PDA

View Full Version : Google redirect came back - ken545



AlbertFlorida
2012-09-09, 19:52
Ken -

This is from this thread: http://forums.spybot.info/showthread.php?p=430268#post430268

I didn't see your last post (can't figure out how to get email notification). The other site you suggested was of no help. I did update Java but did not delete combofix yet.

The redirect virus came back ... on firefox. Strange because, defender malwarebytes all show nothing. Guess could be a well entrenched rootkit?

About ready to buy a new laptop and reformat, reload windows & sell this one.

Any ideas?
Albert

ken545
2012-09-10, 01:04
Hello Albert,

Lets start a bit over. You can go ahead and delete Combofix because if we need it again we will just download a new updated copy


aswMBR Log

Important! Please do not perform any fix options offered in aswMBR

Please download aswMBR (http://public.avast.com/%7Egmerek/aswMBR.exe) to your desktop.



Double click the aswMBR icon to run it.
Click the Scan button to start scan.
If you are asked to update the Avast Virus database please allow it to do so.
When it finishes, press the Save Log button, save the logfile to your desktop and post its contents in your next reply.


http://i1224.photobucket.com/albums/ee380/jeffce74/aswmbrscan.jpg (http://i1224.photobucket.com/albums/ee380/jeffce74/aswmbrscan.jpg)




Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).





OTL by OldTimer

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

AlbertFlorida
2012-09-10, 03:56
Hi -
For some reason OTL did not create the extras.txt file this time (others are attached). Do you want me to run OTL again? Also Gooredfix scan was REALLY short ... not sure if it worked.

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-09 20:33:49
-----------------------------
20:33:49.156 OS Version: Windows 6.1.7601 Service Pack 1
20:33:49.156 Number of processors: 4 586 0x2505
20:33:49.156 ComputerName: HP7LAPTOP UserName:
20:33:50.856 Initialize success
20:34:43.617 AVAST engine defs: 12090901
20:34:58.936 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
20:34:58.936 Disk 0 Vendor: Hitachi_ PC2O Size: 238475MB BusType: 3
20:34:58.952 Disk 0 MBR read successfully
20:34:58.952 Disk 0 MBR scan
20:34:58.968 Disk 0 Windows 7 default MBR code
20:34:58.968 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 300 MB offset 2048
20:34:58.983 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 220766 MB offset 616448
20:34:59.014 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 15360 MB offset 452745216
20:34:59.030 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 2043 MB offset 484202496
20:34:59.046 Disk 0 scanning sectors +488386560
20:34:59.077 Disk 0 scanning C:\windows\system32\drivers
20:35:06.003 Service scanning
20:35:16.096 Service MpKsl910d71eb C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B57971A2-C164-4F2E-99A8-51767828CA77}\MpKsl910d71eb.sys **LOCKED** 32
20:35:23.007 Service SafeBoot C:\windows\System32\Drivers\SafeBoot.sys **LOCKED** 32
20:35:30.074 Modules scanning
20:35:35.409 Module: C:\windows\System32\iertutil.dll **SUSPICIOUS**
20:35:35.628 Module: C:\windows\System32\wininet.dll **SUSPICIOUS**
20:35:36.486 Module: C:\windows\System32\urlmon.dll **SUSPICIOUS**
20:35:37.313 Disk 0 trace - called modules:
20:35:37.328 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys halmacpi.dll ACPI.sys iaStor.sys
20:35:37.344 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87e3f678]
20:35:37.344 3 CLASSPNP.SYS[8b7d959e] -> nt!IofCallDriver -> [0x87e3fbd0]
20:35:37.359 5 hpdskflt.sys[8b9f2f92] -> nt!IofCallDriver -> [0x86276a78]
20:35:37.359 7 ACPI.sys[8b0303d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8629d028]
20:35:39.325 AVAST engine scan C:\windows
20:35:41.556 AVAST engine scan C:\windows\system32
20:37:43.392 AVAST engine scan C:\windows\system32\drivers
20:37:52.346 AVAST engine scan C:\Users\P Albert Comulada
20:39:31.984 Disk 0 MBR has been saved successfully to "C:\Users\P Albert Comulada\Desktop\MBR.dat"
20:39:31.999 The log file has been saved successfully to "C:\Users\P Albert Comulada\Desktop\aswMBR.txt"

GooredFix by jpshortstuff (03.07.10.1)
Log created at 20:40 on 09/09/2012 (P Albert Comulada)
Firefox version 15.0 (en-US)

========== GooredScan ==========

(none)

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [14:26 07/09/2012]

C:\Users\P Albert Comulada\Application Data\Mozilla\Firefox\Profiles\q1flcmy0.default\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"otis@digitalpersona.com"="C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\FirefoxExt\" [13:10 28/08/2012]

-=E.O.F=-



OTL logfile created on: 9/9/2012 8:43:49 PM - Run 2
OTL by OldTimer - Version 3.2.61.3 Folder = C:\Users\P Albert Comulada\Downloads
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.92 Gb Total Physical Memory | 1.53 Gb Available Physical Memory | 52.44% Memory free
5.84 Gb Paging File | 4.13 Gb Available in Paging File | 70.65% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 215.59 Gb Total Space | 119.16 Gb Free Space | 55.27% Space Free | Partition Type: NTFS
Drive F: | 1.99 Gb Total Space | 1.48 Gb Free Space | 74.56% Space Free | Partition Type: FAT32

Computer Name: HP7LAPTOP | User Name: P Albert Comulada | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\P Albert Comulada\Downloads\OTL(1).exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe (Retrospect, Inc)
PRC - C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.EXE (Microsoft Corporation.)
PRC - C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe (Hewlett-Packard Development Company L.P.)
PRC - C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
PRC - C:\Program Files\IDT\WDM\stacsv.exe (IDT, Inc.)
PRC - C:\Program Files\IDT\WDM\AEstSrv.exe (Andrea Electronics Corporation)
PRC - C:\Program Files\Hewlett-Packard\HP Support Framework\HPSA_Service.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Common Files\Portrait Displays\Drivers\SDKCOMServer.exe (Portrait Displays, Inc)
PRC - C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe (Portrait Displays, Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe (Hewlett-Packard Development Company, L.P)
PRC - C:\Windows\System32\atieclxx.exe (AMD)
PRC - C:\Windows\System32\atiesrxx.exe (AMD)
PRC - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe (DigitalPersona, Inc.)
PRC - c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe (Hewlett-Packard Company)
PRC - C:\Program Files\DOS2USB\elsvc.exe ()
PRC - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe (McAfee, Inc.)
PRC - C:\Program Files\Hewlett-Packard\File Sanitizer\coreshredder.exe (Hewlett-Packard)
PRC - C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe (Hewlett-Packard)
PRC - C:\Windows\System32\uArcCapture.exe (ArcSoft, Inc.)
PRC - C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files\PDF Complete\pdfsvc.exe (PDF Complete Inc)
PRC - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Modules (No Company Name) ==========

MOD - C:\windows\assembly\GAC_MSIL\CaslShared\3.5.1.1__9c6f83d5b7f3d097\CaslShared.dll ()
MOD - C:\windows\assembly\GAC_MSIL\hpcasl\3.5.1.1__9c6f83d5b7f3d097\hpcasl.dll ()
MOD - C:\windows\assembly\GAC_MSIL\HPCommon\2.0.6.0__89762bc6acc102f8\HPCommon.dll ()
MOD - C:\windows\assembly\GAC_MSIL\HardwareAccess\2.0.6.0__89762bc6acc102f8\HardwareAccess.dll ()
MOD - C:\windows\assembly\GAC_MSIL\Graphs\2.0.6.0__89762bc6acc102f8\Graphs.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\69ca4a43ba14b66689715ad62aed70e6\System.ServiceProcess.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\a501b7960f6c6e2e39162b83f3303aaa\System.Web.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\9b2f17fb61b7197f2a04108f5d1a1cc6\System.Management.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\635b3aec298ad5e8c903b2323d79cc5a\IAStorUtil.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\dfd33f59a5803a3c73cf408362e6e0b7\System.Core.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8e56489276063ededde74e597a121df3\PresentationFramework.Aero.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\168755d010e5a96ac940b0ddd27616a4\System.EnterpriseServices.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\80fae9f16f80075535e72458ef293f7a\System.Transactions.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\f3814b488d9e083cbbc623e01b389f09\System.Data.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll ()
MOD - C:\windows\assembly\GAC_MSIL\HP.SupportFramework\1.0.0.0__2a4860322af7ba08\HP.SupportFramework.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Power Assistant\System.Data.SQLite.DLL ()
MOD - C:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll ()
MOD - C:\windows\assembly\GAC_MSIL\hpCASLLibrary\3.0.1.1__67b8d1b5179ba5f8\hpCASLLibrary.dll ()
MOD - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HardwareAccess.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPCommon.XmlSerializers.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_LogicLayer.dll ()
MOD - C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll ()
MOD - C:\Program Files\Common Files\LightScribe\QtGui4.dll ()
MOD - C:\Program Files\Common Files\LightScribe\QtCore4.dll ()
MOD - C:\Program Files\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll ()
MOD - C:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll ()
MOD - C:\Adobe\Photoshop\psicon.dll ()


========== Services (SafeList) ==========

SRV - (nosGetPlusHelper) -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll File not found
SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (NisSrv) -- C:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (Retrospect Helper) -- C:\Program Files\Retrospect\Retrospect 7.7\rthlpsvc.exe (Retrospect, Inc)
SRV - (RetroLauncher) -- C:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe (Retrospect, Inc)
SRV - (BBUpdate) -- C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.EXE (Microsoft Corporation.)
SRV - (BBSvc) -- C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.EXE (Microsoft Corporation.)
SRV - (HP Power Assistant Service) -- C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe (Hewlett-Packard Company)
SRV - (HPDrvMntSvc.exe) -- C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe (Hewlett-Packard Company)
SRV - (STacSV) -- C:\Program Files\IDT\WDM\stacsv.exe (IDT, Inc.)
SRV - (AESTFilters) -- C:\Program Files\IDT\WDM\AEstSrv.exe (Andrea Electronics Corporation)
SRV - (HP Support Assistant Service) -- C:\Program Files\Hewlett-Packard\HP Support Framework\HPSA_Service.exe (Hewlett-Packard Company)
SRV - (B-Service) -- C:\Users\P Albert Comulada\Downloads\B-Service.exe ()
SRV - (PdiService) -- C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe (Portrait Displays, Inc.)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (HP ProtectTools Service) -- C:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe (Hewlett-Packard Development Company, L.P)
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (HP Wireless Assistant Service) -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe (Hewlett-Packard Company)
SRV - (DpHost) -- C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe (DigitalPersona, Inc.)
SRV - (HPDayStarterService) -- c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe (Hewlett-Packard Company)
SRV - (elAPIsvc) -- C:\Program Files\DOS2USB\elsvc.exe ()
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (IAStorDataMgrSvc) -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (hpHotkeyMonitor) -- C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe (Hewlett-Packard Company)
SRV - (HpFkCryptService) -- C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe (McAfee, Inc.)
SRV - (vcsFPService) -- C:\Windows\System32\vcsFPService.exe (Validity Sensors, Inc.)
SRV - (HPFSService) -- C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe (Hewlett-Packard)
SRV - (uArcCapture) -- C:\Windows\System32\uArcCapture.exe (ArcSoft, Inc.)
SRV - (FLCDLOCK) -- C:\Windows\System32\flcdlock.exe (Hewlett-Packard Ltd)
SRV - (UNS) -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (pdfcDispatcher) -- C:\Program Files\PDF Complete\pdfsvc.exe (PDF Complete Inc)
SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (PSI_SVC_2) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\Users\PALBER~1\AppData\Local\Temp\catchme.sys File not found
DRV - (aswMBR) -- C:\Users\PALBER~1\AppData\Local\Temp\aswMBR.sys File not found
DRV - (MpKsl910d71eb) -- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B57971A2-C164-4F2E-99A8-51767828CA77}\MpKsl910d71eb.sys (Microsoft Corporation)
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Qualcomm Atheros Communications, Inc.)
DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (hpdskflt) -- C:\Windows\System32\drivers\hpdskflt.sys (Hewlett-Packard Company)
DRV - (Accelerometer) -- C:\Windows\System32\drivers\Accelerometer.sys (Hewlett-Packard Company)
DRV - (vpcvmm) -- C:\Windows\System32\drivers\vpcvmm.sys (Microsoft Corporation)
DRV - (vpcbus) -- C:\Windows\System32\drivers\vpchbus.sys (Microsoft Corporation)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (vpcusb) -- C:\Windows\System32\drivers\vpcusb.sys (Microsoft Corporation)
DRV - (vpcnfltr) -- C:\Windows\System32\drivers\vpcnfltr.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (amdkmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (amdkmdap) -- C:\Windows\System32\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV - (AtiHdmiService) -- C:\Windows\System32\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Company)
DRV - (SbAlg) -- C:\windows\System32\drivers\SbAlg.sys (McAfee, Inc.)
DRV - (SbFsLock) -- C:\windows\System32\drivers\SbFsLock.sys (McAfee, Inc.)
DRV - (RsvLock) -- C:\windows\System32\drivers\rsvlock.sys (McAfee, Inc.)
DRV - (SafeBoot) -- C:\windows\System32\drivers\SafeBoot.sys ()
DRV - (rtsuvc) -- C:\Windows\System32\drivers\rtsuvc.sys (Realtek Semiconductor Corp.)
DRV - (ARCVCAM) -- C:\Windows\System32\drivers\ArcSoftVCapture.sys (ArcSoft, Inc.)
DRV - (RSUSBSTOR) -- C:\Windows\System32\drivers\RtsUStor.sys (Realtek Semiconductor Corp.)
DRV - (DAMDrv) -- C:\Windows\System32\drivers\DAMDrv.sys (Hewlett-Packard Development Company L.P.)
DRV - (HECI) -- C:\Windows\System32\drivers\HECI.sys (Intel Corporation)
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (LSI Corp)
DRV - (Afc) -- C:\Windows\System32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (APL531) -- C:\Windows\System32\drivers\ov550i.sys (Omnivision Technologies, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPCOM/1
IE - HKLM\..\SearchScopes,DefaultScope = {8F0EBFE6-B9FA-4DF2-8388-072EFAA0DD50}
IE - HKLM\..\SearchScopes\{8F0EBFE6-B9FA-4DF2-8388-072EFAA0DD50}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CMNTDF&pc=CMNTDF&src=IE-SearchBox


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-615262878-4179979-3482458484-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-615262878-4179979-3482458484-1002\..\SearchScopes,DefaultScope = {8F0EBFE6-B9FA-4DF2-8388-072EFAA0DD50}
IE - HKU\S-1-5-21-615262878-4179979-3482458484-1002\..\SearchScopes\{8F0EBFE6-B9FA-4DF2-8388-072EFAA0DD50}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CMNTDF&pc=CMNTDF&src=IE-SearchBox
IE - HKU\S-1-5-21-615262878-4179979-3482458484-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: emdtjnkrru@emdtjnkrru.org:2.5
FF - prefs.js..extensions.enabledAddons: socialfixer@mattkruse.com:6.502
FF - prefs.js..extensions.enabledAddons: {5546F97E-11A5-46b0-9082-32AD74AAA920}:0.6.3
FF - prefs.js..extensions.enabledAddons: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:2.0.7
FF - prefs.js..extensions.enabledItems: {5546F97E-11A5-46b0-9082-32AD74AAA920}:0.5.5.9
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.0: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\P Albert Comulada\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\P Albert Comulada\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\otis@digitalpersona.com: C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\FirefoxExt\ [2012/08/28 09:10:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/07 10:27:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/09/07 10:26:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape 7.2\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2011/09/05 13:02:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape 7.2\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2012/09/09 12:38:11 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/07 10:27:13 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/09/07 10:26:42 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 7.2\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2011/09/05 13:02:36 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 7.2\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2012/09/09 12:38:11 | 000,000,000 | ---D | M]

[2010/12/09 18:50:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Extensions
[2012/08/27 16:53:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Firefox\Profiles\q1flcmy0.default\extensions
[2009/07/13 19:11:12 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Firefox\Profiles\q1flcmy0.default\extensions\emdtjnkrru@emdtjnkrru.org.xpi
[2012/04/23 10:50:07 | 000,141,229 | ---- | M] () (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Firefox\Profiles\q1flcmy0.default\extensions\socialfixer@mattkruse.com.xpi
[2011/09/23 13:29:02 | 000,046,721 | ---- | M] () (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Firefox\Profiles\q1flcmy0.default\extensions\{5546F97E-11A5-46b0-9082-32AD74AAA920}.xpi
[2012/08/27 16:53:16 | 000,341,143 | ---- | M] () (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Firefox\Profiles\q1flcmy0.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}.xpi
[2012/09/09 12:38:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/09/07 10:27:13 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/08/30 11:22:31 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/08/30 11:22:31 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\P Albert Comulada\AppData\Local\Google\Chrome\Application\21.0.1180.83\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\P Albert Comulada\AppData\Local\Google\Chrome\Application\21.0.1180.89\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\P Albert Comulada\AppData\Local\Google\Chrome\Application\21.0.1180.89\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\P Albert Comulada\AppData\Local\Google\Chrome\Application\21.0.1180.89\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.310.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: McAfee Clinic (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPMGWRAP.DLL
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL
CHR - plugin: RIM Handheld Application Loader (Enabled) = C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Google Update (Enabled) = C:\Users\P Albert Comulada\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll

O1 HOSTS File: ([2012/09/03 16:59:14 | 000,000,098 | ---- | M]) - C:\Windows\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (File Sanitizer for HP ProtectTools) - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll (Hewlett-Packard)
O2 - BHO: (HP ProtectTools Security Manager Extension) - {395610AE-C624-4f58-B89E-23733EA00F9A} - C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpOtsPluginIe8.dll (DigitalPersona, Inc.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (CutePDF Form Filler Helper) - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files\Acro Software\CutePDF Pro\CPFillerCo.dll (Acro Software Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O4 - HKLM..\Run: [DTRun] c:\Program Files\Arcsoft\TotalMedia Suite\TotalMedia Theatre 3\uDTRun.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [File Sanitizer] C:\Program Files\Hewlett-Packard\File Sanitizer\coreshredder.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPPowerAssistant] C:\Program Files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe (Hewlett-Packard Company, L.P.)
O4 - HKLM..\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe ()
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [QLBController] C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKU\S-1-5-21-615262878-4179979-3482458484-1002..\Run: [DOS2USB] C:\Program Files\DOS2USB\DOS2USB.exe (Bhaktee Software)
O4 - HKU\S-1-5-21-615262878-4179979-3482458484-1002..\Run: [NIM] C:\Users\P Albert Comulada\Downloads\AIM\aim.exe -cnetwait.odl File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-615262878-4179979-3482458484-1002\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-615262878-4179979-3482458484-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //FWEvent.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ( http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ( https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] https in Trusted sites)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} Reg Error: Key error. (Java Plug-in 1.4.1_02)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2BE13B34-942A-4DC0-93A6-709553F4C724}: DhcpNameServer = 205.152.144.23 205.152.132.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DC8094BB-F778-40E9-8105-1B92E4B401BB}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - Winlogon\Notify\DeviceNP: DllName - (DeviceNP.dll) - C:\windows\System32\DeviceNP.dll (Hewlett-Packard Limited)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/09 20:40:08 | 000,000,000 | ---D | C] -- C:\Users\P Albert Comulada\Desktop\GooredFix Backups
[2012/09/09 12:39:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/09/09 12:39:08 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\windows\System32\javaws.exe
[2012/09/09 12:39:03 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\windows\System32\javaw.exe
[2012/09/09 12:39:03 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\windows\System32\java.exe
[2012/09/09 12:39:03 | 000,093,672 | ---- | C] (Oracle Corporation) -- C:\windows\System32\WindowsAccessBridge.dll
[2012/09/08 10:55:48 | 000,000,000 | ---D | C] -- C:\HP_RECOVERY_mountHPSF
[2012/09/07 10:26:40 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/09/05 10:13:19 | 000,000,000 | ---D | C] -- C:\windows\pss
[2012/09/05 10:05:33 | 000,821,736 | ---- | C] (Oracle Corporation) -- C:\windows\System32\npdeployJava1.dll
[2012/09/04 10:29:38 | 000,000,000 | ---D | C] -- C:\Virus removal & logs
[2012/09/03 16:59:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/09/03 13:42:40 | 000,000,000 | ---D | C] -- C:\windows\temp
[2012/09/03 13:42:40 | 000,000,000 | ---D | C] -- C:\Users\P Albert Comulada\AppData\Local\temp
[2012/08/30 11:39:24 | 000,000,000 | ---D | C] -- C:\Users\P Albert Comulada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012/08/28 09:17:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Portrait Displays
[2012/08/28 09:15:51 | 000,000,000 | ---D | C] -- C:\Users\P Albert Comulada\AppData\Roaming\Hewlett-Packard Company
[2012/08/28 09:10:43 | 000,000,000 | ---D | C] -- C:\windows\DPDrv
[2012/08/28 08:59:08 | 000,000,000 | ---D | C] -- C:\ProgramData\HP
[2012/08/27 20:51:06 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/08/27 18:04:32 | 000,000,000 | ---D | C] -- C:\windows\CheckSur
[2012/08/27 17:33:17 | 000,000,000 | ---D | C] -- C:\Users\P Albert Comulada\AppData\Local\LogMeIn Rescue Applet
[2012/08/27 16:17:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2012/08/27 16:17:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2012/08/27 16:17:34 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2012/08/27 16:15:08 | 000,400,896 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\srcore.dll
[2012/08/27 16:15:06 | 000,041,984 | ---- | C] (Microsoft Corporation) -- C:\windows\System32\browcli.dll
[2 C:\Users\P Albert Comulada\AppData\Local\*.tmp files -> C:\Users\P Albert Comulada\AppData\Local\*.tmp -> ]
[1 C:\Users\P Albert Comulada\*.tmp files -> C:\Users\P Albert Comulada\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/09 20:43:01 | 000,000,956 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-615262878-4179979-3482458484-1002UA.job
[2012/09/09 20:39:31 | 000,000,512 | ---- | M] () -- C:\Users\P Albert Comulada\Desktop\MBR.dat
[2012/09/09 20:04:00 | 000,000,830 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job
[2012/09/09 12:38:58 | 000,093,672 | ---- | M] (Oracle Corporation) -- C:\windows\System32\WindowsAccessBridge.dll
[2012/09/09 12:38:55 | 000,246,760 | ---- | M] (Oracle Corporation) -- C:\windows\System32\javaws.exe
[2012/09/09 12:38:55 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\windows\System32\javaw.exe
[2012/09/09 12:38:55 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\windows\System32\java.exe
[2012/09/09 12:38:54 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\windows\System32\npdeployJava1.dll
[2012/09/09 12:38:54 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\windows\System32\deployJava1.dll
[2012/09/09 11:43:00 | 000,000,904 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-615262878-4179979-3482458484-1002Core.job
[2012/09/09 10:04:52 | 000,020,944 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/09/09 10:04:52 | 000,020,944 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/09/09 09:57:45 | 000,065,536 | ---- | M] () -- C:\windows\System32\Ikeext.etl
[2012/09/09 09:57:30 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/09/09 09:57:26 | 3136,741,376 | -HS- | M] () -- C:\hiberfil.sys
[2012/09/08 11:05:17 | 000,674,860 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2012/09/08 11:05:17 | 000,125,668 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2012/09/08 10:49:40 | 000,000,368 | ---- | M] () -- C:\windows\tasks\HPCeeScheduleForP Albert Comulada.job
[2012/09/08 09:35:57 | 000,001,986 | ---- | M] () -- C:\Users\P Albert Comulada\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/09/07 19:27:26 | 1150,510,346 | ---- | M] () -- C:\Users\P Albert Comulada\Desktop\REA9 Backup 2012-09-07 1917.zip
[2012/09/07 16:25:34 | 000,002,068 | -H-- | M] () -- C:\Users\P Albert Comulada\Documents\Default.rdp
[2012/09/04 15:49:31 | 000,000,000 | ---- | M] () -- C:\Users\P Albert Comulada\dos2usb.spl
[2012/09/03 16:59:14 | 000,000,098 | ---- | M] () -- C:\windows\System32\drivers\etc\Hosts
[2012/08/28 09:16:30 | 000,000,178 | ---- | M] () -- C:\windows\System32\HPPA.ini
[2012/08/27 23:20:28 | 1131,956,838 | ---- | M] () -- C:\Users\P Albert Comulada\Desktop\REA9 Backup 2012-08-27 2310.zip
[2012/08/27 18:39:27 | 000,001,070 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/08/27 18:04:19 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\System32\FlashPlayerApp.exe
[2012/08/27 18:04:19 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\windows\System32\FlashPlayerCPLApp.cpl
[2012/08/27 16:23:44 | 000,688,088 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2 C:\Users\P Albert Comulada\AppData\Local\*.tmp files -> C:\Users\P Albert Comulada\AppData\Local\*.tmp -> ]
[1 C:\Users\P Albert Comulada\*.tmp files -> C:\Users\P Albert Comulada\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/09 20:39:31 | 000,000,512 | ---- | C] () -- C:\Users\P Albert Comulada\Desktop\MBR.dat
[2012/09/08 11:01:28 | 1150,510,346 | ---- | C] () -- C:\Users\P Albert Comulada\Desktop\REA9 Backup 2012-09-07 1917.zip
[2012/08/31 19:23:44 | 000,000,368 | ---- | C] () -- C:\windows\tasks\HPCeeScheduleForP Albert Comulada.job
[2012/08/30 11:38:47 | 000,000,956 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-615262878-4179979-3482458484-1002UA.job
[2012/08/30 11:38:47 | 000,000,904 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-615262878-4179979-3482458484-1002Core.job
[2012/08/28 08:07:01 | 1131,956,838 | ---- | C] () -- C:\Users\P Albert Comulada\Desktop\REA9 Backup 2012-08-27 2310.zip
[2012/08/27 19:38:44 | 000,674,860 | ---- | C] () -- C:\windows\System32\perfh009.dat
[2012/08/27 19:38:44 | 000,291,294 | ---- | C] () -- C:\windows\System32\perfi009.dat
[2012/08/27 19:38:44 | 000,125,668 | ---- | C] () -- C:\windows\System32\perfc009.dat
[2012/08/27 19:38:44 | 000,031,548 | ---- | C] () -- C:\windows\System32\perfd009.dat
[2012/08/27 19:38:44 | 000,000,908 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/08/27 19:38:44 | 000,000,904 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/08/27 19:38:44 | 000,000,830 | ---- | C] () -- C:\windows\tasks\Adobe Flash Player Updater.job
[2012/08/27 18:39:27 | 000,001,070 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/08/27 15:53:05 | 3136,741,376 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/11 11:51:17 | 000,015,872 | ---- | C] () -- C:\Users\P Albert Comulada\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/10 06:34:52 | 000,080,416 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
[2011/05/19 08:50:58 | 000,000,256 | ---- | C] () -- C:\windows\System32\DPPassFilter.dll.hpsign
[2011/05/19 08:50:58 | 000,000,256 | ---- | C] () -- C:\windows\System32\DPCrProv.dll.hpsign
[2011/04/08 16:44:49 | 000,001,849 | ---- | C] () -- C:\Users\P Albert Comulada\AppData\Roaming\GhostObjGAFix.xml
[2011/03/23 10:39:27 | 000,000,036 | ---- | C] () -- C:\Users\P Albert Comulada\AppData\Local\housecall.guid.cache
[2011/02/27 10:30:38 | 000,066,048 | ---- | C] () -- C:\windows\System32\PrintBrmUi.exe
[2011/01/20 12:52:30 | 000,010,534 | ---- | C] () -- C:\ProgramData\snddrv.sys
[2011/01/20 12:52:30 | 000,000,000 | ---- | C] () -- C:\Users\P Albert Comulada\dos2usb.spl
[2011/01/20 12:51:52 | 000,001,851 | ---- | C] () -- C:\windows\System32\xpdrvr.exe
[2011/01/20 11:33:48 | 000,000,877 | ---- | C] () -- C:\windows\Printfil.ini
[2011/01/13 15:58:01 | 000,000,335 | ---- | C] () -- C:\windows\nsreg.dat
[2011/01/13 15:57:17 | 000,105,168 | ---- | C] () -- C:\windows\NSUninst.exe
[2011/01/13 15:57:10 | 000,105,168 | ---- | C] () -- C:\windows\GREUninstall.exe
[2011/01/13 15:57:08 | 000,009,584 | ---- | C] () -- C:\windows\mozver.dat
[2011/01/12 21:31:17 | 000,087,544 | ---- | C] () -- C:\windows\System32\cpwmon2k.dll
[2011/01/12 19:24:00 | 000,263,856 | ---- | C] () -- C:\windows\ATMCNTRL.EXE
[2011/01/12 19:23:59 | 000,003,449 | ---- | C] () -- C:\windows\ATM.INI
[2011/01/12 19:21:12 | 000,030,464 | ---- | C] () -- C:\windows\macromix.dll
[2011/01/12 19:18:34 | 000,001,635 | ---- | C] () -- C:\windows\CORELCHT.INI
[2011/01/06 22:52:42 | 000,000,118 | ---- | C] () -- C:\windows\viewer.ini
[2011/01/06 22:52:42 | 000,000,083 | ---- | C] () -- C:\windows\artgalry.ini
[2011/01/06 22:52:04 | 000,003,937 | ---- | C] () -- C:\windows\MSWORKS3.INI
[2011/01/05 18:39:51 | 000,000,503 | ---- | C] () -- C:\windows\htmlasst.ini
[2010/12/19 17:59:00 | 000,003,350 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/12/15 18:06:50 | 000,000,000 | ---- | C] () -- C:\windows\DvyP413.dll
[2010/12/15 18:06:50 | 000,000,000 | ---- | C] () -- C:\windows\161exp2.dll
[2010/12/15 18:06:50 | 000,000,000 | ---- | C] () -- C:\windows\161exp1.dll
[2010/12/15 14:02:56 | 000,000,367 | ---- | C] () -- C:\windows\System32\CNCMFP12.INI
[2010/12/11 20:24:46 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/10/13 01:36:05 | 000,000,000 | ---- | C] () -- C:\windows\ativpsrm.bin

========== LOP Check ==========

[2011/04/13 14:20:34 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\089C8716-52DB-4845-A916-F1F9CFCDFB60
[2011/04/13 14:20:34 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\23653305-B8CB-49D1-9371-F9F598E176E4
[2012/05/04 12:59:18 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\4451474C-BA37-4EF7-9C18-5E7456C43F01
[2011/01/24 14:28:24 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\Acronis
[2011/06/18 09:59:24 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\Blackberry Desktop
[2012/09/09 13:06:10 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\Canon
[2010/12/09 16:38:22 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\DigitalPersona
[2010/12/16 11:18:49 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\OpenOffice.org
[2011/03/14 10:12:49 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\Research In Motion
[2011/03/23 12:51:45 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\TrojanHunter
[2012/08/13 07:44:22 | 000,032,584 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

ken545
2012-09-10, 11:16
Good Morning,

You will only get the extras log from OTL on the first run so not to worry.

You never followed through at WTT, just follow the instructions from Struker, not sure who the other character is, I believe he should not be posting, post back there and let them know its still not working

This is another good site you may want to try
http://www.pcpitstop.com/

Look at your OTL log under Firefox, do you know about both those entries , SocialFixer and EMDTJnkrru ?

Also look under Trusted Sites, do you want to remove those ?


Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)






Now drag your copy of Combofix to the trash and lets get a new updated copy.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

AlbertFlorida
2012-09-10, 20:13
Hi -
A few things ... I did respond to Ztruker on WTT. Then that other guy remarked and said to delete IE8 - but Ztrucker said not to so I didn't but I also replied. But I think it's best to finish up w/you 1st before I go back and try to get him to respnd again ..

Also SocialFixer is a little app for facebook so you can see who unfriends you or goes in active. It was recommended to me by another friend and seems to work well .. doubt it is bad. The other EMDTJnkrru - I have no clue. In fact I opened an old version of netscape I keep w/java and flash disabled, and tried to go to the page ... dead link. Might be from a company that I used an ap with that is no longer in business ... no clue though.

Logs below (or attached), and BTW - redirect is still active.


ComboFix 12-09-10.03 - P Albert Comulada 09/10/2012 12:48:52.3.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2991.1948 [GMT -4:00]
Running from: c:\users\P Albert Comulada\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\P Albert Comulada\dos2usb.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-08-10 to 2012-09-10 )))))))))))))))))))))))))))))))
.
.
2012-09-10 16:54 . 2012-09-10 16:54 -------- d-----w- c:\users\P Albert Comulada\AppData\Local\temp
2012-09-10 16:54 . 2012-09-10 16:54 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-09-10 16:54 . 2012-09-10 16:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-09-10 00:48 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FE9AC4F3-3BCC-4D07-BE05-31DED177E73C}\mpengine.dll
2012-09-09 16:39 . 2012-09-09 16:39 -------- d-----w- c:\program files\Common Files\Java
2012-09-09 16:39 . 2012-09-09 16:38 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-08 14:55 . 2012-09-08 14:55 -------- d-----w- C:\HP_RECOVERY_mountHPSF
2012-09-08 14:19 . 2012-08-23 07:15 7022536 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-09-05 14:05 . 2012-09-09 16:38 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-04 14:29 . 2012-09-04 14:31 -------- d-----w- C:\Virus removal & logs
2012-09-03 20:59 . 2012-09-03 20:59 -------- d-----w- C:\_OTL
2012-08-28 13:17 . 2012-08-28 13:17 -------- d-----w- c:\program files\Common Files\Portrait Displays
2012-08-28 13:15 . 2012-08-28 13:15 -------- d-----w- c:\users\P Albert Comulada\AppData\Roaming\Hewlett-Packard Company
2012-08-28 13:10 . 2012-08-28 13:10 -------- d-----w- c:\windows\DPDrv
2012-08-28 12:59 . 2012-08-28 12:59 -------- d-----w- c:\programdata\HP
2012-08-28 00:51 . 2012-08-28 00:51 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-27 22:04 . 2012-08-27 22:04 -------- d-----w- c:\windows\CheckSur
2012-08-27 21:33 . 2012-08-28 12:04 -------- d-----w- c:\users\P Albert Comulada\AppData\Local\LogMeIn Rescue Applet
2012-08-27 20:18 . 2012-07-06 19:23 393728 ----a-w- c:\windows\system32\drivers\bthport.sys
2012-08-27 20:17 . 2012-08-27 20:17 -------- d-----w- c:\program files\Common Files\Skype
2012-08-27 20:17 . 2012-08-27 20:17 -------- d-----r- c:\program files\Skype
2012-08-27 20:15 . 2012-05-05 07:46 400896 ----a-w- c:\windows\system32\srcore.dll
2012-08-27 20:15 . 2012-07-04 21:14 102912 ----a-w- c:\windows\system32\browser.dll
2012-08-27 20:15 . 2012-07-04 21:14 41984 ----a-w- c:\windows\system32\browcli.dll
2012-08-27 20:15 . 2012-05-14 04:33 769024 ----a-w- c:\windows\system32\localspl.dll
2012-08-27 20:15 . 2012-02-11 05:43 492032 ----a-w- c:\windows\system32\win32spl.dll
2012-08-27 20:15 . 2012-02-11 05:37 317440 ----a-w- c:\windows\system32\spoolsv.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-09 16:38 . 2011-01-02 18:27 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-27 22:04 . 2012-03-30 10:58 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-27 22:04 . 2011-05-17 13:04 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 17:46 . 2011-09-15 12:14 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-20 13:43 . 2012-06-20 13:43 2957312 ----a-w- c:\windows\system32\drivers\athr.sys
2012-09-07 14:27 . 2012-09-07 14:26 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-09-29 1685048]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]
"NIM"="c:\users\P Albert Comulada\Downloads\AIM\aim.exe" [2001-03-15 24576]
"DOS2USB"="c:\program files\DOS2USB\DOS2USB.exe" [2010-05-14 228584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QLBController"="c:\program files\Hewlett-Packard\HP HotKey Support\QLBController.exe" [2010-03-01 256056]
"IAStorIcon"="c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-04 1791272]
"File Sanitizer"="c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2009-12-12 11265536]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-05 98304]
"DTRun"="c:\program files\ArcSoft\TotalMedia Suite\TotalMedia Theatre 3\uDTRun.exe" [2009-11-19 518656]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-07-21 8192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"RIMBBLaunchAgent.exe"="c:\program files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-08-21 495708]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-07-05 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"HPPowerAssistant"="c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe" [2011-09-12 14904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2009-11-17 21:39 75320 ----a-w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDF Complete]
2009-10-23 18:52 563736 ----a-w- c:\program files\PDF Complete\pdfsty.exe
.
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.361.0\BBSvc.exe [x]
R2 elAPIsvc;elAPI - Service Server;c:\program files\DOS2USB\elSVC.exe [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 APL531;OVT Scanner;c:\windows\system32\Drivers\ov550i.sys [x]
R3 B-Service;B-Service;c:\users\P Albert Comulada\Downloads\B-Service.exe [x]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv.sys [x]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 netr28;Ralink 802.11n Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr28.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 SafeBoot;SafeBoot; [x]
S0 SbAlg;SbAlg; [x]
S0 SbFsLock;SbFsLock; [x]
S1 RsvLock;RsvLock; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [x]
S2 HP ProtectTools Service;HP ProtectTools Service;c:\program files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [x]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [x]
S2 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 MSSQL$REA9;SQL Server (REA9);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [x]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [x]
S2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [x]
S2 uArcCapture;ArcCapture;c:\windows\system32\uArcCapture.exe [x]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 ARCVCAM;ARCVCAM, ArcSoft Webcam Sharing Manager Driver;c:\windows\system32\DRIVERS\ArcSoftVCapture.sys [x]
S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.361.0\SeaPort.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
S3 rtsuvc;HP Webcam [2 MP Fixed];c:\windows\system32\DRIVERS\rtsuvc.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 61949813
*Deregistered* - 61949813
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 22:04]
.
2012-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-27 00:03]
.
2012-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-27 00:03]
.
2012-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-615262878-4179979-3482458484-1002Core.job
- c:\users\P Albert Comulada\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-30 15:38]
.
2012-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-615262878-4179979-3482458484-1002UA.job
- c:\users\P Albert Comulada\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-30 15:38]
.
2012-09-08 c:\windows\Tasks\HPCeeScheduleForP Albert Comulada.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\P Albert Comulada\AppData\Roaming\Mozilla\Firefox\Profiles\q1flcmy0.default\
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_11_3_300_271_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\system32\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\Flash32_11_3_300_271.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\system32\\Macromed\\Flash\\Flash32_11_3_300_271.ocx, 1"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\softwareRetroHlpSvc\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(596)
c:\windows\system32\DPFPApi.DLL
.
Completion time: 2012-09-10 12:57:08
ComboFix-quarantined-files.txt 2012-09-10 16:57
.
Pre-Run: 128,013,459,456 bytes free
Post-Run: 127,727,853,568 bytes free
.
- - End Of File - - AB8EC40D8FA43B0BAC64877807EBC7E6

ken545
2012-09-10, 23:43
Hello Albert,

Where are you being redirected to, dont paste the link , just tell me


You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis, just use the BROWSE feature and then Send File , if it says this file has been checked before, have them recheck it. When the scan is done just copy and paste the link back to this forum for me to see.

C:\windows\system32\drivers\SafeBoot.sys
c:\program files\DOS2USB\DOS2USB.exe
c:\program files\DOS2USB\elSVC.exe


If the site is busy you can try this one
http://virusscan.jotti.org/en






Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click GMER.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.

AlbertFlorida
2012-09-11, 07:53
Hi -
The redirect sends me all over ... it just sent me to 'kidgroup.com'. But it's weird, it only does it the FIRST time I click on a link in the search results. If I just close the window then I can click on the links normally. It's like ... it doesn't want to piss you off that badly.

Also doubt DOS2USB is bad, it's a little program I bought that allows me to print from a dos program to a USB printer, been using it for over a year. Also SAFEBOOT would not let me scan it (said a process was using it), but I remembered I made a backup yesterday so I just recovered a copy and scanned it. The links for all 3 are below, but they didn't find anything. GMER log is below.

https://www.virustotal.com/file/347174dbf234c03b664c572f75be8f6024e2b71f4d0502e146b0df753f55edd1/analysis/

https://www.virustotal.com/file/7cfc747d4ef3371a97f13e7e2de8fab967aebaf1adf0301a2b60936ee3e75005/analysis/

https://www.virustotal.com/file/b014aed260e5e38d57ad32890ef229e39a5548b06dc6f7bf0908a53c745097c3/analysis/

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-11 00:12:53
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PC2O
Running: gmer.exe; Driver: C:\Users\PALBER~1\AppData\Local\Temp\uwddipod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82E7A3C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EB3D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\windows\System32\Drivers\SafeBoot.sys The process cannot access the file because it is being used by another process.
.text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9182E000, 0x2FBFFA, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000055 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395745d82
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395745d82 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

AlbertFlorida
2012-09-11, 08:03
Just wanted to add that this is the DOS2USB link http://www.dos2usb.com/

I paid 19.99 for the program in feb 2010.

ken545
2012-09-11, 11:09
Hi,

I was looking at some other threads in relation to safeboot and it looks like if it was infected that Combofix would have tried to fix it, when you run CF it will also detect a rootkit and give a warning and your log does not show that, GMER looks fine also.

Run these through VirusTotal

C:\windows\System32\iertutil.dll
C:\windows\System32\wininet.dll
C:\windows\System32\urlmon.dll

Please download SuperAntiSpyware Free (http://www.superantispyware.com/superantispyware.html)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your next reply



Then reboot and run a new scan with OTL and post that log please

AlbertFlorida
2012-09-11, 20:58
Hi -

OK scaned the files, links below. Had SASW installed already but updated and ran the deep scan (took over an hour). It found 3 old Trojans in an old directory I saved for Instant Messenger. But I doubt that was the problem. Ran OTL again scan logs attached. Rebooted etc..

Redirect is still active.

I am able to copy one of the complete redirects it gives me though, thought it might be helpful. I got this after typing in "test" on google ...

http://66.246.72.42/c.php?p=l0xq4m9RR-v8b5xN5lR1x-p1gqdPhaEpQyMfcz-GRrCHQu0TCeUPLpYz5EHLdH6q49I5MzvoVWPHCD6ARX9eoO0OVGU-wdaNSJo5nHe60h124sbNKOeM1pLABj44X6m6D0G2xT13Yy16p44Q1X2Q7yCfi3BeSlMPhg9gSZGf3DL4y7-41OyXI2T7o-GG6TwiimF-uHvEBXqklsle58ipskO24Zlwi3obcjKzCt7AOhDNYD0fqYNHZOhNL0RkObk1KiHRB9lpSaIk1yYYrGfsoVUMR7ONoxgDyDqwRuITltwSwmBvPC_JiXMwVgHzZC0iWCry4jktfo_jFRBc68_41gLIIwSf7BPN2xtKtCXURqTGmRQH_pyqKBb2unps6JEwlshDFfnNM7k-4SqY_CbVhsNHCjS2mI1hNR6-7sYaNQQnTPukTqekJlxirtDUVdMDvCxc1dm6Og3QhwMGv07i5CkFjzWvUNu7iu_Vw-ooSL_-0wsZrHvTrz_jJBNEIHx0USn-tp17e88yWVsYNMmL1eUNcYr7c4w_xg1ukfN5gE0xn6DKeobIpdqGGsMvzR79JQ2GXaI12RtANmjkNbjjjEbs0WtZ6uRNYI-l_N8JUAo9CRzH4vkNOqKqcpxMJm_gTidEaK_cnXdxD9SuDc3Y7BMo_48EpTEFWFjozqcHlyZY76VZCHEToLujsvnS8BUIfa9V3dM4xrG9nAEORghYWKk4tLDfYMNGemjAKJr27V0&o=http%3A%2F%2Fsearchsteps.com%2Fsearch%3Fq%3Dtest

I am amazed at how well these jerks write these things. They get so entrenched (HAS to be a rootkit) that even guys that know what they're doing can't get rid of them!

Albert


https://www.virustotal.com/file/e2aca3fa0f4352ae90c25541577ff8dab826754f5024b9f25eb5419ebea58f14/analysis/
https://www.virustotal.com/file/9018f87b323fd25d7e366f4f0f5c9796bfe54663367ce878f62b0973afc9c3c8/analysis/
https://www.virustotal.com/file/7431a104af720aa2e731a80ecaac1e0048d3ee392feecff5321b1018af521647/analysis/


OTL logfile created on: 9/11/2012 1:42:41 PM - Run 3
OTL by OldTimer - Version 3.2.61.3 Folder = C:\Users\P Albert Comulada\Downloads
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.92 Gb Total Physical Memory | 1.86 Gb Available Physical Memory | 63.54% Memory free
5.84 Gb Paging File | 4.44 Gb Available in Paging File | 76.07% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 215.59 Gb Total Space | 118.52 Gb Free Space | 54.97% Space Free | Partition Type: NTFS
Drive F: | 1.99 Gb Total Space | 1.48 Gb Free Space | 74.56% Space Free | Partition Type: FAT32

Computer Name: HP7LAPTOP | User Name: P Albert Comulada | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\P Albert Comulada\Downloads\OTL(1).exe (OldTimer Tools)
PRC - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe (Retrospect, Inc)
PRC - C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.EXE (Microsoft Corporation.)
PRC - C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.EXE (Microsoft Corporation.)
PRC - C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe (Hewlett-Packard Development Company L.P.)
PRC - C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
PRC - C:\Program Files\IDT\WDM\stacsv.exe (IDT, Inc.)
PRC - C:\Program Files\IDT\WDM\AEstSrv.exe (Andrea Electronics Corporation)
PRC - C:\Program Files\Hewlett-Packard\HP Support Framework\HPSA_Service.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Common Files\Portrait Displays\Drivers\SDKCOMServer.exe (Portrait Displays, Inc)
PRC - C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe (Portrait Displays, Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe (Hewlett-Packard Development Company, L.P)
PRC - C:\Windows\System32\atieclxx.exe (AMD)
PRC - C:\Windows\System32\atiesrxx.exe (AMD)
PRC - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe (DigitalPersona, Inc.)
PRC - C:\Program Files\DOS2USB\DOS2USB.exe (Bhaktee Software)
PRC - c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe (Hewlett-Packard Company)
PRC - C:\Program Files\DOS2USB\elsvc.exe ()
PRC - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe (Hewlett-Packard Company)
PRC - C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe (McAfee, Inc.)
PRC - C:\Program Files\Hewlett-Packard\File Sanitizer\coreshredder.exe (Hewlett-Packard)
PRC - C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe (Hewlett-Packard)
PRC - C:\Windows\System32\uArcCapture.exe (ArcSoft, Inc.)
PRC - C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files\PDF Complete\pdfsvc.exe (PDF Complete Inc)
PRC - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Modules (No Company Name) ==========

MOD - C:\windows\assembly\GAC_MSIL\CaslShared\3.5.1.1__9c6f83d5b7f3d097\CaslShared.dll ()
MOD - C:\windows\assembly\GAC_MSIL\hpcasl\3.5.1.1__9c6f83d5b7f3d097\hpcasl.dll ()
MOD - C:\windows\assembly\GAC_MSIL\HPCommon\2.0.6.0__89762bc6acc102f8\HPCommon.dll ()
MOD - C:\windows\assembly\GAC_MSIL\HardwareAccess\2.0.6.0__89762bc6acc102f8\HardwareAccess.dll ()
MOD - C:\windows\assembly\GAC_MSIL\Graphs\2.0.6.0__89762bc6acc102f8\Graphs.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\69ca4a43ba14b66689715ad62aed70e6\System.ServiceProcess.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\a501b7960f6c6e2e39162b83f3303aaa\System.Web.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e717a230496832656b05b515eb9f3bc5\PresentationFramework.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\7b7fbe651c6e72f12099a298654c9594\System.Windows.Forms.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6bb439b3f87736d3248ae27d43e2c0d6\System.Drawing.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\14a87218ea49639f38097e278b98a3da\PresentationCore.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\9b2f17fb61b7197f2a04108f5d1a1cc6\System.Management.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\635b3aec298ad5e8c903b2323d79cc5a\IAStorUtil.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\dfd33f59a5803a3c73cf408362e6e0b7\System.Core.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8e56489276063ededde74e597a121df3\PresentationFramework.Aero.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\03dee80574f4ec770b6f77ca030ded6c\System.Runtime.Remoting.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\168755d010e5a96ac940b0ddd27616a4\System.EnterpriseServices.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\80fae9f16f80075535e72458ef293f7a\System.Transactions.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\f3814b488d9e083cbbc623e01b389f09\System.Data.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\46fce56db7685a586d3eeb7c373e3c1c\WindowsBase.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\ba3d70b651454c7d49b407b93663bfed\System.Xml.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\cfa9c506bfb9254c89dace7b83bc9f9d\System.Configuration.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\System\ce9ff6baf9053ed2ed673d948179195c\System.ni.dll ()
MOD - C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\acfc1391e45fedd2a359778ea57d914c\mscorlib.ni.dll ()
MOD - C:\windows\assembly\GAC_MSIL\HP.SupportFramework\1.0.0.0__2a4860322af7ba08\HP.SupportFramework.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Power Assistant\System.Data.SQLite.DLL ()
MOD - C:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll ()
MOD - C:\windows\assembly\GAC_MSIL\hpCASLLibrary\3.0.1.1__67b8d1b5179ba5f8\hpCASLLibrary.dll ()
MOD - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HardwareAccess.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPCommon.XmlSerializers.dll ()
MOD - C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_LogicLayer.dll ()
MOD - C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll ()
MOD - C:\Program Files\Common Files\LightScribe\QtGui4.dll ()
MOD - C:\Program Files\Common Files\LightScribe\QtCore4.dll ()
MOD - C:\Program Files\Common Files\LightScribe\plugins\imageformats\qjpeg4.dll ()
MOD - C:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll ()


========== Services (SafeList) ==========

SRV - (nosGetPlusHelper) -- C:\Program Files\NOS\bin\getPlus_Helper_3004.dll File not found
SRV - (!SASCORE) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE (SUPERAntiSpyware.com)
SRV - (MozillaMaintenance) -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (NisSrv) -- C:\Program Files\Microsoft Security Client\NisSrv.exe (Microsoft Corporation)
SRV - (MsMpSvc) -- C:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (Retrospect Helper) -- C:\Program Files\Retrospect\Retrospect 7.7\rthlpsvc.exe (Retrospect, Inc)
SRV - (RetroLauncher) -- C:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe (Retrospect, Inc)
SRV - (BBUpdate) -- C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.EXE (Microsoft Corporation.)
SRV - (BBSvc) -- C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.EXE (Microsoft Corporation.)
SRV - (HP Power Assistant Service) -- C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe (Hewlett-Packard Company)
SRV - (HPDrvMntSvc.exe) -- C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe (Hewlett-Packard Company)
SRV - (STacSV) -- C:\Program Files\IDT\WDM\stacsv.exe (IDT, Inc.)
SRV - (AESTFilters) -- C:\Program Files\IDT\WDM\AEstSrv.exe (Andrea Electronics Corporation)
SRV - (HP Support Assistant Service) -- C:\Program Files\Hewlett-Packard\HP Support Framework\HPSA_Service.exe (Hewlett-Packard Company)
SRV - (B-Service) -- C:\Users\P Albert Comulada\Downloads\B-Service.exe ()
SRV - (PdiService) -- C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe (Portrait Displays, Inc.)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (HP ProtectTools Service) -- C:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe (Hewlett-Packard Development Company, L.P)
SRV - (AMD External Events Utility) -- C:\Windows\System32\atiesrxx.exe (AMD)
SRV - (HP Wireless Assistant Service) -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe (Hewlett-Packard Company)
SRV - (DpHost) -- C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe (DigitalPersona, Inc.)
SRV - (HPDayStarterService) -- c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe (Hewlett-Packard Company)
SRV - (elAPIsvc) -- C:\Program Files\DOS2USB\elsvc.exe ()
SRV - (ACDaemon) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (ArcSoft Inc.)
SRV - (IAStorDataMgrSvc) -- C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (hpHotkeyMonitor) -- C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe (Hewlett-Packard Company)
SRV - (HpFkCryptService) -- C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe (McAfee, Inc.)
SRV - (vcsFPService) -- C:\Windows\System32\vcsFPService.exe (Validity Sensors, Inc.)
SRV - (HPFSService) -- C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe (Hewlett-Packard)
SRV - (uArcCapture) -- C:\Windows\System32\uArcCapture.exe (ArcSoft, Inc.)
SRV - (FLCDLOCK) -- C:\Windows\System32\flcdlock.exe (Hewlett-Packard Ltd)
SRV - (UNS) -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (pdfcDispatcher) -- C:\Program Files\PDF Complete\pdfsvc.exe (PDF Complete Inc)
SRV - (StorSvc) -- C:\Windows\System32\StorSvc.dll (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (PSI_SVC_2) -- c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\Users\PALBER~1\AppData\Local\Temp\catchme.sys File not found
DRV - (athr) -- C:\Windows\System32\drivers\athr.sys (Qualcomm Atheros Communications, Inc.)
DRV - (NisDrv) -- C:\Windows\System32\drivers\NisDrvWFP.sys (Microsoft Corporation)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (hpdskflt) -- C:\Windows\System32\drivers\hpdskflt.sys (Hewlett-Packard Company)
DRV - (Accelerometer) -- C:\Windows\System32\drivers\Accelerometer.sys (Hewlett-Packard Company)
DRV - (vpcvmm) -- C:\Windows\System32\drivers\vpcvmm.sys (Microsoft Corporation)
DRV - (vpcbus) -- C:\Windows\System32\drivers\vpchbus.sys (Microsoft Corporation)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (vpcusb) -- C:\Windows\System32\drivers\vpcusb.sys (Microsoft Corporation)
DRV - (vpcnfltr) -- C:\Windows\System32\drivers\vpcnfltr.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (amdkmdag) -- C:\Windows\System32\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV - (amdkmdap) -- C:\Windows\System32\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV - (AtiHdmiService) -- C:\Windows\System32\drivers\AtiHdmi.sys (ATI Technologies, Inc.)
DRV - (HpqKbFiltr) -- C:\Windows\System32\drivers\HpqKbFiltr.sys (Hewlett-Packard Company)
DRV - (SbAlg) -- C:\windows\System32\drivers\SbAlg.sys (McAfee, Inc.)
DRV - (SbFsLock) -- C:\windows\System32\drivers\SbFsLock.sys (McAfee, Inc.)
DRV - (RsvLock) -- C:\windows\System32\drivers\rsvlock.sys (McAfee, Inc.)
DRV - (SafeBoot) -- C:\windows\System32\drivers\SafeBoot.sys ()
DRV - (rtsuvc) -- C:\Windows\System32\drivers\rtsuvc.sys (Realtek Semiconductor Corp.)
DRV - (ARCVCAM) -- C:\Windows\System32\drivers\ArcSoftVCapture.sys (ArcSoft, Inc.)
DRV - (RSUSBSTOR) -- C:\Windows\System32\drivers\RtsUStor.sys (Realtek Semiconductor Corp.)
DRV - (DAMDrv) -- C:\Windows\System32\drivers\DAMDrv.sys (Hewlett-Packard Development Company L.P.)
DRV - (HECI) -- C:\Windows\System32\drivers\HECI.sys (Intel Corporation)
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (AgereSoftModem) -- C:\Windows\System32\drivers\AGRSM.sys (LSI Corp)
DRV - (Afc) -- C:\Windows\System32\drivers\afc.sys (Arcsoft, Inc.)
DRV - (APL531) -- C:\Windows\System32\drivers\ov550i.sys (Omnivision Technologies, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPCOM/1
IE - HKLM\..\SearchScopes,DefaultScope = {8F0EBFE6-B9FA-4DF2-8388-072EFAA0DD50}
IE - HKLM\..\SearchScopes\{8F0EBFE6-B9FA-4DF2-8388-072EFAA0DD50}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CMNTDF&pc=CMNTDF&src=IE-SearchBox

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {8F0EBFE6-B9FA-4DF2-8388-072EFAA0DD50}
IE - HKCU\..\SearchScopes\{8F0EBFE6-B9FA-4DF2-8388-072EFAA0DD50}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CMNTDF&pc=CMNTDF&src=IE-SearchBox
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: emdtjnkrru@emdtjnkrru.org:2.5
FF - prefs.js..extensions.enabledAddons: socialfixer@mattkruse.com:6.502
FF - prefs.js..extensions.enabledAddons: {5546F97E-11A5-46b0-9082-32AD74AAA920}:0.6.3
FF - prefs.js..extensions.enabledAddons: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:2.0.7
FF - prefs.js..extensions.enabledItems: {5546F97E-11A5-46b0-9082-32AD74AAA920}:0.5.5.9
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.0: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\P Albert Comulada\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\P Albert Comulada\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\otis@digitalpersona.com: C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\FirefoxExt\ [2012/08/28 09:10:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/07 10:27:13 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/09/07 10:26:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape 7.2\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2011/09/05 13:02:36 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Netscape 7.2\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2012/09/09 12:38:11 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/07 10:27:13 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/09/07 10:26:42 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 7.2\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2011/09/05 13:02:36 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Netscape 7.2\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2012/09/09 12:38:11 | 000,000,000 | ---D | M]

[2010/12/09 18:50:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Extensions
[2012/08/27 16:53:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Firefox\Profiles\q1flcmy0.default\extensions
[2009/07/13 19:11:12 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Firefox\Profiles\q1flcmy0.default\extensions\emdtjnkrru@emdtjnkrru.org.xpi
[2012/04/23 10:50:07 | 000,141,229 | ---- | M] () (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Firefox\Profiles\q1flcmy0.default\extensions\socialfixer@mattkruse.com.xpi
[2011/09/23 13:29:02 | 000,046,721 | ---- | M] () (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Firefox\Profiles\q1flcmy0.default\extensions\{5546F97E-11A5-46b0-9082-32AD74AAA920}.xpi
[2012/08/27 16:53:16 | 000,341,143 | ---- | M] () (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Firefox\Profiles\q1flcmy0.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}.xpi
[2012/09/09 12:38:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/09/07 10:27:13 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/08/30 11:22:31 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/08/30 11:22:31 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage:
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage:
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\P Albert Comulada\AppData\Local\Google\Chrome\Application\21.0.1180.83\PepperFlash\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\P Albert Comulada\AppData\Local\Google\Chrome\Application\21.0.1180.89\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\windows\system32\Macromed\Flash\NPSWF32_11_3_300_271.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\P Albert Comulada\AppData\Local\Google\Chrome\Application\21.0.1180.89\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\P Albert Comulada\AppData\Local\Google\Chrome\Application\21.0.1180.89\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.310.5 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: McAfee Clinic (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPMGWRAP.DLL
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL
CHR - plugin: RIM Handheld Application Loader (Enabled) = C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: VLC Web Plugin (Enabled) = C:\Program Files\VideoLAN\VLC\npvlc.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Google Update (Enabled) = C:\Users\P Albert Comulada\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll

O1 HOSTS File: ([2012/09/10 12:54:55 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (File Sanitizer for HP ProtectTools) - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll (Hewlett-Packard)
O2 - BHO: (HP ProtectTools Security Manager Extension) - {395610AE-C624-4f58-B89E-23733EA00F9A} - C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpOtsPluginIe8.dll (DigitalPersona, Inc.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (CutePDF Form Filler Helper) - {D41289F2-69C6-417B-897E-C653D677CBAF} - C:\Program Files\Acro Software\CutePDF Pro\CPFillerCo.dll (Acro Software Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\7.1.361.0\BingExt.dll (Microsoft Corporation.)
O4 - HKLM..\Run: [DTRun] c:\Program Files\Arcsoft\TotalMedia Suite\TotalMedia Theatre 3\uDTRun.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [File Sanitizer] C:\Program Files\Hewlett-Packard\File Sanitizer\coreshredder.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPPowerAssistant] C:\Program Files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe (Hewlett-Packard Company, L.P.)
O4 - HKLM..\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe ()
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [QLBController] C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe (Hewlett-Packard Company)
O4 - HKLM..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (Research In Motion Limited)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKCU..\Run: [DOS2USB] C:\Program Files\DOS2USB\DOS2USB.exe (Bhaktee Software)
O4 - HKCU..\Run: [NIM] C:\Users\P Albert Comulada\Downloads\AIM\aim.exe -cnetwait.odl File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //FWEvent.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ( http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafee.com ( https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([betavscan] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([vs] https in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] http in Trusted sites)
O15 - HKLM\..Trusted Domains: mcafeeasap.com ([www] https in Trusted sites)
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} Reg Error: Key error. (Java Plug-in 1.4.1_02)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2BE13B34-942A-4DC0-93A6-709553F4C724}: DhcpNameServer = 205.152.144.23 205.152.132.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DC8094BB-F778-40E9-8105-1B92E4B401BB}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - Winlogon\Notify\DeviceNP: DllName - (DeviceNP.dll) - C:\windows\System32\DeviceNP.dll (Hewlett-Packard Limited)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/09/10 12:57:11 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/09/10 12:57:10 | 000,000,000 | ---D | C] -- C:\windows\temp
[2012/09/10 12:57:10 | 000,000,000 | ---D | C] -- C:\Users\P Albert Comulada\AppData\Local\temp
[2012/09/10 12:47:27 | 000,518,144 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2012/09/10 12:47:27 | 000,406,528 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2012/09/10 12:47:27 | 000,060,416 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2012/09/10 12:47:20 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/09/09 20:40:08 | 000,000,000 | ---D | C] -- C:\Users\P Albert Comulada\Desktop\GooredFix Backups
[2012/09/09 12:39:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/09/08 10:55:48 | 000,000,000 | ---D | C] -- C:\HP_RECOVERY_mountHPSF
[2012/09/07 10:26:40 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/09/05 10:13:19 | 000,000,000 | ---D | C] -- C:\windows\pss
[2012/09/04 10:29:38 | 000,000,000 | ---D | C] -- C:\Virus removal & logs
[2012/09/03 16:59:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/08/30 11:39:24 | 000,000,000 | ---D | C] -- C:\Users\P Albert Comulada\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012/08/28 09:17:02 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Portrait Displays
[2012/08/28 09:15:51 | 000,000,000 | ---D | C] -- C:\Users\P Albert Comulada\AppData\Roaming\Hewlett-Packard Company
[2012/08/28 09:10:43 | 000,000,000 | ---D | C] -- C:\windows\DPDrv
[2012/08/28 08:59:08 | 000,000,000 | ---D | C] -- C:\ProgramData\HP
[2012/08/27 20:51:06 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/08/27 18:04:32 | 000,000,000 | ---D | C] -- C:\windows\CheckSur
[2012/08/27 17:33:17 | 000,000,000 | ---D | C] -- C:\Users\P Albert Comulada\AppData\Local\LogMeIn Rescue Applet
[2012/08/27 16:17:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2012/08/27 16:17:38 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2012/08/27 16:17:34 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2 C:\Users\P Albert Comulada\AppData\Local\*.tmp files -> C:\Users\P Albert Comulada\AppData\Local\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/09/11 13:43:00 | 000,000,956 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-615262878-4179979-3482458484-1002UA.job
[2012/09/11 13:36:37 | 000,020,944 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/09/11 13:36:37 | 000,020,944 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/09/11 13:29:20 | 000,065,536 | ---- | M] () -- C:\windows\System32\Ikeext.etl
[2012/09/11 13:29:07 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2012/09/11 13:29:05 | 3136,741,376 | -HS- | M] () -- C:\hiberfil.sys
[2012/09/11 13:04:20 | 000,000,830 | ---- | M] () -- C:\windows\tasks\Adobe Flash Player Updater.job
[2012/09/11 12:11:16 | 000,002,068 | -H-- | M] () -- C:\Users\P Albert Comulada\Documents\Default.rdp
[2012/09/11 11:43:00 | 000,000,904 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-615262878-4179979-3482458484-1002Core.job
[2012/09/10 23:20:55 | 000,313,064 | ---- | M] () -- C:\911.JPG
[2012/09/10 23:18:29 | 000,106,137 | ---- | M] () -- C:\911pic.JPG
[2012/09/10 23:04:40 | 003,059,866 | ---- | M] () -- C:\911.PSD
[2012/09/10 22:53:36 | 000,118,043 | ---- | M] () -- C:\la-911-memorial-33-lrdnbjnc.jpg
[2012/09/10 13:12:50 | 000,028,722 | ---- | M] () -- C:\TDSSKiller.2.8.8.0_10.09.2012_12.46.07_log.zip
[2012/09/10 13:11:38 | 000,005,847 | ---- | M] () -- C:\ComboFix.zip
[2012/09/10 12:54:55 | 000,000,027 | ---- | M] () -- C:\windows\System32\drivers\etc\hosts
[2012/09/10 11:50:52 | 000,674,860 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2012/09/10 11:50:52 | 000,125,668 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2012/09/10 11:46:20 | 000,000,000 | ---- | M] () -- C:\Users\P Albert Comulada\dos2usb.spl
[2012/09/09 20:55:51 | 000,013,637 | ---- | M] () -- C:\Users\P Albert Comulada\Desktop\OTL.zip
[2012/09/09 20:39:31 | 000,000,512 | ---- | M] () -- C:\Users\P Albert Comulada\Desktop\MBR.dat
[2012/09/08 10:49:40 | 000,000,368 | ---- | M] () -- C:\windows\tasks\HPCeeScheduleForP Albert Comulada.job
[2012/09/08 09:35:57 | 000,001,986 | ---- | M] () -- C:\Users\P Albert Comulada\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/09/07 19:27:26 | 1150,510,346 | ---- | M] () -- C:\Users\P Albert Comulada\Desktop\REA9 Backup 2012-09-07 1917.zip
[2012/08/28 09:16:30 | 000,000,178 | ---- | M] () -- C:\windows\System32\HPPA.ini
[2012/08/27 23:20:28 | 1131,956,838 | ---- | M] () -- C:\Users\P Albert Comulada\Desktop\REA9 Backup 2012-08-27 2310.zip
[2012/08/27 18:39:27 | 000,001,070 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/08/27 16:23:44 | 000,688,088 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT
[2 C:\Users\P Albert Comulada\AppData\Local\*.tmp files -> C:\Users\P Albert Comulada\AppData\Local\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/09/10 23:18:27 | 000,106,137 | ---- | C] () -- C:\911pic.JPG
[2012/09/10 23:09:38 | 000,313,064 | ---- | C] () -- C:\911.JPG
[2012/09/10 23:01:31 | 003,059,866 | ---- | C] () -- C:\911.PSD
[2012/09/10 22:53:35 | 000,118,043 | ---- | C] () -- C:\la-911-memorial-33-lrdnbjnc.jpg
[2012/09/10 13:12:50 | 000,028,722 | ---- | C] () -- C:\TDSSKiller.2.8.8.0_10.09.2012_12.46.07_log.zip
[2012/09/10 13:11:38 | 000,005,847 | ---- | C] () -- C:\ComboFix.zip
[2012/09/10 12:47:27 | 000,256,000 | ---- | C] () -- C:\windows\PEV.exe
[2012/09/10 12:47:27 | 000,208,896 | ---- | C] () -- C:\windows\MBR.exe
[2012/09/10 12:47:27 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2012/09/10 12:47:27 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2012/09/10 12:47:27 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2012/09/09 20:55:51 | 000,013,637 | ---- | C] () -- C:\Users\P Albert Comulada\Desktop\OTL.zip
[2012/09/09 20:39:31 | 000,000,512 | ---- | C] () -- C:\Users\P Albert Comulada\Desktop\MBR.dat
[2012/09/08 11:01:28 | 1150,510,346 | ---- | C] () -- C:\Users\P Albert Comulada\Desktop\REA9 Backup 2012-09-07 1917.zip
[2012/08/31 19:23:44 | 000,000,368 | ---- | C] () -- C:\windows\tasks\HPCeeScheduleForP Albert Comulada.job
[2012/08/30 11:38:47 | 000,000,956 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-615262878-4179979-3482458484-1002UA.job
[2012/08/30 11:38:47 | 000,000,904 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-615262878-4179979-3482458484-1002Core.job
[2012/08/28 08:07:01 | 1131,956,838 | ---- | C] () -- C:\Users\P Albert Comulada\Desktop\REA9 Backup 2012-08-27 2310.zip
[2012/08/27 19:38:44 | 000,674,860 | ---- | C] () -- C:\windows\System32\perfh009.dat
[2012/08/27 19:38:44 | 000,291,294 | ---- | C] () -- C:\windows\System32\perfi009.dat
[2012/08/27 19:38:44 | 000,125,668 | ---- | C] () -- C:\windows\System32\perfc009.dat
[2012/08/27 19:38:44 | 000,031,548 | ---- | C] () -- C:\windows\System32\perfd009.dat
[2012/08/27 19:38:44 | 000,000,908 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/08/27 19:38:44 | 000,000,904 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/08/27 19:38:44 | 000,000,830 | ---- | C] () -- C:\windows\tasks\Adobe Flash Player Updater.job
[2012/08/27 18:39:27 | 000,001,070 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/08/27 15:53:05 | 3136,741,376 | -HS- | C] () -- C:\hiberfil.sys
[2011/06/11 11:51:17 | 000,015,872 | ---- | C] () -- C:\Users\P Albert Comulada\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/10 06:34:52 | 000,080,416 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
[2011/05/19 08:50:58 | 000,000,256 | ---- | C] () -- C:\windows\System32\DPPassFilter.dll.hpsign
[2011/05/19 08:50:58 | 000,000,256 | ---- | C] () -- C:\windows\System32\DPCrProv.dll.hpsign
[2011/04/08 16:44:49 | 000,001,849 | ---- | C] () -- C:\Users\P Albert Comulada\AppData\Roaming\GhostObjGAFix.xml
[2011/03/23 10:39:27 | 000,000,036 | ---- | C] () -- C:\Users\P Albert Comulada\AppData\Local\housecall.guid.cache
[2011/02/27 10:30:38 | 000,066,048 | ---- | C] () -- C:\windows\System32\PrintBrmUi.exe
[2011/01/20 12:52:30 | 000,010,534 | ---- | C] () -- C:\ProgramData\snddrv.sys
[2011/01/20 12:52:30 | 000,000,000 | ---- | C] () -- C:\Users\P Albert Comulada\dos2usb.spl
[2011/01/20 12:51:52 | 000,001,851 | ---- | C] () -- C:\windows\System32\xpdrvr.exe
[2011/01/20 11:33:48 | 000,000,877 | ---- | C] () -- C:\windows\Printfil.ini
[2011/01/13 15:58:01 | 000,000,335 | ---- | C] () -- C:\windows\nsreg.dat
[2011/01/13 15:57:17 | 000,105,168 | ---- | C] () -- C:\windows\NSUninst.exe
[2011/01/13 15:57:10 | 000,105,168 | ---- | C] () -- C:\windows\GREUninstall.exe
[2011/01/13 15:57:08 | 000,009,584 | ---- | C] () -- C:\windows\mozver.dat
[2011/01/12 21:31:17 | 000,087,544 | ---- | C] () -- C:\windows\System32\cpwmon2k.dll
[2011/01/12 19:24:00 | 000,263,856 | ---- | C] () -- C:\windows\ATMCNTRL.EXE
[2011/01/12 19:23:59 | 000,003,449 | ---- | C] () -- C:\windows\ATM.INI
[2011/01/12 19:21:12 | 000,030,464 | ---- | C] () -- C:\windows\macromix.dll
[2011/01/12 19:18:34 | 000,001,635 | ---- | C] () -- C:\windows\CORELCHT.INI
[2011/01/06 22:52:42 | 000,000,118 | ---- | C] () -- C:\windows\viewer.ini
[2011/01/06 22:52:42 | 000,000,083 | ---- | C] () -- C:\windows\artgalry.ini
[2011/01/06 22:52:04 | 000,003,937 | ---- | C] () -- C:\windows\MSWORKS3.INI
[2011/01/05 18:39:51 | 000,000,503 | ---- | C] () -- C:\windows\htmlasst.ini
[2010/12/19 17:59:00 | 000,003,350 | -HS- | C] () -- C:\ProgramData\KGyGaAvL.sys
[2010/12/15 18:06:50 | 000,000,000 | ---- | C] () -- C:\windows\DvyP413.dll
[2010/12/15 18:06:50 | 000,000,000 | ---- | C] () -- C:\windows\161exp2.dll
[2010/12/15 18:06:50 | 000,000,000 | ---- | C] () -- C:\windows\161exp1.dll
[2010/12/15 14:02:56 | 000,000,367 | ---- | C] () -- C:\windows\System32\CNCMFP12.INI
[2010/12/11 20:24:46 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/10/13 01:36:05 | 000,000,000 | ---- | C] () -- C:\windows\ativpsrm.bin

========== LOP Check ==========

[2011/04/13 14:20:34 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\089C8716-52DB-4845-A916-F1F9CFCDFB60
[2011/04/13 14:20:34 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\23653305-B8CB-49D1-9371-F9F598E176E4
[2012/05/04 12:59:18 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\4451474C-BA37-4EF7-9C18-5E7456C43F01
[2011/01/24 14:28:24 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\Acronis
[2011/06/18 09:59:24 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\Blackberry Desktop
[2012/09/09 13:06:10 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\Canon
[2010/12/09 16:38:22 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\DigitalPersona
[2010/12/16 11:18:49 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\OpenOffice.org
[2011/03/14 10:12:49 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\Research In Motion
[2011/03/23 12:51:45 | 000,000,000 | ---D | M] -- C:\Users\P Albert Comulada\AppData\Roaming\TrojanHunter
[2012/08/13 07:44:22 | 000,032,584 | ---- | M] () -- C:\windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >

ken545
2012-09-11, 21:21
Are you getting the redirects from all browsers ?

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL




:processes
killallprocesses

:OTL


:Services

:Reg

:Files
ipconfig /flushdns /c


:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces

AlbertFlorida
2012-09-11, 22:08
Hi -

I did what you said. Redirect still active.

Getting worse I think... I checked other browsers and found it 'tries' to redirect explorer, then explorer crashes. The times it doesn't redirect explorer, it works. I also found some of the buttons (like bookmarks) are disabled now in explorer. But of course I never use Explorer so don't know if that occurred when MS removed IE9 remotely a few weeks ago. Anyway ... it does NOT redirect in Chrome.

All processes killed
========== PROCESSES ==========
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\P Albert Comulada\Downloads\cmd.bat deleted successfully.
C:\Users\P Albert Comulada\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User

User: P Albert Comulada
->Temp folder emptied: 365089037 bytes
->Temporary Internet Files folder emptied: 510355 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 217841419 bytes
->Google Chrome cache emptied: 51150842 bytes
->Flash cache emptied: 8265 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 20232 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 605.00 mb


OTL by OldTimer - Version 3.2.60.0 log created on 09112012_145345

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

ken545
2012-09-11, 22:32
Open Internet Explorer and go to Tools > Internet Options > Advanced Tab > Reset Internet Explorer Setting > Reset.....this will take a few seconds, when its done close IE and then reopen it and see if it helped

AlbertFlorida
2012-09-11, 22:55
Hi -

The buttons do not work on IE8 now. And out of curiosity I went to CP and clicked internet options. It does nothing now. Disabled.

ken545
2012-09-12, 00:04
See if you can do that in Safemode

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)


Are you accessing the internet through a Router, are other computers connected to your router being redirected also ?




Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs
Double click on the file to run it
A window will open on your desktop
if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
If nothing unusual is found just press Enter A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

AlbertFlorida
2012-09-12, 05:41
Hi -
There is a router, but no other computers have the problem.
Booted in safe mode, but buttons still didn't work in IE. I opened CP but 'internet options' wasn't there. I have a feeling this Trojan or whatever has damaged system files. Amazing ...

MBR log below

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows 7 Professional
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: Hewlett-Packard
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP ProBook 4520s
Logical Drives Mask: 0x00000064

Kernel Drivers (total 203):
0x82E43000 \SystemRoot\system32\ntkrnlpa.exe
0x82E0C000 \SystemRoot\system32\halmacpi.dll
0x80B97000 \SystemRoot\system32\kdcom.dll
0x8AE23000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8AEA8000 \SystemRoot\system32\PSHED.dll
0x8AEB9000 \SystemRoot\system32\BOOTVID.dll
0x8AEC1000 \SystemRoot\system32\CLFS.SYS
0x8AF03000 \SystemRoot\system32\CI.dll
0x8B021000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8B092000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x8B0A0000 \SystemRoot\system32\drivers\ACPI.sys
0x8B0E8000 \SystemRoot\system32\drivers\WMILIB.SYS
0x8B0F1000 \SystemRoot\system32\drivers\msisadrv.sys
0x8B0F9000 \SystemRoot\system32\drivers\pci.sys
0x8B123000 \SystemRoot\system32\drivers\vdrvroot.sys
0x8B12E000 \SystemRoot\System32\drivers\partmgr.sys
0x8B13F000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x8B147000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8B152000 \SystemRoot\system32\drivers\volmgr.sys
0x8B162000 \SystemRoot\System32\drivers\volmgrx.sys
0x8B1AD000 \SystemRoot\System32\drivers\mountmgr.sys
0x8B1C3000 \SystemRoot\system32\drivers\vmbus.sys
0x8B1ED000 \SystemRoot\system32\drivers\winhv.sys
0x8B226000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x8B3DB000 \SystemRoot\system32\drivers\amdxata.sys
0x8B3E4000 \SystemRoot\System32\Drivers\SbAlg.sys
0x8AFAE000 \SystemRoot\system32\drivers\fltmgr.sys
0x8B3EF000 \SystemRoot\system32\drivers\fileinfo.sys
0x8B200000 \SystemRoot\System32\Drivers\SbFsLock.sys
0x8B436000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0x8B45E000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8B58D000 \SystemRoot\System32\Drivers\msrpc.sys
0x8B5B8000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8B62F000 \SystemRoot\System32\Drivers\cng.sys
0x8B68C000 \SystemRoot\System32\drivers\pcw.sys
0x8B69A000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8B6A3000 \SystemRoot\system32\drivers\ndis.sys
0x8B75A000 \SystemRoot\system32\drivers\NETIO.SYS
0x8B798000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8B836000 \SystemRoot\System32\drivers\tcpip.sys
0x8B981000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8B9B2000 \SystemRoot\system32\drivers\vmstorfl.sys
0x8B9BB000 \SystemRoot\system32\drivers\volsnap.sys
0x8B800000 \SystemRoot\System32\Drivers\spldr.sys
0x8B808000 \SystemRoot\System32\Drivers\SafeBoot.sys
0x8B7BD000 \SystemRoot\System32\drivers\rdyboost.sys
0x8B821000 \SystemRoot\System32\Drivers\mup.sys
0x8B7EA000 \SystemRoot\System32\drivers\hwpolicy.sys
0x8B7F2000 \SystemRoot\system32\DRIVERS\hpdskflt.sys
0x8B5CB000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8B600000 \SystemRoot\system32\DRIVERS\disk.sys
0x8B400000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x905E0000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x90400000 \SystemRoot\System32\Drivers\Null.SYS
0x90407000 \SystemRoot\System32\Drivers\Beep.SYS
0x8B61E000 \SystemRoot\System32\drivers\vga.sys
0x8B202000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8B425000 \SystemRoot\System32\drivers\watchdog.sys
0x9040E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8B000000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8B008000 \SystemRoot\system32\drivers\rdprefmp.sys
0x8B010000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8AFE2000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8AE00000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8AE17000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8FC14000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8FC46000 \SystemRoot\system32\drivers\afd.sys
0x8FCA0000 \SystemRoot\system32\drivers\ws2ifsl.sys
0x8FCA9000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8FCB0000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8FCCF000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x8FCE0000 \SystemRoot\system32\DRIVERS\vpcnfltr.sys
0x8FCF0000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8FCFE000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8FD11000 \SystemRoot\system32\drivers\vpcvmm.sys
0x8FD58000 \SystemRoot\system32\drivers\termdd.sys
0x8FD69000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0x8FD8B000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0x8FD91000 \SystemRoot\System32\Drivers\RsvLock.SYS
0x8FD9A000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8FDDB000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8FDE5000 \SystemRoot\system32\drivers\mssmbios.sys
0x8FDEF000 \SystemRoot\System32\drivers\discache.sys
0x90C38000 \SystemRoot\system32\drivers\csc.sys
0x90C9C000 \SystemRoot\System32\Drivers\dfsc.sys
0x90CB4000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x90CC2000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x90CE3000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x90CF5000 \SystemRoot\system32\DRIVERS\atikmpag.sys
0x91001000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x915A4000 \SystemRoot\System32\Drivers\fastfat.SYS
0x90D2E000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x91833000 \SystemRoot\System32\drivers\dxgmms1.sys
0x9186C000 \SystemRoot\system32\drivers\HDAudBus.sys
0x9188B000 \SystemRoot\system32\DRIVERS\HECI.sys
0x91896000 \SystemRoot\system32\drivers\usbehci.sys
0x918A5000 \SystemRoot\system32\drivers\USBPORT.SYS
0x91C0F000 \SystemRoot\system32\DRIVERS\athr.sys
0x91EF1000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x91EFB000 \SystemRoot\system32\DRIVERS\Rt86win7.sys
0x91F5D000 \SystemRoot\system32\drivers\i8042prt.sys
0x91F75000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
0x91F7E000 \SystemRoot\system32\drivers\kbdclass.sys
0x92000000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x9213D000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x9213F000 \SystemRoot\system32\drivers\mouclass.sys
0x9214C000 \SystemRoot\system32\drivers\Afc.sys
0x92154000 \SystemRoot\system32\DRIVERS\Accelerometer.sys
0x92160000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x92164000 \SystemRoot\system32\drivers\wmiacpi.sys
0x9216D000 \SystemRoot\system32\drivers\CompositeBus.sys
0x9217A000 \SystemRoot\system32\DRIVERS\ArcSoftVCapture.sys
0x92180000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0x9218E000 \SystemRoot\system32\DRIVERS\ks.sys
0x921C2000 \SystemRoot\System32\Drivers\RootMdm.sys
0x921CA000 \SystemRoot\system32\drivers\modem.sys
0x921D7000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x91F8B000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x921E9000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x91FA3000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x91FC5000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x91FDD000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x918F0000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x921F4000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0x91FF4000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x921FB000 \SystemRoot\system32\drivers\swenum.sys
0x91C00000 \SystemRoot\system32\drivers\umbus.sys
0x91907000 \SystemRoot\system32\DRIVERS\vpcusb.sys
0x9191F000 \SystemRoot\system32\DRIVERS\usbrpm.sys
0x9192C000 \SystemRoot\system32\DRIVERS\vpchbus.sys
0x91962000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x919A6000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x919B7000 \SystemRoot\system32\drivers\AtiHdmi.sys
0x91800000 \SystemRoot\system32\drivers\portcls.sys
0x919D5000 \SystemRoot\system32\drivers\drmk.sys
0x94600000 \SystemRoot\system32\DRIVERS\stwrt.sys
0x9A430000 \SystemRoot\System32\win32k.sys
0x9466E000 \SystemRoot\System32\drivers\Dxapi.sys
0x94678000 \SystemRoot\System32\Drivers\crashdmp.sys
0x90416000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x94685000 \SystemRoot\System32\Drivers\dump_SbHiber.sys
0x94686000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x94697000 \SystemRoot\system32\DRIVERS\monitor.sys
0x9A6A0000 \SystemRoot\System32\TSDDD.dll
0x9A6D0000 \SystemRoot\System32\cdd.dll
0x9A6F0000 \SystemRoot\System32\ATMFD.DLL
0x946A2000 \SystemRoot\system32\drivers\luafv.sys
0x946BD000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x946D4000 \SystemRoot\system32\drivers\WudfPf.sys
0x946EE000 \SystemRoot\system32\DRIVERS\rtsuvc.sys
0x94700000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x94710000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x94756000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x94766000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x94779000 \SystemRoot\system32\drivers\HTTP.sys
0x915CE000 \SystemRoot\system32\DRIVERS\bowser.sys
0x919EE000 \SystemRoot\System32\drivers\mpsdrv.sys
0x90C00000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9CE07000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9CE42000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9CE75000 \SystemRoot\system32\drivers\peauth.sys
0x9CF0C000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9CF16000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9CF37000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9CF44000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9CF94000 \SystemRoot\System32\DRIVERS\srv.sys
0xAA621000 \SystemRoot\system32\drivers\spsys.sys
0x77840000 \Windows\System32\ntdll.dll
0x47950000 \Windows\System32\smss.exe
0x77A80000 \Windows\System32\apisetschema.dll
0x00500000 \Windows\System32\autochk.exe
0x77720000 \Windows\System32\urlmon.dll
0x77A30000 \Windows\System32\ws2_32.dll
0x779D0000 \Windows\System32\difxapi.dll
0x779C0000 \Windows\System32\nsi.dll
0x77990000 \Windows\System32\imagehlp.dll
0x776D0000 \Windows\System32\gdi32.dll
0x77620000 \Windows\System32\rpcrt4.dll
0x77590000 \Windows\System32\clbcatq.dll
0x774F0000 \Windows\System32\usp10.dll
0x774D0000 \Windows\System32\imm32.dll
0x77370000 \Windows\System32\ole32.dll
0x77290000 \Windows\System32\kernel32.dll
0x771E0000 \Windows\System32\msvcrt.dll
0x77150000 \Windows\System32\oleaut32.dll
0x77980000 \Windows\System32\normaliz.dll
0x77080000 \Windows\System32\msctf.dll
0x76F60000 \Windows\System32\wininet.dll
0x76DC0000 \Windows\System32\setupapi.dll
0x76170000 \Windows\System32\shell32.dll
0x76160000 \Windows\System32\psapi.dll
0x76140000 \Windows\System32\sechost.dll
0x75F80000 \Windows\System32\iertutil.dll
0x75EB0000 \Windows\System32\user32.dll
0x75E30000 \Windows\System32\comdlg32.dll
0x75D90000 \Windows\System32\advapi32.dll
0x75D80000 \Windows\System32\lpk.dll
0x75D30000 \Windows\System32\Wldap32.dll
0x75CD0000 \Windows\System32\shlwapi.dll
0x75C40000 \Windows\System32\comctl32.dll
0x75B20000 \Windows\System32\crypt32.dll
0x75B00000 \Windows\System32\devobj.dll
0x75AD0000 \Windows\System32\wintrust.dll

Processes (total 95):
0 System Idle Process
4 System
332 C:\Windows\System32\smss.exe
452 csrss.exe
524 C:\Windows\System32\wininit.exe
532 csrss.exe
580 C:\Windows\System32\services.exe
600 C:\Windows\System32\lsass.exe
608 C:\Windows\System32\lsm.exe
728 C:\Windows\System32\svchost.exe
788 C:\Windows\System32\winlogon.exe
836 C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
872 C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
920 C:\Windows\System32\svchost.exe
988 C:\Program Files\Microsoft Security Client\MsMpEng.exe
1068 C:\Windows\System32\atiesrxx.exe
1108 C:\Windows\System32\svchost.exe
1156 C:\Windows\System32\svchost.exe
1188 C:\Windows\System32\svchost.exe
1248 C:\Program Files\IDT\WDM\stacsv.exe
1296 C:\Windows\System32\audiodg.exe
1588 C:\Windows\System32\svchost.exe
1628 C:\Windows\System32\svchost.exe
1704 C:\Windows\System32\atieclxx.exe
1724 C:\Windows\System32\hpservice.exe
1936 C:\Windows\System32\svchost.exe
116 C:\Windows\System32\spoolsv.exe
400 C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\Bin\DpHostW.exe
1004 C:\Windows\System32\svchost.exe
1836 C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
1812 C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
1860 C:\Program Files\IDT\WDM\AEstSrv.exe
1924 C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.EXE
2104 C:\Program Files\DOS2USB\elsvc.exe
2124 C:\Windows\System32\svchost.exe
2156 C:\Program Files\Hewlett-Packard\2009 Password Filter for HP ProtectTools\PTChangeFilterService.exe
2224 C:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe
2252 C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
2276 C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe
2308 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2364 C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
2388 C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
2564 C:\Program Files\PDF Complete\pdfsvc.exe
2628 C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
2660 C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
2704 C:\Program Files\Retrospect\Retrospect 7.7\retrorun.exe
2804 C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
2832 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2884 C:\Windows\System32\svchost.exe
2932 C:\Windows\System32\uArcCapture.exe
2972 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
3292 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
3348 unsecapp.exe
3424 WmiPrvSE.exe
3592 C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
3840 C:\Windows\System32\svchost.exe
2412 C:\Windows\System32\taskhost.exe
3516 C:\Windows\System32\dwm.exe
2784 C:\Windows\explorer.exe
4072 C:\Program Files\Hewlett-Packard\HP HotKey Support\QLBController.exe
4080 C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
1568 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
4148 C:\Program Files\Hewlett-Packard\File Sanitizer\coreshredder.exe
4364 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
4452 C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
4464 C:\Program Files\IDT\WDM\sttray.exe
4512 C:\Program Files\Microsoft Security Client\msseces.exe
4556 C:\Program Files\Common Files\Java\Java Update\jusched.exe
4676 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
4748 C:\Program Files\DOS2USB\DOS2USB.exe
4816 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
4960 C:\Windows\System32\SearchIndexer.exe
5584 C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
6012 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
6092 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
4800 C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe
5400 C:\Program Files\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
584 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
5508 C:\Windows\System32\sppsvc.exe
5656 WmiPrvSE.exe
2248 C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
3568 C:\Program Files\Windows Media Player\wmpnetwk.exe
5160 C:\Windows\System32\taskeng.exe
2196 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
5216 C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe
5512 C:\Program Files\Common Files\Portrait Displays\Drivers\SDKCOMServer.exe
1756 C:\Program Files\Hewlett-Packard\Shared\hpCaslNotification.exe
368 C:\Windows\System32\notepad.exe
2800 C:\Windows\System32\wuauclt.exe
5732 C:\Windows\System32\SearchProtocolHost.exe
1332 C:\Windows\System32\SearchFilterHost.exe
844 dllhost.exe
6084 dllhost.exe
932 C:\Users\P Albert Comulada\Downloads\MBRCheck.exe
2072 C:\Windows\System32\conhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`12d00000 (NTFS)
\\.\F: --> \\.\PhysicalDrive0 at offset 0x00000039`b8b00000 (FAT32)

PhysicalDrive0 Model Number: HitachiHTS725025A9A364, Rev: PC2OCH0A

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!

ken545
2012-09-12, 10:52
Theres an infection going around that sometimes infects your MBR (Master Boot Record) and with the last scan we ran yours looks fine. Run one more quick scan and lets see if there by chance is a hidden partition we cant see.

Download ListParts (http://download.bleepingcomputer.com/farbar/ListParts64.exe)

ListParts is a small utility that will create a log that contains a listing of all the hard drive partitions on your computer, which can then be posted on the forum that you are receiving help. This tool is useful for diagnosing rootkit infections that create additional hidden partitions on your computer.

Note: There are both 32-bit and 64-bit versions of GrantPerms available. Please pick the version that matches your operating system's bit type.

AlbertFlorida
2012-09-12, 15:10
Hi -
The link you provided was only for the 64 bit version. I tried changing the link to ... 32.exe but no luck LOL. Do you have a link for the 32 bit version?
Thanks

ken545
2012-09-12, 16:58
Here ya go

http://www.bleepingcomputer.com/download/listparts/

AlbertFlorida
2012-09-12, 17:32
ListParts by Farbar Version: 10-08-2012
Ran by P Albert Comulada (administrator) on 12-09-2012 at 10:30:15
Windows 7 (X86)
Running From: C:\Users\P Albert Comulada\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 35%
Total physical RAM: 2991.43 MB
Available physical RAM: 1926.06 MB
Total Pagefile: 5981.14 MB
Available Pagefile: 4522.49 MB
Total Virtual: 2047.88 MB
Available Virtual: 1957.12 MB

======================= Partitions =========================

1 Drive c: (SYSTEM2) (Fixed) (Total:215.59 GB) (Free:118.94 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive f: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.48 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 300 MB 1024 KB
Partition 2 Primary 215 GB 301 MB
Partition 3 Primary 15 GB 215 GB
Partition 4 Primary 2043 MB 230 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 SYSTEM NTFS Partition 300 MB Healthy System (partition with boot components)

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C SYSTEM2 NTFS Partition 215 GB Healthy Boot

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 HP_RECOVERY NTFS Partition 15 GB Healthy

======================================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 2043 MB Healthy

======================================================================================================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=\Device\HarddiskVolume1
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
extendedinput Yes
default {1e72e31b-d696-11df-aa0d-9b5dbc1d65fb}
resumeobject {1e72e31a-d696-11df-aa0d-9b5dbc1d65fb}
displayorder {1e72e31b-d696-11df-aa0d-9b5dbc1d65fb}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30
customactions 0x1000085000001
0x5400000f
custom:5400000f {1e72e31c-d696-11df-aa0d-9b5dbc1d65fb}

Windows Boot Loader
-------------------
identifier {1e72e31b-d696-11df-aa0d-9b5dbc1d65fb}
device partition=C:
path \windows\system32\winload.exe
description Windows 7
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {1e72e31c-d696-11df-aa0d-9b5dbc1d65fb}
recoveryenabled Yes
osdevice partition=C:
systemroot \windows
resumeobject {1e72e31a-d696-11df-aa0d-9b5dbc1d65fb}
nx OptIn
detecthal Yes

Windows Boot Loader
-------------------
identifier {1e72e31c-d696-11df-aa0d-9b5dbc1d65fb}
device ramdisk=[\Device\HarddiskVolume3]\Recovery\WindowsRE\Winre.wim,{1e72e31d-d696-11df-aa0d-9b5dbc1d65fb}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[\Device\HarddiskVolume3]\Recovery\WindowsRE\Winre.wim,{1e72e31d-d696-11df-aa0d-9b5dbc1d65fb}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Resume from Hibernate
---------------------
identifier {1e72e31a-d696-11df-aa0d-9b5dbc1d65fb}
device partition=C:
path \windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=C:
filepath \hiberfil.sys
pae Yes
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=\Device\HarddiskVolume1
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {1e72e31d-d696-11df-aa0d-9b5dbc1d65fb}
description Ramdisk Options
ramdisksdidevice partition=\Device\HarddiskVolume3
ramdisksdipath \Recovery\WindowsRE\boot.sdi


****** End Of Log ******

ken545
2012-09-12, 17:51
Looks ok,

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)

AlbertFlorida
2012-09-12, 20:06
Attached

ken545
2012-09-12, 20:39
Well, we have run a lot of scanners checking for rootkits and viruses and none are found, I could be wrong but safeboot may be causing you problems, but if it was infected Combofix would have found it and tried to replace it, I am not clear exactly what you did with this file if you removed it and redownloaded it. I am going to have someone else take a peak and see if they see something I have missed, do you have your windows CD or the Recovery Disk that came with your computer ?

In the mean time run this free online virus scanner and lets see if it finds anything

I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

AlbertFlorida
2012-09-13, 05:17
Hi -
I ran it, but found no threats and it did not have a button that said 'list of threats' (maybe because it didn't find anything). It did not offer an option then to save a log or a text file.

Regarding your comments, I personally doubt it's 'safeboot' because as you recall I pulled a copy from a backup done the day before, and uploaded the file to that scan site that you suggested (virustotal). It did upload and said the file was clean.

That same site said the the 2 DOS2USB files were suspicious (https://www.virustotal.com/file/347174dbf234c03b664c572f75be8f6024e2b71f4d0502e146b0df753f55edd1/analysis/) - I wonder if I should contact DOS2USB and ask them to explain why their program file is showing as a virus.

More than likely though, from what I've read, I have a bad rootkit that has successfully buried itself in a system file. I read that when they do that, virus scanners can't see them.

But I do have one (obviously) -
- Google on firefox redirects my searches from the links.
- Once I am redirected, I cannot go 'back' ... all I can do is close the window.
- I cannot install a IE9 upgrade, nor ONE particular windows security update.
- IE8 is disabled, and almost useless.

This is more than just 'damaged' files ... otherwise firefox would not be redirecting.

Don't get me wrong, I appreciate your help. I'm just in awe of the expertise of these a-holes that write these things.

Albert

ken545
2012-09-13, 11:23
Good Morning Albert,

Just hang on a bit and let me get another set of eyes on this one. Be back as soon as I can

ken545
2012-09-13, 14:29
Give this a shot and lets see what it finds, I am also looking at a questionable entry for FF

Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) to your desktop




Option 1 (SCAN)

In this mode, the program will only kill the infectious process and inform the user of the infected registry keys, but no changes shall be made. In this way you can safely generated report and post it

AlbertFlorida
2012-09-13, 17:21
Great. All this did is add a bunch of weird icons (download free music, games) and 'un-unzip' program to my computer .. no scanner. I deleted what I could ... probably added a bunch of spywear.

....

ken545
2012-09-13, 18:06
The tools we use remove malware, they dont add it

Try this link
http://majorgeeks.com/RogueKiller_d6983.html

http://support.mozilla.org/en-US/kb/disable-or-remove-add-ons
Open Firefox and disable this add on
Performance Cache 1.0 addon



Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL




:processes
killallprocesses

:OTL
[2009/07/13 19:11:12 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\P Albert Comulada\AppData\Roaming\Mozilla\Firefox\Profiles\q1flcmy0.default\extensions\emdtjnkrru@emdtjnkrru.org.xpi


:Services

:Reg

:Files
ipconfig /flushdns /c


:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces
Then rescan with OTL and post a new log please

AlbertFlorida
2012-09-13, 18:33
Think I'll pass at this point. Thanks for your help.

ken545
2012-09-13, 19:12
Your call but that FF extension is the culprit, it most likely will stop the redirects

https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fTracur.AV