A device attached to the system is not functioning.

12/31/2012 9:08:01 AM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

12/31/2012 3:07:08 PM, Error: Service Control Manager [7001] - The SBSD Security Center Service service depends on the Security Center service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

12/31/2012 2:04:40 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

12/31/2012 2:04:39 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

12/31/2012 2:04:39 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

12/31/2012 2:04:39 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

12/31/2012 2:04:39 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

12/31/2012 2:04:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

12/31/2012 2:04:32 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

12/31/2012 2:04:10 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CSC ctxusbm DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr tdx tmlwf tmtdi vwififlt Wanarpv6 WfpLwf ws2ifsl

12/31/2012 2:04:10 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

12/31/2012 2:04:10 PM, Error: Service Control Manager [7001] - The Trend Micro Client/Server Security Agent Listener service depends on the Network Connections service which failed to start because of the following error: The dependency service or group failed to start.

12/31/2012 2:04:10 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

12/31/2012 2:04:10 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

12/31/2012 2:04:10 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

12/31/2012 2:04:10 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

12/31/2012 2:04:10 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.

12/31/2012 2:04:10 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

12/31/2012 2:04:10 PM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

12/31/2012 2:04:10 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

12/31/2012 2:04:10 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

12/31/2012 2:04:10 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

12/31/2012 2:04:10 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}

12/31/2012 10:15:41 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

12/31/2012 1:54:04 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B68-F52A-11D8-B9A5-505054503030}

12/27/2012 7:58:48 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Support Assistant Service service to connect.

12/27/2012 7:58:48 AM, Error: Service Control Manager [7000] - The HP Support Assistant Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

.

==== End Of File ===========================


  • Staff

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

These are the programs I would like you to run next. If you have any problems with one of these, just skip it and run the next one.

-Security Check-

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.

Gringo


Thanks a ton for the help! I got an email notification that I had a reply to my help request, so I turned on this computer today to run the tests you requested. I'm not sure what has changed, but the computer is noticeably more sluggish today than yesterday. Also, when I tried a Firefox search to get to the Malwarebytes forum page I got a redirect to some kind of Babylon search. This is a new development. After running the programs you requested, IE will load to yahoo.com and I can do a web search from there. When I click on a link, the page goes blank and never loads anything. Not sure if this is scan related or not.

Just to be clear, I have run AdwCleaner previously and it removed a significant number of items. I searched for the previous log and couldn't find it; I posted the current log here.

Here are my logs:

Results of screen317's Security Check version 0.99.56

Windows 7 Service Pack 1 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Spybot - Search & Destroy

Java 6 Update 30

Java version out of Date!

Adobe Flash Player 11.5.502.135

Adobe Reader 10.1.4 Adobe Reader out of Date!

Mozilla Firefox (17.0.1)

````````Process Check: objlist.exe by Laurent````````

Trend Micro Client Server Security Agent Misc xpupg.exe

Trend Micro Client Server Security Agent pccntupd.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 0%

````````````````````End of Log``````````````````````

# AdwCleaner v2.104 - Logfile created 01/01/2013 at 16:07:21

# Updated 29/12/2012 by Xplode

# Operating system : Windows 7 Professional Service Pack 1 (64 bits)

# User : LBM2 - LBM2-HP

# Boot Mode : Normal

# Running from : C:\Users\LBM2\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

***** [Registry] *****

***** [internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16438

[OK] Registry is clean.

-\\ Mozilla Firefox v17.0.1 (en-US)

File : C:\Users\LBM2\AppData\Roaming\Mozilla\Firefox\Profiles\jo6hnl2w.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[s2].txt - [666 octets] - [01/01/2013 16:07:21]

########## EOF - C:\AdwCleaner[s2].txt - [725 octets] ##########

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : LBM2 [Admin rights]

Mode : Scan -- Date : 01/01/2013 16:21:51

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320418AS +++++

--- User ---

[MBR] d10507a6a71586640f75304a3770c5ae

[bSP] 15570c8fbc19eda053e65ba8216f3e27 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 2047 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 4194304 | Size: 296734 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 611905536 | Size: 6453 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_01012013_02d1621.txt >>

RKreport[1]_S_01012013_02d1621.txt

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

Started in : Normal mode

User : LBM2 [Admin rights]

Mode : Remove -- Date : 01/01/2013 16:22:25

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3320418AS +++++

--- User ---

[MBR] d10507a6a71586640f75304a3770c5ae

[bSP] 15570c8fbc19eda053e65ba8216f3e27 : Windows 7/8 MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 2047 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 4194304 | Size: 296734 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 611905536 | Size: 6453 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[2]_D_01012013_02d1622.txt >>

RKreport[1]_S_01012013_02d1621.txt ; RKreport[2]_D_01012013_02d1622.txt


  • Staff

Hello

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo


I have now run Combofix. I've checked IE and it is still functioning as before. I can search from the homepage yahoo.com and search results are shown. When you click on a link, the page goes blank and nothing loads, the back button doesn't work either. The same happened after running the previous scans. I tried searching with Firefox and results come back normally. When I click on a link I'm redirected to ihavenet or newsbusters.

Here is the combofix log:

ComboFix 13-01-01.02 - LBM2 01/01/2013 17:34:46.3.4 - x64

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3991.2637 [GMT -6:00]

Running from: c:\users\LBM2\Desktop\ComboFix.exe

FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}

SP: Trend Micro Client/Server Security Agent Anti-spyware *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

* Created a new restore point

* Resident AV is active

.

.

.

((((((((((((((((((((((((( Files Created from 2012-12-01 to 2013-01-01 )))))))))))))))))))))))))))))))

.

.

2013-01-01 23:40 . 2013-01-01 23:40 -------- d-----w- c:\users\Default\AppData\Local\temp

2013-01-01 21:30 . 2013-01-01 21:30 -------- d-----w- c:\users\LBM2\AppData\Local\Diagnostics

2012-12-31 20:28 . 2009-07-14 01:40 909312 ----a-w- c:\windows\system32\wbem\fastprox.dll

2012-12-31 20:27 . 2009-07-14 01:41 505856 ----a-w- c:\windows\system32\wbem\wbemess.dll

2012-12-31 18:05 . 2012-12-31 18:05 -------- d-----w- c:\program files (x86)\ESET

2012-12-31 13:01 . 2012-12-31 13:23 -------- d-----w- c:\programdata\Spybot - Search & Destroy

2012-12-31 13:01 . 2012-12-31 13:03 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy

2012-12-28 20:45 . 2012-12-28 20:45 -------- d-----w- c:\users\LBM2\AppData\Local\Programs

2012-12-21 13:35 . 2012-12-16 17:11 46080 ----a-w- c:\windows\system32\atmlib.dll

2012-12-21 13:35 . 2012-12-16 14:45 367616 ----a-w- c:\windows\system32\atmfd.dll

2012-12-21 13:35 . 2012-12-16 14:13 295424 ----a-w- c:\windows\SysWow64\atmfd.dll

2012-12-21 13:35 . 2012-12-16 14:13 34304 ----a-w- c:\windows\SysWow64\atmlib.dll

2012-12-14 20:25 . 2012-12-14 20:25 -------- d-----w- c:\users\support

2012-12-12 22:03 . 2012-11-14 03:51 19450880 ----a-w- c:\windows\system32\mshtml.dll

2012-12-12 22:03 . 2012-11-14 03:25 2706432 ----a-w- c:\windows\system32\mshtml.tlb

2012-12-12 22:03 . 2012-11-14 01:14 2706432 ----a-w- c:\windows\SysWow64\mshtml.tlb

2012-12-12 21:28 . 2012-11-09 05:45 2048 ----a-w- c:\windows\system32\tzres.dll

2012-12-12 21:28 . 2012-11-09 04:42 2048 ----a-w- c:\windows\SysWow64\tzres.dll

2012-12-12 21:28 . 2012-11-22 03:26 3149824 ----a-w- c:\windows\system32\win32k.sys

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-12-28 13:08 . 2010-08-17 20:26 67413224 ----a-w- c:\windows\system32\MRT.exe

2012-12-13 17:22 . 2012-04-18 12:03 697272 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-12-13 17:22 . 2011-08-17 11:54 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-11-26 15:08 . 2012-11-26 15:08 226304 ----a-w- c:\windows\system32\elshyph.dll

2012-11-26 15:08 . 2012-11-26 15:08 185344 ----a-w- c:\windows\SysWow64\elshyph.dll

2012-11-26 15:08 . 2012-11-26 15:08 1054720 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe

2012-11-26 15:08 . 2012-11-26 15:08 718336 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll

2012-11-26 15:08 . 2012-11-26 15:08 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe

2012-11-26 15:08 . 2012-11-26 15:08 525312 ----a-w- c:\windows\SysWow64\vbscript.dll

2012-11-26 15:08 . 2012-11-26 15:08 1772032 ----a-w- c:\windows\SysWow64\wininet.dll

2012-11-26 15:08 . 2012-11-26 15:08 158720 ----a-w- c:\windows\SysWow64\msls31.dll

2012-11-26 15:08 . 2012-11-26 15:08 150528 ----a-w- c:\windows\SysWow64\iexpress.exe

2012-11-26 15:08 . 2012-11-26 15:08 137216 ----a-w- c:\windows\SysWow64\ieUnatt.exe

2012-11-26 15:08 . 2012-11-26 15:08 135680 ----a-w- c:\windows\SysWow64\wextract.exe

2012-11-26 15:07 . 2012-11-26 15:07 73728 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe

2012-11-26 15:07 . 2012-11-26 15:07 61952 ----a-w- c:\windows\SysWow64\tdc.ocx

2012-11-26 15:07 . 2012-11-26 15:07 61440 ----a-w- c:\windows\SysWow64\iesetup.dll

2012-11-26 15:07 . 2012-11-26 15:07 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll

2012-11-26 15:07 . 2012-11-26 15:07 38400 ----a-w- c:\windows\SysWow64\imgutil.dll

2012-11-26 15:07 . 2012-11-26 15:07 361984 ----a-w- c:\windows\SysWow64\html.iec

2012-11-26 15:07 . 2012-11-26 15:07 2882048 ----a-w- c:\windows\SysWow64\jscript9.dll

2012-11-26 15:07 . 2012-11-26 15:07 23040 ----a-w- c:\windows\SysWow64\licmgr10.dll

2012-11-26 15:07 . 2012-11-26 15:07 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl

2012-11-26 15:07 . 2012-11-26 15:07 12800 ----a-w- c:\windows\SysWow64\mshta.exe

2012-11-26 15:07 . 2012-11-26 15:07 111104 ----a-w- c:\windows\SysWow64\IEAdvpack.dll

2012-11-26 15:07 . 2012-11-26 15:07 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll

2012-11-26 15:07 . 2012-11-26 15:07 89600 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

2012-11-26 15:07 . 2012-11-26 15:07 81408 ----a-w- c:\windows\system32\icardie.dll

2012-11-26 15:07 . 2012-11-26 15:07 762368 ----a-w- c:\windows\system32\ieapfltr.dll

2012-11-26 15:07 . 2012-11-26 15:07 53760 ----a-w- c:\windows\system32\jsproxy.dll

2012-11-26 15:07 . 2012-11-26 15:07 50688 ----a-w- c:\windows\system32\ie4uinit.exe

2012-11-26 15:07 . 2012-11-26 15:07 453120 ----a-w- c:\windows\system32\dxtmsft.dll

2012-11-26 15:07 . 2012-11-26 15:07 441856 ----a-w- c:\windows\system32\html.iec

2012-11-26 15:07 . 2012-11-26 15:07 39936 ----a-w- c:\windows\system32\iernonce.dll

2012-11-26 15:07 . 2012-11-26 15:07 281600 ----a-w- c:\windows\system32\dxtrans.dll

2012-11-26 15:07 . 2012-11-26 15:07 2670080 ----a-w- c:\windows\system32\iertutil.dll

2012-11-26 15:07 . 2012-11-26 15:07 2245120 ----a-w- c:\windows\system32\wininet.dll

2012-11-26 15:07 . 2012-11-26 15:07 216576 ----a-w- c:\windows\system32\msls31.dll

2012-11-26 15:07 . 2012-11-26 15:07 197120 ----a-w- c:\windows\system32\msrating.dll

2012-11-26 15:07 . 2012-11-26 15:07 1400416 ----a-w- c:\windows\system32\ieapfltr.dat

2012-11-26 15:07 . 2012-11-26 15:07 1352192 ----a-w- c:\windows\system32\urlmon.dll

2012-11-26 15:07 . 2012-11-26 15:07 97280 ----a-w- c:\windows\system32\mshtmled.dll

2012-11-26 15:07 . 2012-11-26 15:07 92160 ----a-w- c:\windows\system32\SetIEInstalledDate.exe

2012-11-26 15:07 . 2012-11-26 15:07 905216 ----a-w- c:\windows\system32\mshtmlmedia.dll

2012-11-26 15:07 . 2012-11-26 15:07 854528 ----a-w- c:\windows\system32\jscript.dll

2012-11-26 15:07 . 2012-11-26 15:07 77312 ----a-w- c:\windows\system32\tdc.ocx

2012-11-26 15:07 . 2012-11-26 15:07 67072 ----a-w- c:\windows\system32\iesetup.dll

2012-11-26 15:07 . 2012-11-26 15:07 62976 ----a-w- c:\windows\system32\pngfilt.dll

2012-11-26 15:07 . 2012-11-26 15:07 603136 ----a-w- c:\windows\system32\msfeeds.dll

2012-11-26 15:07 . 2012-11-26 15:07 593408 ----a-w- c:\windows\system32\vbscript.dll

2012-11-26 15:07 . 2012-11-26 15:07 531456 ----a-w- c:\windows\system32\ieui.dll

2012-11-26 15:07 . 2012-11-26 15:07 52224 ----a-w- c:\windows\system32\msfeedsbs.dll

2012-11-26 15:07 . 2012-11-26 15:07 51200 ----a-w- c:\windows\system32\imgutil.dll

2012-11-26 15:07 . 2012-11-26 15:07 48640 ----a-w- c:\windows\system32\mshtmler.dll

2012-11-26 15:07 . 2012-11-26 15:07 3966976 ----a-w- c:\windows\system32\jscript9.dll

2012-11-26 15:07 . 2012-11-26 15:07 27648 ----a-w- c:\windows\system32\licmgr10.dll

2012-11-26 15:07 . 2012-11-26 15:07 270848 ----a-w- c:\windows\system32\iedkcs32.dll

2012-11-26 15:07 . 2012-11-26 15:07 247296 ----a-w- c:\windows\system32\webcheck.dll

2012-11-26 15:07 . 2012-11-26 15:07 235008 ----a-w- c:\windows\system32\url.dll

2012-11-26 15:07 . 2012-11-26 15:07 173568 ----a-w- c:\windows\system32\ieUnatt.exe

2012-11-26 15:07 . 2012-11-26 15:07 167424 ----a-w- c:\windows\system32\iexpress.exe

2012-11-26 15:07 . 2012-11-26 15:07 15418368 ----a-w- c:\windows\system32\ieframe.dll

2012-11-26 15:07 . 2012-11-26 15:07 1509376 ----a-w- c:\windows\system32\inetcpl.cpl

2012-11-26 15:07 . 2012-11-26 15:07 149504 ----a-w- c:\windows\system32\occache.dll

2012-11-26 15:07 . 2012-11-26 15:07 142848 ----a-w- c:\windows\system32\wextract.exe

2012-11-26 15:07 . 2012-11-26 15:07 13824 ----a-w- c:\windows\system32\mshta.exe

2012-11-26 15:07 . 2012-11-26 15:07 136704 ----a-w- c:\windows\system32\iesysprep.dll

2012-11-26 15:07 . 2012-11-26 15:07 136192 ----a-w- c:\windows\system32\iepeers.dll

2012-11-26 15:07 . 2012-11-26 15:07 136192 ----a-w- c:\windows\system32\IEAdvpack.dll

2012-11-26 15:07 . 2012-11-26 15:07 12800 ----a-w- c:\windows\system32\msfeedssync.exe

2012-11-26 15:07 . 2012-11-26 15:07 102912 ----a-w- c:\windows\system32\inseng.dll

2012-11-26 15:06 . 2012-11-26 15:06 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll

2012-11-26 15:06 . 2012-11-26 15:06 465920 ----a-w- c:\windows\system32\WMPhoto.dll

2012-11-26 15:06 . 2012-11-26 15:06 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll

2012-11-26 15:06 . 2012-11-26 15:06 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 3928064 ----a-w- c:\windows\system32\d2d1.dll

2012-11-26 15:06 . 2012-11-26 15:06 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll

2012-11-26 15:06 . 2012-11-26 15:06 363008 ----a-w- c:\windows\system32\dxgi.dll

2012-11-26 15:06 . 2012-11-26 15:06 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 2776576 ----a-w- c:\windows\system32\msmpeg2vdec.dll

2012-11-26 15:06 . 2012-11-26 15:06 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll

2012-11-26 15:06 . 2012-11-26 15:06 2434560 ----a-w- c:\windows\system32\d3d10warp.dll

2012-11-26 15:06 . 2012-11-26 15:06 2284544 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll

2012-11-26 15:06 . 2012-11-26 15:06 1682432 ----a-w- c:\windows\system32\XpsPrint.dll

2012-11-26 15:06 . 2012-11-26 15:06 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll

2012-11-26 15:06 . 2012-11-26 15:06 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll

2012-11-26 15:06 . 2012-11-26 15:06 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"OfficeScanNT Monitor"="c:\program files (x86)\Trend Micro\Client Server Security Agent\pccntmon.exe" [2009-10-08 1484080]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 5 (0x5)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableUIADesktopToggle"= 0 (0x0)

"SoftwareSASGeneration"= 3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui]

[BU]

.

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]

R2 CryptSvc32;Cryptographic Services ;c:\windows\system32\WSManMigrationPlugin32.exe [x]

R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]

R2 SCardSvr32;Smart Card ;c:\programdata\imagesp132.exe [x]

R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-05-07 169472]

R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]

R3 V0560Vid;Creative Live! Cam Optia AF Driver;c:\windows\system32\DRIVERS\V0560Vid.sys [2009-06-16 343360]

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-08-17 1255736]

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]

S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [2010-07-14 87600]

S1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\DRIVERS\tmlwf.sys [2009-07-15 200720]

S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-06-03 277032]

S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]

S2 Hp.Skyroom.Windows.Service;HP SkyRoom;c:\program files (x86)\Hewlett-Packard\HP SkyRoom\Hp.Skyroom.Windows.Service.exe [2010-03-03 124472]

S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-03-28 94264]

S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [2010-01-19 297984]

S2 rgsender;Remote Graphics Sender Service;c:\program files (x86)\Hewlett-Packard\HP SkyRoom\remote graphics sender\rgsendersvc.exe [2009-11-19 379904]

S2 TmFilter;Trend Micro Filter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys [2012-07-17 344376]

S2 TmPreFilter;Trend Micro PreFilter;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys [2012-07-17 42808]

S2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\DRIVERS\tmwfp.sys [2009-07-15 339984]

S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2009-07-24 2066968]

S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k62x64.sys [2009-10-01 281568]

S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-07-24 56344]

S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [2009-05-19 702976]

S3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\DRIVERS\livecamv.sys [2007-02-05 49664]

S3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmPfw.exe [2009-07-15 595960]

S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files (x86)\Trend Micro\Client Server Security Agent\TmProxy.exe [2009-07-15 917768]

.

.

Contents of the 'Scheduled Tasks' folder

.

2013-01-01 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-18 17:22]

.

2012-12-28 c:\windows\Tasks\HPCeeScheduleForLBM2.job

- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 04:15]

.

2013-01-01 c:\windows\Tasks\Rhmbyo.job

- c:\windows\system32\rundll32.exe [2009-07-13 01:14]

.

.

--------- X64 Entries -----------

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\LBM2\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\LBM2\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\LBM2\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2012-11-13 23:32 162552 ----a-w- c:\users\LBM2\AppData\Roaming\Dropbox\bin\DropboxExt64.17.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"picon"="c:\program files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" [2009-07-24 796696]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-11-04 162584]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-11-04 386840]

"Persistence"="c:\windows\system32\igfxpers.exe" [2011-11-04 417560]

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService

FontCache

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uLocal Page = c:\windows\system32\blank.htm

uDefault_Search_URL = hxxp://www.google.com/ie

mLocal Page = c:\windows\SysWOW64\blank.htm

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11

FF - ProfilePath - c:\users\LBM2\AppData\Roaming\Mozilla\Firefox\Profiles\jo6hnl2w.default\

FF - prefs.js: network.proxy.type - 0

FF - ExtSQL: 2012-12-13 10:24; {34f16eca-5790-95e4-1d09-264e2f59518e}; c:\users\LBM2\AppData\Roaming\Mozilla\Firefox\Profiles\jo6hnl2w.default\extensions\{34f16eca-5790-95e4-1d09-264e2f59518e}

FF - ExtSQL: 2012-12-13 10:24; {46d606b0-a645-11df-981c-0800200c9a66}; c:\users\LBM2\AppData\Roaming\Mozilla\Firefox\Profiles\jo6hnl2w.default\extensions\{46d606b0-a645-11df-981c-0800200c9a66}

FF - ExtSQL: 2012-12-13 10:24; {5C46D283-ABDE-4dce-B83C-08881401921C}; c:\users\LBM2\AppData\Roaming\Mozilla\Firefox\Profiles\jo6hnl2w.default\extensions\{5C46D283-ABDE-4dce-B83C-08881401921C}

.

- - - - ORPHANS REMOVED - - - -

.

AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_5_502_135_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Shockwave Flash Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]

@="0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]

@="ShockwaveFlash.ShockwaveFlash.11"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="ShockwaveFlash.ShockwaveFlash"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]

@Denied: (A 2) (Everyone)

@="Macromedia Flash Factory Object"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx"

"ThreadingModel"="Apartment"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]

@="FlashFactory.FlashFactory.1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]

@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_5_502_135.ocx, 1"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]

@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]

@="1.0"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]

@="FlashFactory.FlashFactory"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

Completion time: 2013-01-01 17:43:10

ComboFix-quarantined-files.txt 2013-01-01 23:43

ComboFix2.txt 2012-12-31 15:18

.

Pre-Run: 218,014,330,880 bytes free

Post-Run: 217,928,515,584 bytes free

.

- - End Of File - - DD6319DBA9C2B4743212332327CC28B1


  • Staff

Greetings,

First, I would like you to go here and click on the fixit button - http://support.microsoft.com/kb/923737

 

Then I want you to do the following:

  • Start Internet Explorer.
  • click on "safety"
  • click on "Delete Browsing History"
  • make sure all boxes are checked
  • click on "Delete"
  • click on "Tools",
  • click "Internet Options".
  • On the "Advanced" tab, click "Reset"
  • put a check mark next to "Delete Personal Settings"
  • click "Reset" to confirm
  • when complete click the "Close" button
  • restart IE

 

Gringo


I did the reset. I was about to post that IE was working normally, but it won't do anything now. The homepage reset to msn.com during the reset which is not a problem. I got it to load and was able to go to google.com to do a search. The first search result I clicked on took me to newsbusters.com. Now I try to load IE and the homepage won't even load.


Ok, Adobe Flash Player appears to have been the culprit. I have uninstalled it for now. Also I have disabled all other addons for IE for right now.

Google search and Bing search are redirecting me to Newsbusters in IE every time I try to use a search link. In Firefox, google search results sometimes go to the proper site, sometimes go to ihavenet.com.


  • Staff

Greetings

I want you to run these next:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.

  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

Please reply with the reports from TDSSKiller and aswMBR.

Gringo


Both scans completed. Both browsers are still redirecting to newsbusters from various search engines.

TDSS spit out 2 reports, I have both here.

13:37:20.0034 4652 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35

13:37:22.0047 4652 ============================================================

13:37:22.0047 4652 Current date / time: 2013/01/02 13:37:22.0047

13:37:22.0047 4652 SystemInfo:

13:37:22.0047 4652

13:37:22.0047 4652 OS Version: 6.1.7601 ServicePack: 1.0

13:37:22.0047 4652 Product type: Workstation

13:37:22.0047 4652 ComputerName: LBM2-HP

13:37:22.0047 4652 UserName: LBM2

13:37:22.0047 4652 Windows directory: C:\Windows

13:37:22.0047 4652 System windows directory: C:\Windows

13:37:22.0047 4652 Running under WOW64

13:37:22.0047 4652 Processor architecture: Intel x64

13:37:22.0047 4652 Number of processors: 4

13:37:22.0047 4652 Page size: 0x1000

13:37:22.0047 4652 Boot type: Normal boot

13:37:22.0047 4652 ============================================================

13:37:22.0359 4652 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040

13:37:22.0359 4652 ============================================================

13:37:22.0359 4652 \Device\Harddisk0\DR0:

13:37:22.0359 4652 MBR partitions:

13:37:22.0359 4652 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3FF800

13:37:22.0359 4652 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x400000, BlocksNum 0x2438F000

13:37:22.0359 4652 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x2478F000, BlocksNum 0xC9A800

13:37:22.0359 4652 ============================================================

13:37:22.0390 4652 C: <-> \Device\Harddisk0\DR0\Partition2

13:37:22.0421 4652 D: <-> \Device\Harddisk0\DR0\Partition3

13:37:22.0421 4652 ============================================================

13:37:22.0421 4652 Initialize success

13:37:22.0421 4652 ============================================================

13:37:45.0494 1348 Deinitialize success


aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software

Run date: 2013-01-02 13:44:15

-----------------------------

13:44:15.652 OS Version: Windows x64 6.1.7601 Service Pack 1

13:44:15.652 Number of processors: 4 586 0x170A

13:44:15.652 ComputerName: LBM2-HP UserName: LBM2

13:44:20.846 Initialize success

13:45:10.659 AVAST engine defs: 13010200

13:45:16.696 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

13:45:16.696 Disk 0 Vendor: ST332041 HP35 Size: 305245MB BusType: 3

13:45:16.712 Disk 0 MBR read successfully

13:45:16.712 Disk 0 MBR scan

13:45:16.712 Disk 0 Windows 7 default MBR code

13:45:16.727 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 2047 MB offset 2048

13:45:16.727 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 296734 MB offset 4194304

13:45:16.758 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 6453 MB offset 611905536

13:45:16.790 Disk 0 scanning C:\Windows\system32\drivers

13:45:36.555 Service scanning

13:45:54.620 Service TmFilter C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmXPFlt.sys **LOCKED** 32

13:45:54.932 Service TmPreFilter C:\Program Files (x86)\Trend Micro\Client Server Security Agent\TmPreFlt.sys **LOCKED** 32

13:45:57.163 Service VSApiNt C:\Program Files (x86)\Trend Micro\Client Server Security Agent\VSApiNt.sys **LOCKED** 32

13:46:00.173 Modules scanning

13:46:00.173 Disk 0 trace - called modules:

13:46:00.189 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iastor.sys hal.dll

13:46:00.205 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800521e060]

13:46:00.205 3 CLASSPNP.SYS[fffff88001bc343f] -> nt!IofCallDriver -> [0xfffffa800362ce40]

13:46:00.205 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004bb7050]

13:46:16.210 AVAST engine scan C:\Windows

13:46:20.219 Disk 0 MBR has been saved successfully to "C:\Users\LBM2\Desktop\MBR.dat"

13:46:20.235 The log file has been saved successfully to "C:\Users\LBM2\Desktop\aswMBR.txt"

13:46:21.637 AVAST engine scan C:\Windows\system32

13:50:46.915 AVAST engine scan C:\Windows\system32\drivers

13:51:05.058 AVAST engine scan C:\Users\LBM2

14:00:58.905 AVAST engine scan C:\ProgramData

14:02:46.373 Scan finished successfully

14:04:19.708 Disk 0 MBR has been saved successfully to "C:\Users\LBM2\Desktop\MBR.dat"

14:04:19.739 The log file has been saved successfully to "C:\Users\LBM2\Desktop\aswMBR.txt"


  • Staff

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later

  • Please post the contents of OTL.txt in your next reply.

Gringo


  • Staff

Greetings

 

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools.

 

 

 

Gringo


I apologize for the delay here. The computer lost the ability to download files from IE or Firefox. I spent an entire morning working on that problem alone, even installing web browsers via flash drive with no improvements. At that point my uncle and I decided that the time invested was exceeding what it would cost to get a new computer to use and then wipe this one and do a fresh install. We were wanting to save Adobe Photoshop and the related files, but decided that it was time to upgrade to the newest version anyway and it was simpler to go with a little more horsepower and a fresh start. I'm going to keep this computer disconnected from my network and use it as reference for the next few weeks, then I'll do a full wipe on the drive to clear whatever infection it has. A fresh install of Win 7 Pro and I've now got a backup in case something crazy happens again.

I apologize again for the slow response here, the last week has been busy. I wish this had been a simpler fix, but it seems that I got one hell of a bug this time. I do thank you for the help. Hopefully the major antivirus groups get this one figured out soon and get it in the protection.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
