Author Topic: [Inactive] Has OmniTech taken control of my security?  (Read 2934 times)


Offline bertrgo

  • Bronze Member
  • Posts: 74
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #30 on: March 28, 2012, 09:23:57 AM »
Here are the results from combofix. I will now try to copy and paste the results from TDSSkiller in the next reply.

ComboFix 12-03-28.02 - Bertrand 03/28/2012   8:07.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.3874.2662 [GMT -7:00]
Running from: c:\users\Bertrand\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\somototoolbar\vmNTemplatex.dll
c:\programdata\Roaming
c:\users\Bertrand\AppData\Local\TempDIR
c:\users\Bertrand\AppData\Local\TempDIR\BetterInstaller.exe
c:\users\Bertrand\AppData\Roaming\Mozilla\Firefox\Profiles\3q8u8udt.default\searchplugins\bing-zugo.xml
c:\windows\SysWow64\tooldownloadreadme.htm
.
.
(((((((((((((((((((((((((   Files Created from 2012-02-28 to 2012-03-28  )))))))))))))))))))))))))))))))
.
.
2012-03-28 15:12 . 2012-03-28 15:12   --------   d-----w-   c:\users\Default\AppData\Local\temp
2012-03-27 20:52 . 2012-03-14 03:27   8669240   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{C2505D00-167E-40D3-ACF3-4889F8A89A8A}\mpengine.dll
2012-03-25 21:38 . 2010-05-12 10:11   480784   ----a-w-   c:\program files (x86)\Mozilla Firefox\32bit\vsapiins.exe
2012-03-19 02:00 . 2011-03-11 06:23   1657216   ----a-w-   c:\windows\system32\drivers\ntfs.sys
2012-03-19 01:58 . 2011-03-25 03:23   343040   ----a-w-   c:\windows\system32\drivers\usbhub.sys
2012-03-19 01:58 . 2011-03-25 03:23   98816   ----a-w-   c:\windows\system32\drivers\usbccgp.sys
2012-03-19 01:58 . 2011-03-25 03:23   324608   ----a-w-   c:\windows\system32\drivers\usbport.sys
2012-03-19 01:58 . 2011-03-25 03:22   52224   ----a-w-   c:\windows\system32\drivers\usbehci.sys
2012-03-19 01:58 . 2011-03-25 03:22   25600   ----a-w-   c:\windows\system32\drivers\usbohci.sys
2012-03-19 01:58 . 2011-03-25 03:22   30720   ----a-w-   c:\windows\system32\drivers\usbuhci.sys
2012-03-19 01:58 . 2011-03-25 03:22   7936   ----a-w-   c:\windows\system32\drivers\usbd.sys
2012-03-19 01:58 . 2011-04-28 03:58   552448   ----a-w-   c:\windows\system32\drivers\bthport.sys
2012-03-19 01:58 . 2011-04-28 03:58   80384   ----a-w-   c:\windows\system32\drivers\BTHUSB.SYS
2012-03-15 01:31 . 2011-11-19 18:30   5504880   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-03-15 01:31 . 2011-11-19 14:25   3957616   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2012-03-15 01:31 . 2011-11-19 14:25   3902320   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2012-03-15 01:05 . 2012-02-15 06:27   1031680   ----a-w-   c:\windows\system32\rdpcore.dll
2012-03-15 01:05 . 2012-02-15 05:44   826368   ----a-w-   c:\windows\SysWow64\rdpcore.dll
2012-03-15 01:05 . 2012-02-15 04:47   204800   ----a-w-   c:\windows\system32\drivers\rdpwd.sys
2012-03-15 01:05 . 2012-02-15 04:46   23552   ----a-w-   c:\windows\system32\drivers\tdtcp.sys
2012-03-15 01:05 . 2012-01-25 06:27   76288   ----a-w-   c:\windows\system32\rdpwsx.dll
2012-03-15 01:05 . 2012-01-25 06:27   149504   ----a-w-   c:\windows\system32\rdpcorekmts.dll
2012-03-15 01:05 . 2012-01-25 06:20   9216   ----a-w-   c:\windows\system32\rdrmemptylst.exe
2012-03-12 17:31 . 2010-09-14 06:45   367104   ----a-w-   c:\windows\system32\wcncsvc.dll
2012-03-12 17:31 . 2010-09-14 06:07   276992   ----a-w-   c:\windows\SysWow64\wcncsvc.dll
2012-03-12 17:21 . 2009-09-10 06:28   311808   ----a-w-   c:\windows\system32\msv1_0.dll
2012-03-12 17:21 . 2009-09-10 05:52   257024   ----a-w-   c:\windows\SysWow64\msv1_0.dll
2012-03-12 17:15 . 2012-03-11 18:31   --------   d-----w-   c:\windows\Panther
2012-03-12 17:01 . 2012-03-12 12:38   --------   d-----w-   C:\$WINDOWS.~Q
2012-03-12 16:58 . 2012-03-12 17:00   --------   d-----w-   C:\$INPLACE.~TR
2012-03-12 16:55 . 2010-03-04 04:32   243712   ----a-w-   c:\windows\system32\drivers\ks.sys
2012-03-12 12:33 . 2012-03-12 12:33   --------   d-----w-   c:\users\Default\Roaming
2012-03-12 12:33 . 2012-03-12 12:33   --------   d-----w-   c:\users\Default\AppData\Local\Microsoft Help
2012-03-12 12:22 . 2012-03-11 20:36   --------   d-----w-   c:\users\Bertrand
2012-03-12 12:22 . 2012-03-25 21:15   --------   d-----w-   c:\users\Administrator
2012-03-12 12:19 . 2012-03-12 12:19   --------   d-----w-   c:\programdata\SonicFocus
2012-03-12 12:19 . 2012-03-12 12:19   --------   d-----w-   c:\windows\SysWow64\RTCOM
2012-03-12 12:19 . 2012-03-12 12:19   --------   d-----w-   c:\program files\Realtek
2012-03-12 12:19 . 2012-03-12 12:19   --------   d-----w-   c:\program files\Synaptics
2012-03-12 11:39 . 2011-10-01 05:28   886784   ----a-w-   c:\program files\Common Files\System\wab32.dll
2012-03-12 11:38 . 2010-01-19 09:05   424960   ----a-w-   c:\windows\system32\secproc.dll
2012-03-12 11:37 . 2011-03-12 12:03   662528   ----a-w-   c:\windows\system32\XpsPrint.dll
2012-03-12 11:36 . 2011-04-22 20:18   27008   ----a-w-   c:\windows\system32\drivers\Diskdump.sys
2012-03-12 11:35 . 2011-08-17 05:32   613888   ----a-w-   c:\windows\system32\psisdecd.dll
2012-03-12 11:34 . 2011-02-05 12:41   556928   ----a-w-   c:\windows\system32\winresume.efi
2012-03-12 11:33 . 2011-11-05 05:17   2048   ----a-w-   c:\windows\system32\tzres.dll
2012-03-11 23:27 . 2011-10-30 20:24   477   ----a-w-   c:\windows\system32\reset.cmd
2012-03-11 22:21 . 2012-03-11 22:21   --------   d-----w-   c:\program files (x86)\Microsoft Analysis Services
2012-03-11 22:09 . 2012-03-11 22:09   --------   d-----w-   c:\windows\PCHEALTH
2012-03-11 22:06 . 2012-03-11 22:06   --------   d-----r-   C:\MSOCache
2012-03-11 22:01 . 2012-03-11 22:01   --------   d-----w-   c:\program files (x86)\MSBuild
2012-03-11 22:01 . 2012-03-11 22:01   --------   d-----w-   c:\program files\MSBuild
2012-03-11 18:42 . 2009-12-29 08:03   220672   ----a-w-   c:\windows\system32\wintrust.dll
2012-03-11 18:42 . 2009-12-29 06:55   172032   ----a-w-   c:\windows\SysWow64\wintrust.dll
2012-03-11 18:42 . 2010-01-09 07:19   139264   ----a-w-   c:\windows\system32\cabview.dll
2012-03-11 18:42 . 2010-01-09 06:52   132608   ----a-w-   c:\windows\SysWow64\cabview.dll
2012-03-11 18:32 . 2009-11-25 19:47   99176   ----a-w-   c:\windows\SysWow64\PresentationHostProxy.dll
2012-03-11 18:32 . 2009-11-25 19:47   49472   ----a-w-   c:\windows\SysWow64\netfxperf.dll
2012-03-11 18:32 . 2009-11-25 19:47   48960   ----a-w-   c:\windows\system32\netfxperf.dll
2012-03-11 18:32 . 2009-11-25 19:47   297808   ----a-w-   c:\windows\SysWow64\mscoree.dll
2012-03-11 18:32 . 2009-11-25 19:47   295264   ----a-w-   c:\windows\SysWow64\PresentationHost.exe
2012-03-11 18:32 . 2009-11-25 19:47   1130824   ----a-w-   c:\windows\SysWow64\dfshim.dll
2012-03-11 18:32 . 2009-11-25 19:47   109912   ----a-w-   c:\windows\system32\PresentationHostProxy.dll
2012-03-11 18:32 . 2009-11-25 19:47   444752   ----a-w-   c:\windows\system32\mscoree.dll
2012-03-11 18:32 . 2009-11-25 19:47   320352   ----a-w-   c:\windows\system32\PresentationHost.exe
2012-03-11 18:32 . 2009-11-25 19:47   1942856   ----a-w-   c:\windows\system32\dfshim.dll
2012-03-11 00:43 . 2012-03-12 12:25   --------   d-----w-   c:\program files (x86)\Belarc
2012-03-10 20:33 . 2012-03-10 20:33   --------   d-----w-   C:\Temp
2012-02-28 21:57 . 2012-03-12 12:26   --------   d-----w-   c:\programdata\ASUS
2012-02-28 07:27 . 2010-08-03 18:30   196224   ----a-w-   c:\program files\Windows Sidebar\Shared Gadgets\P4GUpdate.Gadget\P4GUpdate.dll
2012-02-28 07:27 . 2012-03-12 12:26   --------   d-----w-   c:\programdata\P4G
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-12 11:16 . 2011-07-31 23:11   45056   ----a-w-   c:\windows\system32\acovcnt.exe
2012-02-23 16:18 . 2011-12-07 19:21   279656   ------w-   c:\windows\system32\MpSigStub.exe
2012-02-23 16:11 . 2012-02-26 22:32   53080   ----a-w-   c:\windows\system32\drivers\aswRdr2.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;c:\windows\system32\DRIVERS\SiSG664.sys
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe
R4 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe
R4 AMPPALR3;Intel® Centrino® Bluetooth 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [2011-03-22 1136128]
R4 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [2011-02-11 907600]
R4 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [2011-02-11 1304912]
R4 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [2011-02-11 997712]
R4 BTHSSecurityMgr;Intel(R) Centrino(R) Wireless Bluetooth(R) 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [2011-02-24 134928]
R4 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-03 135664]
R4 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-02-03 135664]
R4 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2011-02-04 340240]
R4 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-02-01 2656280]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S1 ATKWMIACPIIO;ATKWMIACPI Driver;c:\program files (x86)\ASUS\ATK Package\ATK WMIACPI\atkwmiacpi64.sys [2010-07-26 17024]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys
S2 ASMMAP64;ASMMAP64;c:\program files (x86)\ASUS\ATK Package\ATKGFNEX\ASMMAP64.sys [2009-07-03 15416]
S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys
S3 iBtFltCoex;iBtFltCoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys
S3 NETwNs64;___ Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 50315714
*Deregistered* - 50315714
*Deregistered* - tmtdi
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_B]
@="{6D4133E5-0742-4ADC-8A8C-9303440F7190}"
[HKEY_CLASSES_ROOT\CLSID\{6D4133E5-0742-4ADC-8A8C-9303440F7190}]
2009-11-26 05:49   70656   ----a-w-   c:\program files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AsusWSShellExt_O]
@="{64174815-8D98-4CE6-8646-4C039977D808}"
[HKEY_CLASSES_ROOT\CLSID\{64174815-8D98-4CE6-8646-4C039977D808}]
2009-11-26 05:49   70656   ----a-w-   c:\program files (x86)\ASUS\ASUS WebStorage\SERVICE\AsusWSShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://asus.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Bertrand\AppData\Roaming\Mozilla\Firefox\Profiles\3q8u8udt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/?pc=Z133&ocid=zdhp&install_date=20111207
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=Z133&form=ZGAADF&install_date=20111207&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-28  08:15:23
ComboFix-quarantined-files.txt  2012-03-28 15:15
.
Pre-Run: 558,870,020,096 bytes free
Post-Run: 560,058,155,008 bytes free
.
- - End Of File - - 219B68D784C763F0E8B321A5D677E71F
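The "Reg Loading Points" block of the ComboFix log above lists the UAC policy values under policies\system, and several of them (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) are 0. The Python below is an added example, not code from the thread, from ComboFix or from the forum helper: it parses that REGEDIT4-style block and reports the values that leave UAC disabled or weakened, the kind of triage check a responder would run over a pasted log before reading the rest of it. The function names are this example's own, the sample log is constructed from the lines shown above, and the meaning attached to each value follows Microsoft's UAC policy documentation.

```python
"""Added example (not code from the thread or from ComboFix): parse the
REGEDIT4-style 'Reg Loading Points' block of a ComboFix log and flag UAC
policy values that leave the machine weakened. Function names and the
constructed sample below are this example's own."""
import re
from typing import Dict, List, Union

# Constructed sample, cut from the policy lines the thread's log shows.
SAMPLE_LOG = """\
REGEDIT4
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"LoadAppInit_DLLs"=0x0
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}\\Elevation]
"Enabled"=dword:00000001
"""

# Registry path of the UAC policies, lower-cased to match how headers are stored.
UAC_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\policies\\system"

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)$')
_DEC_RE = re.compile(r"^(\d+)\s*\(0x[0-9A-Fa-f]+\)$")   # ComboFix style: 3 (0x3)
_DWORD_RE = re.compile(r"^dword:([0-9A-Fa-f]{1,8})$")  # .reg style: dword:00000001
_HEX_RE = re.compile(r"^0x([0-9A-Fa-f]+)$")            # bare hex: 0x0

RegValue = Union[int, str]


def parse_reg_value(raw: str) -> RegValue:
    """Turn the three numeric spellings ComboFix uses into int; keep anything else as text."""
    raw = raw.strip()
    if m := _DEC_RE.match(raw):
        return int(m.group(1))
    if m := _DWORD_RE.match(raw):
        return int(m.group(1), 16)
    if m := _HEX_RE.match(raw):
        return int(m.group(1), 16)
    return raw.strip('"')


def parse_reg_sections(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Map each [key] header (lower-cased) to its "name"=value pairs.
    Separator lines ('.'), 'REGEDIT4' and notes match neither pattern and are skipped."""
    sections: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := _SECTION_RE.match(line):
            current = m.group(1).lower()
            sections.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            sections[current][m.group(1)] = parse_reg_value(m.group(2))
    return sections


def check_uac(sections: Dict[str, Dict[str, RegValue]]) -> List[str]:
    """Report UAC policy values that disable or weaken elevation prompting.
    A missing value is left alone: absent means the Windows default applies."""
    policy = sections.get(UAC_KEY, {})
    findings: List[str] = []
    if policy.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC is off; processes started by an administrator run fully elevated")
    if policy.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: administrators are elevated silently, with no prompt")
    if policy.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: elevation prompts are not isolated on the secure desktop")
    return findings


if __name__ == "__main__":
    for finding in check_uac(parse_reg_sections(SAMPLE_LOG)):
        print(finding)
```

Run against the sample it prints three findings; against a log whose policy block carries the Windows 7 defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1) it prints nothing. The parser keeps the other keys too, so the same pass can read LoadAppInit_DLLs or the Flash broker's Elevation\Enabled value from the locked-keys section without a second parser.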

Offline bertrgo

  • Bronze Member
  • Posts: 74
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #31 on: March 28, 2012, 09:28:31 AM »
I ran TDSSKiller scan again, but I was unable to copy the report in order to paste it on this forum.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22677
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #32 on: March 28, 2012, 10:13:00 AM »
Are you getting an error, or is it just not working? Does Avast work now? How about TrendMicro, can you uninstall it normally? Also try running DDS again and see if you get both logs. If you do copy and paste both of them. If not, just let me know you still only got one.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline bertrgo

  • Bronze Member
  • Posts: 74
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #33 on: March 28, 2012, 08:13:46 PM »
No, when I run TDSSkiller I do not get an error message. I get the report, which includes "no errors found," but I cannot copy the highlighted text in order to paste it in the forum.

Trend Micro continues to create duplicate versions of itself rather than uninstalling.

I thought AVAST was loading properly: A window appeared after I ran the download that said, "creating a restore point," and just above that, "Install Progress." However, at about the 50% progress mark the "Install Progress" message suddenly changed to say, "Uninstall Progress."

DDS continues to produce just the single log that I have previously posted on the forum.

The computer does appear to be acting a little differently however. For example, when I log on to firefox a message appears that asks me if I want to make firefox my default.

Anyway, sorry for the lack of progress.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22677
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #34 on: March 28, 2012, 08:29:12 PM »
Not your fault, I just needed to make sure there was some progress after combofix.

Please download Rkill by Grinler and save it to your desktop.
    Link 2
    Link 3
    Link 4

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.



    Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2

    MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
      • Then click Finish.
    MBAM will automatically start and you will be asked to update the program before performing a scan.
    • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
    On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    Back at the main Scanner screen:
    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
    • Exit MBAM when done.
    Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Offline bertrgo

  • Bronze Member
  • Posts: 74
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #35 on: March 28, 2012, 10:23:30 PM »
There were three malware items detected. I was instructed to restart my computer. When I opened up the log report, two items were present. I opened these (as I think this is what I was supposed to do), and copied and pasted them below:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.29.01

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Bertrand :: BERTRAND-PC [administrator]

Protection: Enabled

3/28/2012 8:36:46 PM
mbam-log-2012-03-28 (20-36-46).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 360761
Time elapsed: 32 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Qoobox\Quarantine\C\Users\Bertrand\AppData\Local\TempDIR\BetterInstaller.exe.vir (PUP.BundleInstaller.Somoto) -> Quarantined and deleted successfully.
C:\Users\Bertrand\Downloads\Install-Chess-Free.exe (PUP.BundleInstaller.Somoto) -> Quarantined and deleted successfully.
C:\Users\Bertrand\Downloads\ToolbarBrowser.exe (Adware.Dropper) -> Quarantined and deleted successfully.

(end)

2012/03/28 20:35:33 -0700   BERTRAND-PC   Bertrand   MESSAGE   Executing scheduled update:  Daily
2012/03/28 20:35:33 -0700   BERTRAND-PC   Bertrand   MESSAGE   Starting protection
2012/03/28 20:35:34 -0700   BERTRAND-PC   Bertrand   MESSAGE   Database already up-to-date
2012/03/28 20:35:35 -0700   BERTRAND-PC   Bertrand   MESSAGE   Protection started successfully
2012/03/28 20:35:38 -0700   BERTRAND-PC   Bertrand   MESSAGE   Starting IP protection
2012/03/28 20:35:39 -0700   BERTRAND-PC   Bertrand   MESSAGE   IP Protection started successfully
2012/03/28 21:13:12 -0700   BERTRAND-PC   Bertrand   MESSAGE   Starting protection
2012/03/28 21:13:14 -0700   BERTRAND-PC   Bertrand   MESSAGE   Protection started successfully
2012/03/28 21:13:17 -0700   BERTRAND-PC   Bertrand   MESSAGE   Starting IP protection
2012/03/28 21:13:18 -0700   BERTRAND-PC   Bertrand   MESSAGE   IP Protection started successfully

Thank you for your continued help,

Bert

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22677
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #36 on: March 28, 2012, 10:27:18 PM »
Can you open the trend micro program and take a screenshot of it using the windows snipping tool, and post it up?


Offline bertrgo

  • Bronze Member
  • Posts: 74
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #37 on: March 28, 2012, 11:05:39 PM »
I'm learning how to use the snipping tool, so I'll get back to you Hoov in the morning. Thank you for your help.

Bert

Offline bertrgo

  • Bronze Member
  • Posts: 74
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #38 on: March 29, 2012, 09:39:12 AM »
I'm stuck when it comes to knowing how exactly to access and open TrendMicro. I've been using the link you provided me in reply #3 because going to the search menu (go to start and type in trendmicro) does not get me to my downloads. In any event, I have some attached documents that I hope will provide you with something that enables us to move forward.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22677
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #39 on: March 29, 2012, 09:46:08 AM »
That is the uninstall procedure. When the TrendMicro Diagnostic Toolkit opens, do you go to the uninstall tab and run the uninstall procedures?

Please download RunScanner
    • Save it to a folder you create such as C:\Runscanner (this assumes Windows is installed on your C: drive).
    • Launch Runscanner by double-clicking runscanner.exe within the C:\Runscanner folder.
    • Vista users must also click Continue to open Runscanner when prompted by User Account Control (UAC)
    • Check Beginner Mode
    • Click Scan computer
    • You will see a "Runscanner scan in progress" window displayed while Runscanner scans your system
    • At the conclusion of the scan, save the run file called runscanner.run to your documents folder or directly to the Runscanner folder. This is the file you will need to upload.
    • A runscanner.log file will automatically open in Notepad. Just close the Notepad window because it is ONLY the runscanner.run file that we are interested in.
    • Next, zip up the runscanner.run file that you just saved.
    • I want you to upload the zipped runscanner.run file as an attachment in your next reply
    • To do that choose "Additional Options" under "Post Reply"
    • Browse to the zipped RUN file location and then click the "Post" button to attach the file.
    • I will review the run file, and then upload it back to you with items marked for deletion.
    • Please await my directions and the returned RUN file, and do not delete anything in the interim


Offline bertrgo

  • Bronze Member
  • Posts: 74
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #40 on: March 29, 2012, 10:40:38 AM »
I hope this is done as you asked? I only knew to save runscanner to desktop in order to attach it to this message, but my thinking is that the file is actually still stored in c drive.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22677
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #41 on: March 29, 2012, 11:33:47 AM »
I need the runscanner.run file not the runscanner.log file. Saving it to the desktop so you can attach it is fine. You can delete it later.


Offline bertrgo

  • Bronze Member
  • Posts: 74
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #42 on: March 29, 2012, 12:21:35 PM »
Okay, I hope this works.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22677
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #43 on: March 29, 2012, 12:33:17 PM »
Nope. You sent me the link to runscanner. When you run runscanner, try saving the .run file to the desktop. It usually makes it easier.


Offline bertrgo

  • Bronze Member
  • Posts: 74
Re: [In Progress] Has OmniTech taken control of my security?
« Reply #44 on: March 29, 2012, 03:11:49 PM »
I'm fumbling as I go. When the scan completed, I clicked on save run file, and then saved that file to my documents. I then uploaded that respective file to this post. I hope that this is correct.