
Author Topic: Search redirect spyware  (Read 7416 times)


tomicavols

    Topic Starter


    Starter

    • Experience: Beginner
    • OS: Unknown
    Search redirect spyware
    « on: February 18, 2012, 03:23:52 PM »
    A cousin sent an email that had a suspicious link. Trying to close the email, I accidentally clicked the link. Since then I've seen several viruses, mostly search engine hijackers. Things like GalaSearch, Search 7, Askthecrew.net. They just keep coming. I've run several scans yet they still persist. My AntiVirus is ESET NOD but I've run Malware, CC Cleaner, Super Antivirus free, etc.

    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.02.16.02

    Windows 7 x64 NTFS
    Internet Explorer 8.0.7600.16385
    Tom :: TOM-LAPTOP [administrator]

    2/18/2012 5:13:25 PM
    mbam-log-2012-02-18 (17-13-25).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 181771
    Time elapsed: 2 minute(s), 39 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/18/2012 at 04:37 PM

    Application Version : 5.0.1144

    Core Rules Database Version : 8256
    Trace Rules Database Version: 6068

    Scan type       : Complete Scan
    Total Scan Time : 00:38:32

    Operating System Information
    Windows 7 Home Premium 64-bit (Build 6.01.7600)
    UAC On - Limited User

    Memory items scanned      : 578
    Memory threats detected   : 0
    Registry items scanned    : 66544
    Registry threats detected : 0
    File items scanned        : 50293
    File threats detected     : 0





    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Search redirect spyware
    « Reply #1 on: February 18, 2012, 06:31:54 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    Download OTL to your desktop.

    * Open OTL
    * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

    Code:
    :OTL
    BHO-X64:     AcroIEHelperStub - No File
    BHO-X64: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
    BHO-X64:     McAfee Phishing Filter - No File
    BHO-X64:     Search Helper - No File
    :COMMANDS
    [resethosts]
    [purity]
    [start explorer]

    * Click Run Fix
    * OTLI2 may ask to reboot the machine. Please do so if asked.
    * Click OK
    * A report will open. Copy and Paste that report in your next reply.
    ****************************************************************
    Download Combofix from any of the links below, and save it to your desktop

    Link 1
    Link 2
    Link 3

    To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
    • Close any open windows and double click ComboFix.exe to run it.

      You will see the following image:


    Click I Agree to start the program.

    ComboFix will then extract the necessary files and you will see this:



    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

    It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    If you did not have it installed, you will see the prompt below. Choose YES.



    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

    Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

    Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.
    Windows 8 and Windows 10 dual boot with two SSD's
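A defender-side check that relates to the [resethosts] step in the OTL fix above, added here as an example and not part of the thread, of OTL or of ComboFix: a Python script that parses a Windows hosts file and flags any entry that redirects or black-holes a well-known search-engine or security-vendor hostname, which is the kind of tampering a hosts reset undoes. The watch list, the sample hosts content and the function names are constructed for illustration.

```python
"""Hosts-file hijack check (added example, not part of the forum thread or of
OTL/ComboFix). Parses a Windows hosts file and flags entries that send
well-known search-engine or security-vendor names anywhere but where DNS
would, which is the kind of tampering an [resethosts] step undoes."""
import ipaddress
import sys
from typing import List, Tuple

# Constructed watch list: domains a search-redirect infection typically
# redirects (search engines) or blocks (security vendors). Extend as needed.
WATCHED_SUFFIXES = (
    "google.com", "bing.com", "yahoo.com",
    "malwarebytes.org", "superantispyware.com", "eset.com",
)

# Constructed sample hosts file: two stock lines, one hijack, one block, and a
# harmless internal override that must not be flagged.
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-2009 Microsoft Corp.",
    "127.0.0.1       localhost",
    "::1             localhost",
    "192.0.2.10      www.google.com search.yahoo.com   # constructed hijack entry",
    "127.0.0.1       www.malwarebytes.org              # constructed vendor block",
    "10.0.0.5        intranet.example                  # internal override, not flagged",
])


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_number) for every mapping in hosts-file text.
    Comments after '#' and blank lines are ignored; one line may list several names."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower(), lineno))
    return entries


def _watched(name: str) -> bool:
    """True when the name is a watched domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def _kind(ip: str) -> str:
    """Loopback/unspecified targets black-hole the name ('blocked'); any other
    target, including a malformed address, sends traffic elsewhere ('redirected')."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "redirected"
    return "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"


def check_hosts(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (kind, ip, hostname, line_number) for each watched name that has
    any hosts-file mapping at all; a stock hosts file yields an empty list."""
    return [(_kind(ip), ip, name, lineno)
            for ip, name, lineno in parse_hosts(text) if _watched(name)]


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts]; with no path the sample is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for kind, ip, name, lineno in check_hosts(text):
        print(f"line {lineno}: {name} {kind} via {ip}")
```

On a Windows machine the file to pass is C:\Windows\System32\drivers\etc\hosts (the same path the OTL log above reports as moved). Internal overrides of unlisted names are deliberately left alone, so the output is short enough to read before deciding whether a reset is warranted.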

    tomicavols

      Topic Starter


      Starter

      • Experience: Beginner
      • OS: Unknown
      Re: Search redirect spyware
      « Reply #2 on: February 20, 2012, 11:14:51 AM »
      ComboFix 12-02-19.02 - Tom 02/20/2012  12:44:04.1.2 - x64
      Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.4058.2673 [GMT -5:00]
      Running from: c:\users\Tom\Desktop\ComboFix.exe
      AV: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
      SP: ESET NOD32 Antivirus 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
      SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
      .
      .
      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      C:\Install.exe
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.drv
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\cb.exe
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\CLSV.tmp
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\delfile.dll
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\dudl.dll
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\dudl.tmp
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\eb.exe
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\eb.sys
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\eb.tmp
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\energy.sys
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\exec.tmp
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\fix.dll
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\FW.drv
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\gid.dll
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\hymt.exe
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\kernel32.drv
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\kernel32.sys
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\ppal.exe
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\ppal.tmp
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.drv
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.exe
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.sys
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\sld.drv
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\sld.sys
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\SM.drv
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\snl2w.dll
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\std.dll
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Recent\std.drv
      c:\users\Tom\GoToAssistDownloadHelper.exe
      .
      .
      (((((((((((((((((((((((((   Files Created from 2012-01-20 to 2012-02-20  )))))))))))))))))))))))))))))))
      .
      .
      2012-02-20 17:55 . 2012-02-20 17:55   --------   d-----w-   c:\users\Default\AppData\Local\temp
      2012-02-20 17:38 . 2012-02-20 17:38   --------   d-----w-   C:\_OTL
      2012-02-18 19:10 . 2012-02-18 19:10   --------   d-----w-   c:\program files\CCleaner
      2012-02-17 01:39 . 2012-02-17 01:39   --------   d-----w-   c:\users\Tom\AppData\Roaming\SUPERAntiSpyware.com
      2012-02-17 01:39 . 2012-02-17 01:40   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2012-02-17 01:39 . 2012-02-17 01:39   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
      2012-02-17 01:26 . 2012-02-17 01:26   --------   d-----w-   c:\programdata\PC Tools
      2012-02-09 10:26 . 2012-02-09 10:26   --------   d-----w-   c:\users\Tom\AppData\Local\ESET
      2012-02-09 03:13 . 2012-02-09 03:13   --------   d-----w-   c:\users\Tom\AppData\Roaming\Malwarebytes
      2012-02-09 03:13 . 2012-02-09 03:13   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
      2012-02-09 03:13 . 2012-02-09 03:13   --------   d-----w-   c:\programdata\Malwarebytes
      2012-02-09 03:13 . 2011-12-10 20:24   23152   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2012-02-08 12:54 . 2012-02-08 14:18   --------   d-----w-   c:\programdata\Lavasoft
      2012-02-08 11:04 . 2012-02-09 02:49   --------   d-sh--w-   c:\users\Tom\AppData\Roaming\AV Security Essentials
      2012-02-08 11:04 . 2012-02-08 11:04   --------   d-sh--w-   c:\programdata\AVUIIMHFCSE
      2012-02-08 11:03 . 2012-02-09 10:33   --------   d-sh--w-   c:\programdata\c9693f
      .
      .
      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2011-12-11 17:10 . 2011-12-11 17:10   414368   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
      .
      .
      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-01-20 5487488]
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
      "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
      "Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2009-04-09 1762032]
      "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
      "VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-12-09 237693]
      "PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2010-01-07 140520]
      "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-03-18 421888]
      "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-06-15 141624]
      "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
      "RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-02-18 79192]
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
      "c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-13 559616]
      .
      c:\users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
      Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]
      .
      c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
      Dell Remote Access.lnk - c:\windows\Installer\{F66A31D9-7831-4FBA-BA02-C411C0047CC5}\NewShortcut4_F66A31D978314FBABA02C411C0047CC5.exe [2010-3-28 53248]
      .
      c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
      Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-6 1312096]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "ConsentPromptBehaviorAdmin"= 5 (0x5)
      "ConsentPromptBehaviorUser"= 3 (0x3)
      "EnableUIADesktopToggle"= 0 (0x0)
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
      @=""
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
      @="Driver"
      .
      R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-07-13 79360]
      R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-07-13 79360]
      R3 Sound Blaster X-Fi MB Licensing Service;Sound Blaster X-Fi MB Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\XMBLicensing.exe [2009-07-13 79360]
      R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys

      S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys

      S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys

      S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
      S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
      S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
      S2 {1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7};Power Control [2010/06/19 19:24];c:\program files (x86)\CyberLink\PowerDVD DX\000.fcl [2010-01-07 21:11 146928]
      S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\AESTSr64.exe [2009-03-02 89600]
      S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
      S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [2009-05-14 731840]
      S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys

      S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\SftService.exe [2009-07-16 648432]
      S3 netw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys

      S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys

      .
      .
      --- Other Services/Drivers In Memory ---
      .
      *NewlyCreated* - WS2IFSL
      .
      .
      --------- x86-64 -----------
      .
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-03-10 309760]
      "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2692520]
      "IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
      "RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2009-07-14 45568]
      "SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]
      "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-13 165912]
      "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-13 387608]
      "Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-13 365592]
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
      "LoadAppInit_DLLs"=0x0
      .
      ------- Supplementary Scan -------
      .
      uLocal Page = c:\windows\system32\blank.htm
      uStart Page = hxxp://www.yahoo.com/
      mLocal Page = c:\windows\SysWOW64\blank.htm
      uInternet Settings,ProxyOverride = *.local
      TCP: DhcpNameServer = 192.168.2.1
      FF - ProfilePath - c:\users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\13kytm97.default\
      FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
      FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
      FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
      .
      - - - - ORPHANS REMOVED - - - -
      .
      Wow6432Node-HKLM-Run-DellSupportCenter - c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe
      .
      .
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{1E444BE9-B8EC-4ce6-8C2B-6536FB7F4FB7}]
      "ImagePath"="\??\c:\program files (x86)\CyberLink\PowerDVD DX\000.fcl"
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
      @Denied: (A 2) (Everyone)
      @="FlashBroker"
      "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
      "Enabled"=dword:00000001
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
      @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
      @Denied: (A 2) (Everyone)
      @="Shockwave Flash Object"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
      @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
      "ThreadingModel"="Apartment"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
      @="0"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
      @="ShockwaveFlash.ShockwaveFlash.10"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
      @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
      @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
      @="1.0"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
      @="ShockwaveFlash.ShockwaveFlash"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
      @Denied: (A 2) (Everyone)
      @="Macromedia Flash Factory Object"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
      @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
      "ThreadingModel"="Apartment"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
      @="FlashFactory.FlashFactory.1"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
      @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
      @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
      @="1.0"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
      @="FlashFactory.FlashFactory"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
      @Denied: (A 2) (Everyone)
      @="IFlashBroker4"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
      @="{00020424-0000-0000-C000-000000000046}"
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
      @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
      "Version"="1.0"
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
      @Denied: (A) (Users)
      @Denied: (A) (Everyone)
      @Allowed: (B 1 2 3 4 5) (S-1-5-20)
      "BlindDial"=dword:00000000
      .
      [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
      @Denied: (Full) (Everyone)
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
      c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
      c:\program files (x86)\Bonjour\mDNSResponder.exe
      c:\program files (x86)\Common Files\Dell\Advanced Networking Service\hnm_svc.exe
      c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
      c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
      c:\program files (x86)\Dell Remote Access\ezi_ra.exe
      .
      **************************************************************************
      .
      Completion time: 2012-02-20  13:12:06 - machine was rebooted
      ComboFix-quarantined-files.txt  2012-02-20 18:11
      .
      Pre-Run: 211,372,298,240 bytes free
      Post-Run: 211,238,531,072 bytes free
      .
      - - End Of File - - FF3846DF65F84E114790DF293BA4D67F



      ========== OTL ==========
      ========== COMMANDS ==========
      C:\Windows\System32\drivers\etc\Hosts moved successfully.
      HOSTS file reset successfully
       
      OTL by OldTimer - Version 3.2.33.1 log created on 02202012_123958

      SuperDave

      • Malware Removal Specialist


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Search redirect spyware
      « Reply #3 on: February 20, 2012, 12:50:57 PM »
      Please download Rooter and Save it to your desktop.
      • Double click it to start the tool. Vista and Windows 7: run as administrator.
      • Click Scan.
      • Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

      tomicavols

        Topic Starter


        Starter

        • Experience: Beginner
        • OS: Unknown
        Re: Search redirect spyware
        « Reply #4 on: February 20, 2012, 06:39:41 PM »
        Rooter.exe (v1.0.2) by Eric_71
        .
        The token does not have the SeDebugPrivilege privilege ! (error:1300)
        Can not acquire SeDebugPrivilege !
        Please run the tool as administrator ..

        .
        Windows 7 Home Edition (6.1.7600)
        [32_bits] - Intel64 Family 6 Model 23 Stepping 10, GenuineIntel
        .
        Error OpenService (wscsvc) : 6
        Error OpenSCManager : 5
        Error OpenService (MpsSvc) : 6
        Windows Defender -> Enabled
        User Account Control (UAC) -> Enabled
        .
        Internet Explorer 8.0.7600.16385
        Mozilla Firefox 3.6.3 (en-US)
        .
        C:\  [Fixed-NTFS] .. ( Total:283 Go - Free:196 Go )
        D:\  [CD_Rom]
        .
        Scan : 20:38.53
        Path : C:\Users\Tom\Desktop\Rooter.exe
        User : Tom ( Administrator -> YES )
        .
        ----------------------\\ Processes
        .
        Locked [System Process] (0)
        Locked System (4)
        Locked smss.exe (308)
        Locked csrss.exe (408)
        Locked wininit.exe (468)
        Locked csrss.exe (480)
        Locked services.exe (528)
        Locked lsass.exe (536)
        Locked lsm.exe (544)
        Locked winlogon.exe (608)
        Locked svchost.exe (700)
        Locked svchost.exe (780)
        Locked svchost.exe (868)
        Locked svchost.exe (908)
        Locked svchost.exe (936)
        Locked stacsv64.exe (972)
        Locked audiodg.exe (400)
        Locked CTAudSvc.exe (396)
        Locked svchost.exe (540)
        Locked DockLogin.exe (1036)
        Locked svchost.exe (1136)
        Locked spoolsv.exe (1280)
        Locked svchost.exe (1368)
        ______ ????????? (1404)
        ______ ????????? (1444)
        ______ ????????? (1560)
        Locked SASCore64.exe (1568)
        Locked AESTSr64.exe (1588)
        Locked AppleMobileDeviceService.exe (1628)
        Locked mDNSResponder.exe (1660)
        Locked ekrn.exe (1700)
        Locked svchost.exe (1764)
        Locked hnm_svc.exe (1788)
        Locked IAANTmon.exe (1852)
        Locked SeaPort.exe (1920)
        Locked SftService.exe (1964)
        ______ ????????? (2764)
        ______ ????????? (2788)
        Locked WmiPrvSE.exe (2796)
        ______ C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe (2828)
        ______ ????????? (2840)
        ______ ????????? (2864)
        ______ ????????? (2892)
        ______ ????????? (2964)
        ______ ????????? (3000)
        ______ ????????? (3008)
        ______ ????????? (3016)
        ______ C:\Program Files (x86)\Dell Remote Access\ezi_ra.exe (2376)
        ______ ????????? (2396)
        ______ C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe (2640)
        Locked ApMsgFwd.exe (2624)
        ______ C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe (2760)
        ______ C:\Program Files (x86)\iTunes\iTunesHelper.exe (3136)
        ______ C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (3148)
        ______ C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe (3180)
        ______ ????????? (3248)
        ______ ????????? (3260)
        ______ ????????? (3280)
        Locked SearchIndexer.exe (3544)
        Locked iPodService.exe (3612)
        ______ C:\Program Files (x86)\internet explorer\iexplore.exe (3368)
        ______ C:\Program Files (x86)\internet explorer\iexplore.exe (3764)
        Locked svchost.exe (3104)
        ______ C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe (584)
        Locked sppsvc.exe (2160)
        Locked wmpnetwk.exe (2736)
        ______ ????????? (4588)
        ______ C:\Program Files (x86)\internet explorer\iexplore.exe (3688)
        ______ C:\Users\Tom\Desktop\Rooter.exe (4068)
        .
        ----------------------\\ Device\Harddisk0\
        .
        \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
        .
        \Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:41094144)
        \Device\Harddisk0\Partition2 (Start_Offset:41943040 | Length:15728640000)
        \Device\Harddisk0\Partition3 --[ MBR ]-- (Start_Offset:15770583040 | Length:304301301760)
        .
        ----------------------\\ Scheduled Tasks
        .
        C:\Windows\Tasks\SA.DAT
        C:\Windows\Tasks\SCHEDLGU.TXT
        .
        ----------------------\\ Registry
        .
        .
        ----------------------\\ Files & Folders
        .
        ----------------------\\ Scan completed at 20:38.59
        .
        C:\Rooter$\Rooter_1.txt - (20/02/2012 | 20:38.59)

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: Search redirect spyware
        « Reply #5 on: February 21, 2012, 11:41:10 AM »
        I'd like to scan your machine with ESET OnlineScan

        •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
        ESET OnlineScan
        •Click the button.
        •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
        • Click on to download the ESET Smart Installer. Save it to your desktop.
        • Double click on the icon on your desktop.
        •Check
        •Click the button.
        •Accept any security warnings from your browser.
        •Check
        •Push the Start button.
        •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
        •When the scan completes, push
        •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
        •Push the button.
        •Push
        A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

        tomicavols

          Topic Starter


          Starter

          • Experience: Beginner
          • OS: Unknown
          Re: Search redirect spyware
          « Reply #6 on: February 21, 2012, 05:22:34 PM »
          C:\Users\Tom\Desktop\Setup_FreeConverter.exe   Win32/Adware.Toolbar.Dealio application   deleted - quarantined
          C:\Users\Tom\Desktop\VLC_Player_Setup.exe   a variant of Win32/SweetIM.A application   cleaned by deleting - quarantined


          -----------------------
          Eset is my antivirus software. However, the ESET 4 on my laptop missed these. Thanks.

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: Search redirect spyware
          « Reply #7 on: February 22, 2012, 12:14:55 PM »
          Quote
          However, the ESET 4 on my laptop missed these. Thanks.
          An on-line scan is much more effective because it's operating outside the box. If there are no other issues, we can do some cleanup.

          To uninstall ComboFix

          • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
          • In the field, type in ComboFix /uninstall


          (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

          • Then, press Enter, or click OK.
          • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
          ****************************************************
          To remove all of the tools we used and the files and folders they created do the following:
          Double click OTL.exe.
          • Click the CleanUp button.
          • Select Yes when the "Begin cleanup Process?" prompt appears.
          • If you are prompted to Reboot during the cleanup, select Yes.
          • The tool will delete itself once it finishes.
          Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
          *****************************************************
          Clean out your temporary internet files and temp files.

          Download TFC by OldTimer to your desktop.

          Double-click TFC.exe to run it.

          Note: If you are running on Vista, right-click on the file and choose Run As Administrator.

          TFC will close all programs when run, so make sure you have saved all your work before you begin.

          * Click the Start button to begin the cleaning process.
          * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
          * Please let TFC run uninterrupted until it is finished.

          Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
          ********************************************************
          Looking over your log, it seems you don't have any evidence of a third party firewall.

          Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

          Remember: only install ONE firewall.

          1) Comodo Personal Firewall (If you choose this one, uncheck "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" during installation, and uncheck any HopSurf and/or Ask.com options)
          2) Online Armor
          3) Agnitum Outpost
          4) PC Tools Firewall Plus

          If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
          ************************************************************
          Use the Secunia Software Inspector to check for out of date software.

          • Click Start Now

          • Check the box next to Enable thorough system inspection.

          • Click Start

          • Allow the scan to finish and scroll down to see if any updates are needed.
          • Update anything listed.
          ----------

          Go to Microsoft Windows Update and get all critical updates.

          ----------

          I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

          SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
          * Using SpywareBlaster to protect your computer from Spyware and Malware
          * If you don't know what ActiveX controls are, see here

          Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

          Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

          Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
          Safe Surfing!
          Windows 8 and Windows 10 dual boot with two SSD's
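The firewall advice above turns on whether outbound connections are blocked at all. As an added example (not from the thread or from any tool it names), this PowerShell snippet reads the built-in Windows Firewall's default outbound policy on Vista/7 and later via netsh advfirewall; the browser path in the commented hardening lines is an assumed example.

```powershell
# Added example: verify whether the built-in Windows Firewall blocks
# outbound traffic, the gap described for the XP firewall above.
# Assumes netsh advfirewall (Vista/7 and later) and an elevated prompt.

# Read the default policy for each profile and flag outbound blocking.
$report = foreach ($profile in 'domain', 'private', 'public') {
    $out    = netsh advfirewall show "${profile}profile"
    $line   = ($out | Select-String 'Firewall Policy').Line
    $policy = ($line -replace '.*Firewall Policy\s+', '').Trim()
    [pscustomobject]@{
        Profile        = $profile
        Policy         = $policy                      # e.g. BlockInbound,AllowOutbound
        BlocksOutbound = ($policy -match 'BlockOutbound')
    }
}
$report | Format-Table -AutoSize

# Optional hardening (read-only script by default; uncomment to apply):
# switch every profile to outbound default-deny, then allow the browser
# explicitly so legitimate traffic still works. Path is an assumed example.
# netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
# netsh advfirewall firewall add rule name="Allow browser outbound" dir=out `
#     action=allow program="C:\Program Files\Internet Explorer\iexplore.exe" enable=yes
```

A profile reporting AllowOutbound lets any process connect out unchallenged, which is the "phone home" condition described above.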