
Thread: A simple browser hijacker, I hope.

  1. #11 ken545 (Security Expert; Stamford, CT; joined Nov 2005; 13,358 posts)

    Let's try a few more things. There will be no Extras log on the second run of OTL.

    Please download GooredFix from one of the locations below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Ensure all Firefox windows are closed.
    • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
    • When prompted to run the scan, click Yes.
    • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • See this Link for programs that need to be disabled and instructions on how to disable them.
    • Remember to re-enable them when we're done.

    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  2. #12 Junior Member (joined Jul 2012; 12 posts)

    GooredFix didn't find anything. ComboFix removed a few items, but I'm still being redirected at search engines.

    Here is my GooredFix log:

    GooredFix by jpshortstuff (03.07.10.1)
    Log created at 12:23 on 27/07/2012 (Matthew)
    Firefox version 14.0.1 (en-US)

    ========== GooredScan ==========


    ========== GooredLog ==========

    C:\Program Files (x86)\Mozilla Firefox\extensions\
    {972ce4c6-7e08-4474-a285-3208198ce6fd} [01:43 20/05/2009]

    C:\Users\Matthew\Application Data\Mozilla\Firefox\Profiles\z7yr9m7x.default\extensions\
    ation [13:30 26/07/2012]
    {20a82645-c095-46ed-80e3-08825760534b} [03:18 25/06/2010]
    {bee6eb20-01e0-ebd1-da83-080329fb9a3a} [13:04 24/07/2012]

    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [00:09 20/05/2009]
    "{D19CA586-DD6C-4a0a-96F8-14644F340D60}"="C:\Program Files (x86)\Common Files\McAfee\SystemCore" [13:00 01/09/2010]

    -=E.O.F=-

    ----------------------------------------------------------------------

    Here is my ComboFix log:

    ComboFix 12-07-27.03 - Matthew 07/27/2012 15:33:58.1.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8180.6205 [GMT -5:00]
    Running from: c:\users\Matthew\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Spybot - Search and Destroy *Disabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\install.exe
    c:\users\Matthew\AppData\Local\DataSafeOnline\Citrix\fvuldh.dll
    c:\users\Matthew\GoToAssistDownloadHelper.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-27 20:43 . 2012-07-27 20:43 -------- d-----w- c:\users\RA Media Server\AppData\Local\temp
    2012-07-27 20:43 . 2012-07-27 20:43 -------- d-----w- c:\users\Matthew\AppData\Local\temp
    2012-07-27 20:43 . 2012-07-27 20:43 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-27 20:43 . 2012-07-27 20:43 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-07-27 19:21 . 2012-07-16 07:40 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CE257739-D8EC-4DC0-88EB-59839413F92E}\mpengine.dll
    2012-07-27 13:51 . 2012-07-27 13:51 -------- d-----w- C:\_OTL
    2012-07-26 13:30 . 2012-07-26 13:30 -------- d-----w- c:\users\Matthew\AppData\Roaming\QFX Software
    2012-07-26 13:30 . 2012-07-26 13:30 -------- d-----w- c:\programdata\QFX Software
    2012-07-26 13:30 . 2012-07-26 13:30 -------- d-----w- c:\program files (x86)\KeyScrambler
    2012-07-26 13:30 . 2011-12-15 00:46 222904 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
    2012-07-26 04:12 . 2012-07-26 04:12 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
    2012-07-23 17:38 . 2010-05-26 15:39 6144 ----a-w- c:\windows\system32\4011.tmp
    2012-07-23 17:36 . 2010-05-26 15:39 6144 ----a-w- c:\windows\system32\F23F.tmp
    2012-07-23 13:35 . 2010-05-26 15:39 6144 ----a-w- c:\windows\system32\9924.tmp
    2012-07-23 13:33 . 2010-05-26 15:39 6144 ----a-w- c:\windows\system32\4E4E.tmp
    2012-07-23 13:33 . 2012-07-23 13:33 -------- d-----w- c:\program files (x86)\Sophos
    2012-07-21 21:01 . 2012-07-21 21:01 -------- d-----w- c:\users\Matthew\AppData\Roaming\Ad-Aware Antivirus
    2012-07-18 22:13 . 2012-07-18 22:15 -------- d-----w- c:\programdata\HitmanPro
    2012-07-18 15:59 . 2012-07-18 18:15 -------- d-----w- c:\programdata\MFAData
    2012-07-18 15:59 . 2012-07-18 15:59 -------- d--h--w- c:\programdata\Common Files
    2012-07-18 13:41 . 2009-01-25 18:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
    2012-07-18 13:31 . 2012-07-18 13:31 -------- d-----w- c:\users\Matthew\AppData\Roaming\Safer Networking
    2012-07-18 13:30 . 2012-07-18 13:30 -------- d-----w- c:\program files (x86)\Safer Networking
    2012-07-17 17:30 . 2012-07-17 17:30 -------- d-----w- c:\program files (x86)\NoVirusThanks
    2012-07-11 20:39 . 2012-07-11 20:39 -------- d-----w- c:\users\Matthew\AppData\Roaming\XRay Engine
    2012-07-10 21:16 . 2012-06-05 16:22 974848 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-27 03:54 . 2012-03-29 12:59 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-27 03:54 . 2011-05-31 13:00 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-11 00:12 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
    2012-07-03 18:46 . 2009-09-04 00:37 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-02 22:19 . 2012-06-23 23:25 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-23 23:26 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-23 23:26 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-23 23:26 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-23 23:25 35864 ----a-w- c:\windows\SysWow64\wups.dll
    2012-06-02 22:19 . 2012-06-23 23:25 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-23 23:25 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
    2012-06-02 22:15 . 2012-06-23 23:26 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-23 23:25 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 22:12 . 2012-06-23 23:25 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
    2012-06-02 20:19 . 2012-06-23 23:25 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 20:19 . 2012-06-23 23:25 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2012-06-02 20:15 . 2012-06-23 23:25 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 20:12 . 2012-06-23 23:25 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2012-05-31 17:25 . 2010-03-09 04:49 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-01 14:29 . 2012-06-13 19:17 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "XPS Thermal Monitor"="c:\program files\Dell\XPS Thermal Monitor\ThermalApp.exe" [2008-12-09 303104]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "VolPanel"="c:\program files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
    "SPIRunE"="SPIRunE.dll" [2007-05-09 18432]
    "PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-02-15 636032]
    "Logitech G35"="c:\program files (x86)\Logitech\G35\G35.exe" [2010-10-05 1811800]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]
    .
    c:\users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Logitech blank Product Registration.lnk - c:\program files (x86)\Logitech\G35\eReg.exe [2008-2-13 493832]
    .
    c:\users\RA Media Server\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-27 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
    - c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2012-07-18 17:41]
    .
    2012-07-18 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
    - c:\program files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2012-07-18 17:40]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlienFX Controller"="c:\program files\Alienware\AlienFX\AlienwareAlienFXController.exe" [2008-10-29 79872]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "DSUpdateLauncher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\runhstart.bat" [2009-02-17 361]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://www.google.com/ie
    mWindow Title = ShawneeLink
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~2\MI1933~1\Office12\EXCEL.EXE/3000
    LSP: %SYSTEMROOT%\system32\BfLLR.dll
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{FF9C67AB-5215-40DD-8C79-6340E99DF643}: NameServer = 216.240.66.19
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\z7yr9m7x.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Wow6432Node-HKCU-Run-Citrix - c:\users\Matthew\AppData\Local\DataSafeOnline\Citrix\fvuldh.dll
    Notify-SDWinLogon - SDWinLogon.dll
    HKLM-Run-(Default) - (no file)
    AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\4011.tmp"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
    "ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD DX\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3991885356-2454324123-696889439-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    "??"=hex:08,96,0f,24,78,e7,56,44,a0,07,fa,c7,5f,10,59,5d,bc,c6,6a,d6,13,2b,c2,
    8f,aa,3e,ff,a4,66,76,11,5e,a9,a3,5e,90,04,9d,0c,f1,15,17,a5,a5,c9,53,de,43,\
    "??"=hex:65,34,23,f1,ac,3e,ae,99,14,20,f8,2a,53,ca,02,2f
    .
    [HKEY_USERS\S-1-5-21-3991885356-2454324123-696889439-1000\Software\SecuROM\License information*]
    "datasecu"=hex:3c,f8,a4,de,0e,8b,9a,71,a5,43,ff,8f,55,6b,02,c7,ae,d9,3a,f8,79,
    37,19,a1,b7,6d,c0,11,8d,d7,36,30,4c,1d,bf,21,bd,63,3d,38,78,ee,7a,52,48,ab,\
    "rkeysecu"=hex:75,0a,ce,a6,a0,5f,8b,7b,42,5d,26,2b,f0,54,82,9c
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.9"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9f.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    Completion time: 2012-07-27 15:45:46
    ComboFix-quarantined-files.txt 2012-07-27 20:45
    .
    Pre-Run: 209,071,542,272 bytes free
    Post-Run: 208,851,456,000 bytes free
    .
    - - End Of File - - D5BBEBCA07E4C7B6B47EA290F2642202

  3. #13 ken545 (Security Expert; Stamford, CT; joined Nov 2005; 13,358 posts)

    Run this quick scan. I don't believe this is the problem, so it's just a double-check.

    Download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it
    • A window will open on your desktop
    • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
    • Please post the contents of that file.

    ESET Online Scanner
    I'd like us to scan your machine with ESET OnlineScan

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Make sure that the option "Remove found threats" is Unchecked
    9. Push the Start button.
    10. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    11. When the scan completes, push
    12. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    13. Push the button.
    14. Push
    Please make sure you include the following items in your next post:
    The log that was produced after running ESET Online Scanner.

  4. #14 Junior Member (joined Jul 2012; 12 posts)

    MBRCheck didn't detect anything, but ESET Online Detector found a redirector trojan.

    Here is the log from MBRCheck:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 64-bit
    Base Board Manufacturer: Dell Inc.
    BIOS Manufacturer: Dell Inc.
    System Manufacturer: Dell Inc.
    System Product Name: XPS 625
    Logical Drives Mask: 0x0000003d

    2896 C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    1912 C:\Windows\SysWOW64\PnkBstrA.exe
    1932 C:\Windows\SysWOW64\PnkBstrB.exe
    1804 C:\Windows\System32\svchost.exe
    1788 C:\Program Files (x86)\RadeonPro\RadeonProSupport.exe
    3372 C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    3396 C:\Windows\System32\taskeng.exe
    3432 C:\Windows\System32\svchost.exe
    3460 C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
    3504 C:\Windows\System32\svchost.exe
    3540 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    3572 C:\Windows\System32\SearchIndexer.exe
    3660 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    3732 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    3768 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    4092 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    4876 C:\Windows\System32\atieclxx.exe
    1884 C:\Windows\System32\dwm.exe
    924 C:\Windows\explorer.exe
    4820 C:\Windows\System32\taskeng.exe
    5796 C:\Program Files\Alienware\AlienFX\AlienwareAlienFXController.exe
    5804 C:\Program Files\Dell\XPS Thermal Monitor\ThermalApp.exe
    5840 C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
    5888 C:\Windows\SysWOW64\svchost.exe
    5904 C:\Windows\SysWOW64\rundll32.exe
    5920 C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    5940 C:\Program Files\McAfee.com\Agent\mcagent.exe
    5980 C:\Program Files (x86)\Logitech\G35\G35.exe
    5992 C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    4808 taskeng.exe
    4604 C:\Windows\System32\SearchProtocolHost.exe
    1292 C:\Program Files\Alienware\AlienFX\AlienFXHook32Mngr.exe
    1356 C:\Program Files\Alienware\AlienFX\AlienFXHook64Mngr.exe
    5092 C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
    5816 C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
    4828 C:\Windows\System32\svchost.exe
    7164 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    6960 C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    6224 C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
    6832 C:\Program Files\Common Files\McAfee\Core\mchost.exe
    6168 C:\Windows\System32\SearchFilterHost.exe
    6232 C:\Users\Matthew\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`83f00000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`03f00000 (NTFS)

    PhysicalDrive0 Model Number: HitachiHDS721075KLA3, Rev: GK8O

    Size Device Name MBR Status
    --------------------------------------------
    698 GB \\.\PhysicalDrive0 RE: Windows Vista MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


    Done!

    -----------------------------------------------------------------------


    Here is the log from ESET Online Scanner:

    C:\Qoobox\Quarantine\C\Users\Matthew\AppData\Local\DataSafeOnline\Citrix\fvuldh.dll.vir a variant of Win32/Kryptik.AIZP trojan
    C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\z7yr9m7x.default\extensions\lnmdhusbuh@lnmdhusbuh.org.xpi JS/Redirector.NCA trojan

  5. #15  ken545 (Security Expert; Stamford, CT; joined Nov 2005; 13,358 posts)

    Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Registry::


    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
    "C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\z7yr9m7x.default\extensions\lnmdhusbuh@lnmdhusbuh.org"=-
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.




    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  6. #16  Junior Member (joined Jul 2012; 12 posts)

    After running Combofix with the script as specified, Internet Explorer is no longer being redirected. Firefox, however, is still being redirected at search engines.

    Here is my Combofix log:

    ComboFix 12-07-27.03 - Matthew 07/28/2012 16:22:55.2.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8180.6589 [GMT -5:00]
    Running from: c:\users\Matthew\Desktop\ComboFix.exe
    Command switches used :: c:\users\Matthew\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Spybot - Search and Destroy *Disabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Matthew\AppData\Roaming\inst.exe
    c:\users\Matthew\AppData\Roaming\vso_ts_preview.xml
    c:\windows\SysWow64\rnaph.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-28 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-28 21:34 . 2012-07-28 21:34 -------- d-----w- c:\users\RA Media Server\AppData\Local\temp
    2012-07-28 21:34 . 2012-07-28 21:34 -------- d-----w- c:\users\Matthew\AppData\Local\temp
    2012-07-28 21:34 . 2012-07-28 21:34 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-07-28 21:34 . 2012-07-28 21:34 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2012-07-28 04:24 . 2012-07-28 04:24 -------- d-----w- c:\program files (x86)\ESET
    2012-07-27 19:21 . 2012-07-16 07:40 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CE257739-D8EC-4DC0-88EB-59839413F92E}\mpengine.dll
    2012-07-27 13:51 . 2012-07-27 13:51 -------- d-----w- C:\_OTL
    2012-07-26 13:30 . 2012-07-26 13:30 -------- d-----w- c:\users\Matthew\AppData\Roaming\QFX Software
    2012-07-26 13:30 . 2012-07-26 13:30 -------- d-----w- c:\programdata\QFX Software
    2012-07-26 13:30 . 2012-07-26 13:30 -------- d-----w- c:\program files (x86)\KeyScrambler
    2012-07-26 13:30 . 2011-12-15 00:46 222904 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
    2012-07-26 04:12 . 2012-07-26 04:12 27256 ----a-w- c:\windows\system32\drivers\FixZeroAccess.sys
    2012-07-23 17:38 . 2010-05-26 15:39 6144 ----a-w- c:\windows\system32\4011.tmp
    2012-07-23 17:36 . 2010-05-26 15:39 6144 ----a-w- c:\windows\system32\F23F.tmp
    2012-07-23 13:35 . 2010-05-26 15:39 6144 ----a-w- c:\windows\system32\9924.tmp
    2012-07-23 13:33 . 2010-05-26 15:39 6144 ----a-w- c:\windows\system32\4E4E.tmp
    2012-07-23 13:33 . 2012-07-23 13:33 -------- d-----w- c:\program files (x86)\Sophos
    2012-07-21 21:01 . 2012-07-21 21:01 -------- d-----w- c:\users\Matthew\AppData\Roaming\Ad-Aware Antivirus
    2012-07-18 22:13 . 2012-07-18 22:15 -------- d-----w- c:\programdata\HitmanPro
    2012-07-18 15:59 . 2012-07-18 18:15 -------- d-----w- c:\programdata\MFAData
    2012-07-18 15:59 . 2012-07-18 15:59 -------- d--h--w- c:\programdata\Common Files
    2012-07-18 13:41 . 2009-01-25 18:14 17272 ----a-w- c:\windows\system32\sdnclean64.exe
    2012-07-18 13:31 . 2012-07-18 13:31 -------- d-----w- c:\users\Matthew\AppData\Roaming\Safer Networking
    2012-07-18 13:30 . 2012-07-18 13:30 -------- d-----w- c:\program files (x86)\Safer Networking
    2012-07-17 17:30 . 2012-07-17 17:30 -------- d-----w- c:\program files (x86)\NoVirusThanks
    2012-07-11 20:39 . 2012-07-11 20:39 -------- d-----w- c:\users\Matthew\AppData\Roaming\XRay Engine
    2012-07-10 21:16 . 2012-06-05 16:22 974848 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-07-27 03:54 . 2012-03-29 12:59 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2012-07-27 03:54 . 2011-05-31 13:00 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-07-11 00:12 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
    2012-07-03 18:46 . 2009-09-04 00:37 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-06-02 22:19 . 2012-06-23 23:25 38424 ----a-w- c:\windows\system32\wups.dll
    2012-06-02 22:19 . 2012-06-23 23:26 2428952 ----a-w- c:\windows\system32\wuaueng.dll
    2012-06-02 22:19 . 2012-06-23 23:26 44056 ----a-w- c:\windows\system32\wups2.dll
    2012-06-02 22:19 . 2012-06-23 23:26 57880 ----a-w- c:\windows\system32\wuauclt.exe
    2012-06-02 22:19 . 2012-06-23 23:25 35864 ----a-w- c:\windows\SysWow64\wups.dll
    2012-06-02 22:19 . 2012-06-23 23:25 701976 ----a-w- c:\windows\system32\wuapi.dll
    2012-06-02 22:19 . 2012-06-23 23:25 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
    2012-06-02 22:15 . 2012-06-23 23:26 2622464 ----a-w- c:\windows\system32\wucltux.dll
    2012-06-02 22:15 . 2012-06-23 23:25 99840 ----a-w- c:\windows\system32\wudriver.dll
    2012-06-02 22:12 . 2012-06-23 23:25 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
    2012-06-02 20:19 . 2012-06-23 23:25 186752 ----a-w- c:\windows\system32\wuwebv.dll
    2012-06-02 20:19 . 2012-06-23 23:25 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
    2012-06-02 20:15 . 2012-06-23 23:25 36864 ----a-w- c:\windows\system32\wuapp.exe
    2012-06-02 20:12 . 2012-06-23 23:25 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
    2012-05-31 17:25 . 2010-03-09 04:49 279656 ------w- c:\windows\system32\MpSigStub.exe
    2012-05-01 14:29 . 2012-06-13 19:17 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-07-27_20.43.06 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-21 03:20 . 2012-07-27 20:19 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-07-28 21:03 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2008-01-21 03:20 . 2012-07-28 21:03 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2008-01-21 03:20 . 2012-07-27 20:19 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2008-01-21 03:20 . 2012-07-28 21:03 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2008-01-21 03:20 . 2012-07-27 20:19 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2008-01-21 02:23 . 2012-07-28 21:05 92704 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2006-11-02 15:45 . 2012-07-28 21:05 98934 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-05-19 21:41 . 2012-07-28 21:05 20908 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3991885356-2454324123-696889439-1000_UserData.bin
    + 2009-05-20 01:30 . 2012-07-28 18:57 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    - 2009-05-20 01:30 . 2012-07-27 15:10 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2009-05-19 21:38 . 2012-07-28 21:03 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-05-19 21:38 . 2012-07-27 20:34 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-05-19 21:38 . 2012-07-27 20:34 65536 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-05-19 21:38 . 2012-07-28 21:03 65536 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-05-19 21:38 . 2012-07-28 21:03 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-05-19 21:38 . 2012-07-27 20:34 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2012-07-27 20:19 . 2012-07-27 20:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-28 21:03 . 2012-07-28 21:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    + 2012-07-28 21:03 . 2012-07-28 21:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2012-07-27 20:19 . 2012-07-27 20:19 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-05-20 00:43 . 2012-07-27 20:19 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2009-05-20 00:43 . 2012-07-28 21:03 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    + 2010-10-20 04:32 . 2012-07-28 20:12 374192 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2010-10-20 04:32 . 2012-07-27 20:17 374192 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
    - 2012-07-23 19:36 . 2012-07-27 20:09 4086392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2012-07-28 05:25 . 2012-07-28 20:12 4086392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
    + 2011-05-15 22:06 . 2012-07-28 05:25 4523168 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3991885356-2454324123-696889439-1000-4096.dat
    - 2011-05-15 22:06 . 2012-07-27 17:37 4523168 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3991885356-2454324123-696889439-1000-4096.dat
    + 2011-03-03 22:13 . 2012-07-28 20:12 5720916 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3991885356-2454324123-696889439-1000-12288.dat
    - 2011-03-03 22:13 . 2012-07-27 17:37 5720916 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3991885356-2454324123-696889439-1000-12288.dat
    - 2010-10-20 04:32 . 2012-07-27 20:17 54924448 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3991885356-2454324123-696889439-1000-8192.dat
    + 2010-10-20 04:32 . 2012-07-28 20:12 54924448 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3991885356-2454324123-696889439-1000-8192.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "XPS Thermal Monitor"="c:\program files\Dell\XPS Thermal Monitor\ThermalApp.exe" [2008-12-09 303104]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "VolPanel"="c:\program files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2007-04-17 184320]
    "SPIRunE"="SPIRunE.dll" [2007-05-09 18432]
    "PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
    "GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-02-15 636032]
    "Logitech G35"="c:\program files (x86)\Logitech\G35\G35.exe" [2010-10-05 1811800]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    .
    c:\users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]
    .
    c:\users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Logitech blank Product Registration.lnk - c:\program files (x86)\Logitech\G35\eReg.exe [2008-2-13 493832]
    .
    c:\users\RA Media Server\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
    .
    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDWinLogon]
    SDWinLogon.dll [BU]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-07-28 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
    - c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2012-07-18 17:41]
    .
    2012-07-18 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
    - c:\program files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2012-07-18 17:40]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlienFX Controller"="c:\program files\Alienware\AlienFX\AlienwareAlienFXController.exe" [2008-10-29 79872]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "DSUpdateLauncher"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\runhstart.bat" [2009-02-17 361]
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uDefault_Search_URL = hxxp://www.google.com/ie
    mWindow Title = ShawneeLink
    uInternet Settings,ProxyOverride = <local>
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~2\MI1933~1\Office12\EXCEL.EXE/3000
    LSP: %SYSTEMROOT%\system32\BfLLR.dll
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{FF9C67AB-5215-40DD-8C79-6340E99DF643}: NameServer = 216.240.66.19
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\z7yr9m7x.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
    .
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\4011.tmp"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
    "ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD DX\000.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3991885356-2454324123-696889439-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    @Allowed: (Read) (RestrictedCode)
    "??"=hex:08,96,0f,24,78,e7,56,44,a0,07,fa,c7,5f,10,59,5d,bc,c6,6a,d6,13,2b,c2,
    8f,aa,3e,ff,a4,66,76,11,5e,a9,a3,5e,90,04,9d,0c,f1,15,17,a5,a5,c9,53,de,43,\
    "??"=hex:65,34,23,f1,ac,3e,ae,99,14,20,f8,2a,53,ca,02,2f
    .
    [HKEY_USERS\S-1-5-21-3991885356-2454324123-696889439-1000\Software\SecuROM\License information*]
    "datasecu"=hex:3c,f8,a4,de,0e,8b,9a,71,a5,43,ff,8f,55,6b,02,c7,ae,d9,3a,f8,79,
    37,19,a1,b7,6d,c0,11,8d,d7,36,30,4c,1d,bf,21,bd,63,3d,38,78,ee,7a,52,48,ab,\
    "rkeysecu"=hex:75,0a,ce,a6,a0,5f,8b,7b,42,5d,26,2b,f0,54,82,9c
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.9"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9f.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9f.exe"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    Completion time: 2012-07-28 16:45:41
    ComboFix-quarantined-files.txt 2012-07-28 21:45
    ComboFix2.txt 2012-07-27 20:45
    .
    Pre-Run: 206,742,188,032 bytes free
    Post-Run: 206,667,771,904 bytes free
    .
    - - End Of File - - B2002560CEDC4A1C4E2E4471C7EC0E28

  7. #17  ken545 (Security Expert; Stamford, CT; joined Nov 2005; 13,358 posts)

    Open Firefox and go to Tools > Options > Privacy Tab > Remove Individual Cookies> Remove all cookies

    You need to enable windows to Show all Files and Folders
    Instructions for your Operating System HERE

    Then go here
    C:\Users\Matthew\AppData\Roaming\Mozilla\Firefox\Profiles\z7yr9m7x.default\extensions\lnmdhusbuh@lnmdhusbuh.org<--Delete this


    Reboot and give Firefox another try
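The fix in this thread had two halves: the CFScript in post #15 removed the entry under HKLM\Software\Mozilla\Firefox\Extensions that registered the add-on, and post #17 deleted the unpacked extension folder inside the Firefox profile. The script below is an added example for readers of this thread; it is not part of ken545's instructions and was not posted in the thread. It reads the registry keys Firefox uses for sideloaded extensions (HKLM, HKCU, and the Wow6432Node key on 64-bit Windows) and lists the contents of every profile's extensions folder under %APPDATA%, so both halves can be checked from one place. The "Suspicious" column is only a heuristic of my own for IDs shaped like lnmdhusbuh@lnmdhusbuh.org (the same string of letters on both sides of the @); it is not a vendor detection, and an add-on that it does not flag can still be malicious. Recent Firefox releases no longer silently install add-ons named in these keys, but the entries still record what a program tried to register.

```powershell
# Added example, not code from the thread: audit the two places the fix above touched.
# 1) Registry keys Firefox reads for sideloaded extensions (HKLM/HKCU, plus Wow6432Node on x64).
# 2) The extensions folder of every Firefox profile under the current user's AppData.
# "Suspicious" is only a heuristic for IDs shaped like lnmdhusbuh@lnmdhusbuh.org (an assumption).

$regPaths = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)

function Test-SuspiciousExtensionId {
    param([string]$Id)
    # Heuristic (assumption, not a vendor signature): <letters>@<same letters>.<tld>,
    # optionally with a .xpi suffix. Legitimate add-ons normally use a readable
    # name such as name@vendor.com or a {GUID}.
    if (-not $Id) { return $false }
    $leaf = Split-Path -Leaf $Id          # works for a bare ID and for a full path
    return [bool]($leaf -match '^([a-z]{6,})@\1\.[a-z]{2,4}(\.xpi)?$')
}

function Get-SideloadedExtensions {
    foreach ($path in $regPaths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            # The value name is normally the add-on ID and the data is a path;
            # in this thread the value name itself was the full path.
            $target = [string]$key.GetValue($name)
            New-Object PSObject -Property @{
                Source       = $path
                ValueName    = $name
                Target       = $target
                TargetExists = ($target -ne '' -and (Test-Path -LiteralPath $target))
                Suspicious   = (Test-SuspiciousExtensionId $name) -or (Test-SuspiciousExtensionId $target)
            }
        }
    }
}

function Get-ProfileExtensions {
    $profilesRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profilesRoot)) { return }
    # PSIsContainer instead of -Directory so this also runs on PowerShell 2.0 (Vista era)
    foreach ($profile in (Get-ChildItem $profilesRoot | Where-Object { $_.PSIsContainer })) {
        $extDir = Join-Path $profile.FullName 'extensions'
        if (-not (Test-Path $extDir)) { continue }
        foreach ($item in Get-ChildItem -LiteralPath $extDir -Force) {
            $kind = 'xpi'
            if ($item.PSIsContainer) { $kind = 'unpacked' }
            New-Object PSObject -Property @{
                Profile    = $profile.Name
                Extension  = $item.Name
                Kind       = $kind
                Modified   = $item.LastWriteTime
                Suspicious = Test-SuspiciousExtensionId $item.Name
            }
        }
    }
}

Write-Host '== Registry sideload entries =='
Get-SideloadedExtensions | Format-Table Source, ValueName, Target, TargetExists, Suspicious -AutoSize
Write-Host '== Profile extension folders (newest first) =='
Get-ProfileExtensions | Sort-Object Modified -Descending |
    Format-Table Profile, Extension, Kind, Modified, Suspicious -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable, with Firefox closed. Sort order puts the most recently modified extension first; an unpacked folder or .xpi that appeared on the same day the redirects started is the first thing to look at, whether or not the heuristic flags it. The script only reports; removing an entry is still a manual step (or a CFScript line like the one in post #15) so nothing is deleted without being looked at first.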

  8. #18  Junior Member (joined Jul 2012; 12 posts)

    The hijacking has stopped on both Firefox and Internet Explorer. Thank you so much for your help. I don't think I could have beaten this one without you.

    I'll be standing by for further instructions and/or requests for final logs.

  9. #19  ken545 (Security Expert; Stamford, CT; joined Nov 2005; 13,358 posts)

    Good Morning,

    Glad things are well for you again. Nothing else to do, you look fine.


    • Click START then RUN
    • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.







    Open OTL and click on Clean Up and it will remove the programs we used to clean your system along with their backups; any programs that were not removed you can just drag to the trash.


    Malwarebytes is the free version and yours to keep and will not be removed





    Safe Surfn
    Ken

  10. #20  ken545 (Security Expert; Stamford, CT; joined Nov 2005; 13,358 posts)

    Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.