Author Topic: [Resolved]Redirecting to happili.com website  (Read 1732 times)


Offline mms

  • Bronze Member
  • Posts: 17
Re: [In Progress-b]Redirecting to happili.com website
« Reply #15 on: April 21, 2012, 07:31:30 PM »
And the ESET Log...

ESETSmartInstaller@High as downloader log:
Can not open internet
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=79578d82de8a354d88a443a87aace7e6
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-04-22 01:09:56
# local_time=2012-04-21 09:09:56 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=5121 16777213 100 75 7615066 35429972 0 0
# compatibility_mode=5892 16776574 100 100 49172988 171648834 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=244479
# found=1
# cleaned=1
# scan_time=6868
C:\Qoobox\Quarantine\C\Users\Megan\AppData\Local\Temp\nevdt.dll.vir   a variant of Win32/Medfos.F trojan (cleaned by deleting - quarantined)   00000000000000000000000000000000   C



********************************

Computer is working as normal. I tried 25 or so Google searches, clicking the first result, and didn't see a redirect at all. But I will have a better idea of how things are going after a longer test period. Thanks, as always!

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2207
Re: [In Progress-b]Redirecting to happili.com website
« Reply #16 on: April 21, 2012, 08:59:08 PM »
Hi Megan

Still need your ESET log.
OTL was unable to delete a bad file.  So I need you to do this:

1.  Click on The Avenger and download it to your desktop.  Double click on the file and click Run/OK.  Now copy the code in the code box below and paste it into the input screen on Avenger.

Code:

Files to delete:
C:\ProgramData\TEMP:5D432CE3

Folders to Delete:
C:\ProgramData\TEMP:5D432CE3

2.  Back on the Avenger window, make sure Automatically disable any rootkits found is NOT checked.  Click Execute.  Your computer may reboot once or twice.  When the program is finished it will open a log on your desktop.  Name it AvengerLog.txt and save it to your desktop.

Reboot your PC

Now I need you to run TDSSKiller again, but let's get a fresh copy.

Please read carefully and follow these steps:

3.  Download TDSSKiller and save it to your Desktop.   

4.  Doubleclick on TDSSKiller.exe to run the application. Now click Start Scan.

5.  Click on Change parameters and place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

6.  If an infected file is detected, the default action will be Cure, click on Continue.  If a suspicious file is detected, the default action will be Skip, click on Continue.

Click on Reboot Now if you are asked to reboot the computer.

7.  If reboot is NOT required, click on Report.  Please copy that file.  If a reboot IS required, the report can also be found in your root directory (usually the C:\ folder).  Its file name will take the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy that file.

As always please check to be sure Word Wrap is NOT turned on in any Notepad files you post and please be sure to check that all the data you entered was posted.  If not, use multiple posts.

Now please post the following to me as a reply to this post:
EsetLog.txt
AvengerLog.txt
TDSSKiller log
Let me know how your computer and browser are operating
If you have any questions or problems, let me know that as well

Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline mms

  • Bronze Member
  • Posts: 17
Re: [In Progress-b]Redirecting to happili.com website
« Reply #17 on: April 21, 2012, 09:05:23 PM »
Hi Bear,

The ESET log was in the post just prior to yours... dated 8:31 PM today.  Or did I somehow capture the incorrect log?

Will get onto these next steps...

Thanks,
Megan

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2207
Re: [In Progress-b]Redirecting to happili.com website
« Reply #18 on: April 21, 2012, 09:34:29 PM »
Hi Megan

We crossed posts. I was posting at the same time you were. All good. I think once we delete that file we might be almost done.

Offline mms

  • Bronze Member
  • Posts: 17
Re: [In Progress-b]Redirecting to happili.com website
« Reply #19 on: April 21, 2012, 10:29:10 PM »
Hi Bear,

I've tried running Avenger with the code snippet you specified, but after the reboot, Avenger never restarts, so I'm not getting the log. I've stopped here to wait for your guidance. AV & Firewall were not disabled the first time I ran it, so it automatically removed something right after I hit Execute. After the reboot, I waited 20 minutes or so to see if it continued, and it didn't show up. I tried running it one more time, disabling AV & Firewall this time, so I did not get the notice that it automatically removed something, so I assumed we would be in business. Once again, I waited 20 or so minutes, and nothing. So I will wait for your guidance from here.

Thanks!
Megan

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2207
Re: [In Progress-b]Redirecting to happili.com website
« Reply #20 on: April 24, 2012, 01:28:14 AM »
Hi Megan
Sorry to be so long in getting back to you, but for some reason the site did not notify me of your response. Please run OTL again just like you did in post #7 and post the OTL.txt log. Let's see if that ADS is gone.
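Bear's post asks whether the alternate data stream named in the Avenger script (C:\ProgramData\TEMP:5D432CE3) is gone. The following PowerShell is an added example, not code from the thread, from Avenger or from OTL, showing how a defender can list named NTFS streams on a folder's entries and confirm a specific one no longer exists. It assumes a Windows machine where `cmd.exe`'s `dir /r` is available (Vista and later), and it relies on `dir /r` rather than `Get-Item -Stream` because `dir /r` also reports streams attached to directories, which is the case here (TEMP is a folder). The sample `dir /r` text inside the script is constructed to show what the parser extracts; it was not captured from the machine in this thread.

```powershell
# Added example (not from the thread, Avenger or OTL): confirm whether a named
# NTFS alternate data stream such as C:\ProgramData\TEMP:5D432CE3 still exists.
# 'dir /r' (Vista and later) lists named streams on files AND folders, which
# Get-Item -Stream does not do on older PowerShell versions, so it is used here.

function ConvertFrom-DirStreamOutput {
    # Parses the text 'dir /r' prints. Every named stream appears on its own line
    # beneath its file or folder in the form '<size> <name>:<stream>:$DATA'.
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [Parameter(Mandatory)] [string]   $Folder
    )
    foreach ($line in $Lines) {
        if ($line -match '^\s+(?<size>[\d,]+)\s+(?<name>.+?):(?<stream>[^:]+):\$DATA\s*$') {
            [pscustomobject]@{
                Path   = Join-Path $Folder $Matches['name']
                Stream = $Matches['stream']
                Bytes  = [int64]($Matches['size'] -replace ',', '')
            }
        }
    }
}

function Get-AlternateDataStreams {
    # Runs 'dir /r /a' on one folder (not recursive) and returns its named streams.
    param([Parameter(Mandatory)] [string] $Folder)
    $output = & cmd.exe /c dir /r /a $Folder
    ConvertFrom-DirStreamOutput -Lines $output -Folder $Folder
}

function Test-StreamRemoved {
    # Returns $true when no stream with that name remains on the file or folder.
    param(
        [Parameter(Mandatory)] [string] $ItemPath,
        [Parameter(Mandatory)] [string] $StreamName
    )
    $parent = Split-Path -Parent $ItemPath
    $leaf   = Split-Path -Leaf   $ItemPath
    $hits = Get-AlternateDataStreams -Folder $parent |
        Where-Object { $_.Stream -eq $StreamName -and (Split-Path -Leaf $_.Path) -eq $leaf }
    return (-not $hits)
}

# Constructed sample of 'dir /r' output (not captured from the machine in this
# thread): the folder line itself carries no stream, the line under it does.
$sample = @(
    ' Directory of C:\ProgramData',
    '',
    '04/21/2012  04:20 PM    <DIR>          TEMP',
    '                                61,440 TEMP:5D432CE3:$DATA',
    '04/21/2012  04:20 PM                12 notes.txt',
    '                                    26 notes.txt:Zone.Identifier:$DATA'
)
ConvertFrom-DirStreamOutput -Lines $sample -Folder 'C:\ProgramData' | Format-Table -AutoSize

# Live check of the stream the Avenger script was meant to delete.
if (Test-StreamRemoved -ItemPath 'C:\ProgramData\TEMP' -StreamName '5D432CE3') {
    'C:\ProgramData\TEMP:5D432CE3 is gone'
} else {
    'C:\ProgramData\TEMP:5D432CE3 is still present'
}
```

Run it from an elevated PowerShell prompt so `dir /r /a` can read every entry under C:\ProgramData. A stream like `Zone.Identifier` on a downloaded file is normal and is listed only so the parser's output is visible; a stream with an arbitrary hex name hanging off a system folder, as in this thread, is the kind of entry worth keeping an eye on.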

Offline mms

  • Bronze Member
  • Posts: 17
Re: [In Progress-b]Redirecting to happili.com website
« Reply #21 on: April 24, 2012, 09:40:07 AM »
Hi Bear, thanks for getting back to me. I'm heading out of town tonight for a few days, so I will run this next step as soon as I'm back on Saturday. Again, I appreciate the continued assistance!

Megan

Offline mms

  • Bronze Member
  • Posts: 17
Re: [In Progress-b]Redirecting to happili.com website
« Reply #22 on: April 28, 2012, 09:16:02 PM »
Hi Bear,

I am back now and was able to go back and run OTL per the Post 7 instructions.  I downloaded a copy of OTL from the links again tonight, and I ran it, and only got the OTL.txt log... not the Extras.txt.  I did go back and triple-check the settings, and then ran it again, and same result... just the one log.   So here it is...

OTL logfile created on: 4/28/2012 11:07:09 PM - Run 3
OTL by OldTimer - Version 3.2.42.1     Folder = C:\Users\Megan\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6001.18000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.96 Gb Total Physical Memory | 2.11 Gb Available Physical Memory | 53.36% Memory free
8.11 Gb Paging File | 5.81 Gb Available in Paging File | 71.66% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 283.40 Gb Total Space | 165.88 Gb Free Space | 58.53% Space Free | Partition Type: NTFS
Drive D: | 14.65 Gb Total Space | 8.06 Gb Free Space | 55.01% Space Free | Partition Type: NTFS
 
Computer Name: MEGAN-NEWLAPTOP | User Name: Megan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2012/04/28 22:49:19 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Megan\Desktop\google.exe
PRC - [2011/10/13 18:21:52 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
PRC - [2009/05/19 17:11:52 | 000,136,544 | ---- | M] (CANON INC.) -- C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
PRC - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/12/16 21:14:42 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/12/16 21:14:42 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
PRC - [2008/11/11 12:07:00 | 000,442,536 | ---- | M] (Creative Technology Ltd.) -- C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe
PRC - [2008/07/29 15:28:22 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2011/09/13 00:51:22 | 005,451,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\688252afb3650c606032279d27ffe6a5\System.Xml.ni.dll
MOD - [2011/09/13 00:49:48 | 007,950,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\a9288099fbc6849c6c7523745b4f64f4\System.ni.dll
MOD - [2011/09/13 00:49:35 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a189480a53deaaf80a820de30553259b\mscorlib.ni.dll
MOD - [2009/10/23 18:01:58 | 000,067,872 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV:64bit: - [2011/10/18 15:32:28 | 000,161,168 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV:64bit: - [2011/10/18 15:23:24 | 000,208,536 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV:64bit: - [2011/10/18 15:23:06 | 000,199,272 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV:64bit: - [2011/06/23 16:23:52 | 000,501,768 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV:64bit: - [2011/01/27 19:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV:64bit: - [2011/01/27 19:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV:64bit: - [2011/01/27 19:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV:64bit: - [2011/01/27 19:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV:64bit: - [2011/01/27 19:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV:64bit: - [2011/01/27 19:28:20 | 000,249,936 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV:64bit: - [2009/03/20 04:26:10 | 000,268,288 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_15f4e438\STacSV64.exe -- (STacSV)
SRV:64bit: - [2009/03/20 04:25:42 | 000,089,600 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\DriverStore\FileRepository\stwrt64.inf_15f4e438\AESTSr64.exe -- (AESTFilters)
SRV:64bit: - [2008/12/18 14:05:28 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV:64bit: - [2008/01/20 22:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/10/21 16:23:42 | 000,196,176 | ---- | M] (Microsoft Corporation.) [Auto | Stopped] -- C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/10/13 18:21:52 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE -- (BBUpdate)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2008/12/16 21:14:42 | 000,206,064 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files (x86)\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
SRV - [2008/07/27 14:03:13 | 000,069,632 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2011/10/15 14:16:16 | 000,647,080 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\mfehidk.sys -- (mfehidk)
DRV:64bit: - [2011/10/15 14:16:16 | 000,481,768 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfefirek.sys -- (mfefirek)
DRV:64bit: - [2011/10/15 14:16:16 | 000,284,648 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mfewfpk.sys -- (mfewfpk)
DRV:64bit: - [2011/10/15 14:16:16 | 000,229,528 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeavfk.sys -- (mfeavfk)
DRV:64bit: - [2011/10/15 14:16:16 | 000,160,280 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mfeapfk.sys -- (mfeapfk)
DRV:64bit: - [2011/10/15 14:16:16 | 000,100,912 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdet.sys -- (mferkdet)
DRV:64bit: - [2011/10/15 14:16:16 | 000,075,808 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\mfenlfk.sys -- (mfenlfk)
DRV:64bit: - [2011/10/15 14:16:16 | 000,065,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\cfwids.sys -- (cfwids)
DRV:64bit: - [2011/02/18 16:36:58 | 000,051,712 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2010/08/25 20:36:04 | 010,611,552 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)
DRV:64bit: - [2010/07/30 01:36:18 | 000,031,232 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\tap0901.sys -- (tap0901)
DRV:64bit: - [2009/09/16 10:22:40 | 000,049,480 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mfesmfk.sys -- (mfesmfk)
DRV:64bit: - [2009/09/16 10:15:38 | 000,040,904 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mferkdk.sys -- (mferkdk)
DRV:64bit: - [2009/05/18 15:17:08 | 000,034,152 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2009/03/20 04:26:24 | 000,477,696 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\stwrt64.sys -- (STHDA)
DRV:64bit: - [2009/02/10 05:40:28 | 000,158,592 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\OA008Ufd.sys -- (OA008Ufd)
DRV:64bit: - [2009/02/10 05:40:26 | 000,310,784 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\OA008Vid.sys -- (OA008Vid)
DRV:64bit: - [2008/12/22 05:26:28 | 004,735,488 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\NETw5v64.sys -- (NETw5v64) Intel(R)
DRV:64bit: - [2008/12/19 22:24:48 | 000,041,032 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mfebopk.sys -- (mfebopk)
DRV:64bit: - [2008/11/26 03:08:48 | 000,126,464 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R)
DRV:64bit: - [2008/11/26 02:56:58 | 000,261,680 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\SynTP.sys -- (SynTP)
DRV:64bit: - [2008/10/28 11:48:20 | 000,160,704 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\CtClsFlt.sys -- (CtClsFlt)
DRV:64bit: - [2008/10/08 05:49:52 | 000,252,928 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\k57nd60a.sys -- (k57nd60a) Broadcom NetLink (TM)
DRV:64bit: - [2008/09/16 05:11:04 | 000,057,856 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\rixdpx64.sys -- (rismxdp)
DRV:64bit: - [2008/09/16 05:11:00 | 000,062,976 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\rimmpx64.sys -- (rimmptsk)
DRV:64bit: - [2008/09/16 05:10:58 | 000,055,296 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\rimspx64.sys -- (rimsptsk)
DRV:64bit: - [2008/01/20 22:51:07 | 000,016,384 | ---- | M] () [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2008/01/20 22:47:28 | 000,046,080 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2008/01/20 22:46:55 | 000,317,952 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\e1e6032e.sys -- (e1express) Intel(R)
DRV:64bit: - [2008/01/20 22:46:55 | 000,111,104 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\sdbus.sys -- (sdbus)
DRV:64bit: - [2007/11/14 04:00:00 | 000,053,488 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2006/11/02 03:48:50 | 002,488,320 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\atikmdag.sys -- (R300)
DRV - [2012/04/22 00:11:33 | 000,061,440 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\SysWOW64\drivers\ayjdszw.sys -- (hvph)
DRV - [2012/04/22 00:01:57 | 000,061,440 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\SysWOW64\drivers\qvvvjqs.sys -- (uhjuub)
DRV - [2012/04/22 00:00:38 | 000,061,440 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\SysWOW64\drivers\dexa.sys -- (gkccpw)
DRV - [2012/04/21 23:46:19 | 000,061,440 | ---- | M] () [Kernel | Boot | Stopped] -- C:\Windows\SysWOW64\drivers\atxujr.sys -- (jydhqxqb)
DRV - [2008/11/04 19:16:40 | 000,028,152 | ---- | M] (PC-Doctor, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Dell Support Center\HWDiag\bin\pcd5srvc_x64.pkms -- (PCD5SRVC{048DBD20-445E8C82-05040104})
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE:64bit: - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/?ref=hp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sear
IE - HKCU\..\SearchScopes\{77F29AFA-D56A-4AB0-9104-053E5757F9CE}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/?ref=hp"
FF - prefs.js..network.proxy.no_proxies_on: "*.local"
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found
 
FF:64bit: - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files (x86)\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files (x86)\Canon\ZoomBrowser EX\Program\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~2\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files (x86)\Common Files\McAfee\SystemCore [2012/01/12 23:41:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/09/13 00:44:23 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{3C6E9D9F-7C58-11E1-826D-B8AC6F996F26}: C:\Users\Megan\AppData\Local\{3C6E9D9F-7C58-11E1-826D-B8AC6F996F26}\
 
[2011/06/10 01:41:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Megan\AppData\Roaming\Mozilla\Extensions
[2011/06/10 01:40:53 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/01/12 23:41:56 | 000,000,000 | ---D | M] (McAfee ScriptScan for Firefox) -- C:\PROGRAM FILES (X86)\COMMON FILES\MCAFEE\SYSTEMCORE
[2009/07/01 03:01:04 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/09/13 00:44:23 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll
[2011/04/14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files (x86)\mozilla firefox\components\Scriptff.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
 
O1 HOSTS File: ([2012/04/21 16:20:29 | 000,000,098 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: ::1       localhost
O2:64bit: - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL File not found
O2:64bit: - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111223000745.dll (McAfee, Inc.)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20111223000745.dll (McAfee, Inc.)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4:64bit: - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4:64bit: - HKLM..\Run: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4:64bit: - HKLM..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe ()
O4:64bit: - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\SysNative\spool\DRIVERS\x64\3\EKIJ5000MUI.exe ()
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe ()
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe ()
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe ()
O4:64bit: - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe (IDT, Inc.)
O4 - HKLM..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe ()
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\Windows\system32\spool\DRIVERS\x64\3\EKIJ5000MUI.exe File not found
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - Startup: C:\Users\Megan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoZone iSync.lnk = C:\Program Files (x86)\GoZone\GoZone_iSync.exe (Virgin HealthMiles Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://www.mpix.com/customer/uploading/activex/ImageUploader5.cab (Image Uploader Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{053E6FE2-0CC2-4332-9BA7-6857F487B63E}: DhcpNameServer = 209.18.47.61 209.18.47.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{730E8AFC-9AC1-4558-814B-D09FA2CB4F04}: DhcpNameServer = 10.61.32.1 1.1.1.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\skype-ie-addon-data - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl64.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll ()
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img1.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img1.jpg
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O35 - HKCU\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
 
Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm ()
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
MsConfig:64bit - State: "services" - Reg Error: Key error.
 
========== Files/Folders - Created Within 30 Days ==========
 
[2012/04/28 22:48:56 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\Megan\Desktop\google.exe
[2012/04/22 00:17:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2012/04/21 23:13:17 | 002,072,624 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Megan\Desktop\tdsskiller.exe
[2012/04/21 19:06:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2012/04/21 16:20:27 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/04/21 16:12:17 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/04/21 15:59:20 | 002,322,184 | ---- | C] (ESET) -- C:\Users\Megan\Desktop\esetsmartinstaller_enu.exe
[2012/04/21 02:47:52 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/04/19 22:15:22 | 000,000,000 | ---D | C] -- C:\Users\Megan\AppData\Local\temp
[2012/04/19 21:49:37 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/04/19 21:49:37 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/04/19 21:49:37 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/04/19 21:49:33 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/04/19 21:49:29 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/04/19 21:38:43 | 004,468,852 | R--- | C] (Swearware) -- C:\Users\Megan\Desktop\ComboFix.exe
[2012/04/18 00:36:54 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Megan\Desktop\dds.com
[2012/04/18 00:20:19 | 000,000,000 | ---D | C] -- C:\Users\Megan\Desktop\tdsskiller
[2012/04/01 17:14:34 | 000,000,000 | ---D | C] -- C:\Users\Megan\Documents\NewCar2012
 
========== Files - Modified Within 30 Days ==========
 
[2012/04/28 22:49:19 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\Megan\Desktop\google.exe
[2012/04/24 00:12:43 | 000,003,616 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/24 00:12:43 | 000,003,616 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/22 00:19:57 | 000,709,582 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/04/22 00:19:57 | 000,608,644 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/04/22 00:19:57 | 000,106,114 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/04/22 00:12:29 | 4251,828,224 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/22 00:11:33 | 000,061,440 | ---- | M] () -- C:\Windows\SysWow64\drivers\ayjdszw.sys
[2012/04/22 00:01:57 | 000,061,440 | ---- | M] () -- C:\Windows\SysWow64\drivers\qvvvjqs.sys
[2012/04/22 00:00:38 | 000,061,440 | ---- | M] () -- C:\Windows\SysWow64\drivers\dexa.sys
[2012/04/21 23:46:19 | 000,061,440 | ---- | M] () -- C:\Windows\SysWow64\drivers\atxujr.sys
[2012/04/21 23:13:45 | 002,072,624 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Megan\Desktop\tdsskiller.exe
[2012/04/21 23:12:46 | 000,731,136 | ---- | M] () -- C:\Users\Megan\Desktop\avenger.exe
[2012/04/21 16:20:29 | 000,000,098 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/04/21 15:59:26 | 002,322,184 | ---- | M] (ESET) -- C:\Users\Megan\Desktop\esetsmartinstaller_enu.exe
[2012/04/19 21:39:06 | 004,468,852 | R--- | M] (Swearware) -- C:\Users\Megan\Desktop\ComboFix.exe
[2012/04/18 22:37:21 | 000,015,500 | ---- | M] () -- C:\Users\Megan\Documents\bookmarks-2012-04-18.json
[2012/04/18 00:36:31 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Megan\Desktop\dds.com
[2012/04/18 00:19:49 | 002,052,353 | ---- | M] () -- C:\Users\Megan\Desktop\tdsskiller.zip
[2012/04/18 00:03:50 | 000,000,950 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/04 15:56:40 | 000,024,904 | ---- | M] () -- C:\Windows\SysNative\drivers\mbam.sys
[2012/03/31 03:14:10 | 000,000,680 | ---- | M] () -- C:\Users\Megan\AppData\Local\d3d9caps.dat
 
========== Files Created - No Company Name ==========
 
[2012/04/22 00:11:33 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\ayjdszw.sys
[2012/04/22 00:01:57 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\qvvvjqs.sys
[2012/04/22 00:00:38 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\dexa.sys
[2012/04/21 23:46:19 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\atxujr.sys
[2012/04/19 21:49:37 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/04/19 21:49:37 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/04/19 21:49:37 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/04/19 21:49:37 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/04/19 21:49:37 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/04/18 22:37:21 | 000,015,500 | ---- | C] () -- C:\Users\Megan\Documents\bookmarks-2012-04-18.json
[2012/04/18 00:20:05 | 002,052,353 | ---- | C] () -- C:\Users\Megan\Desktop\tdsskiller.zip
[2012/03/30 02:17:52 | 000,000,950 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/05/31 00:38:56 | 000,000,680 | ---- | C] () -- C:\Users\Megan\AppData\Local\d3d9caps.dat
[2010/11/14 23:01:12 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/08/25 20:34:30 | 000,982,240 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2010/08/25 20:34:30 | 000,439,308 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2010/08/25 20:34:30 | 000,092,356 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2010/08/25 19:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
[2010/08/25 19:52:00 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll
 
========== LOP Check ==========
 
[2012/01/13 00:13:10 | 000,000,000 | ---D | M] -- C:\Users\Megan\AppData\Roaming\Amazon
[2010/10/25 22:24:18 | 000,000,000 | ---D | M] -- C:\Users\Megan\AppData\Roaming\Canon
[2009/09/21 23:46:26 | 000,000,000 | ---D | M] -- C:\Users\Megan\AppData\Roaming\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/07/31 00:29:11 | 000,000,000 | ---D | M] -- C:\Users\Megan\AppData\Roaming\com.picaboo.Picaboo.A382D4714709B456C4E0088DFC1F7243AF9EBF75.1
[2010/01/02 00:02:28 | 000,000,000 | ---D | M] -- C:\Users\Megan\AppData\Roaming\com.youneedabudget.YNAB3.Live.9C763150EFAB05FD2A2B78705C7A54E2FCDDE07D.1
[2011/03/26 00:33:18 | 000,000,000 | ---D | M] -- C:\Users\Megan\AppData\Roaming\GARMIN
[2012/04/22 00:11:42 | 000,013,062 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/11/14 23:00:00 | 000,000,216 | ---- | M] () -- C:\Windows\Tasks\{2F5793DB-7591-4573-BBA2-F2E6014A80A8}.job
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
< %systemroot%\*. /rp /s >
 
========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Roaming -> Junction
[C:\Windows\System32\config\systemprofile\Local Settings] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\SysWOW64\config\systemprofile\AppData\Local\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\SysWOW64\config\systemprofile\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Roaming -> Junction
[C:\Windows\SysWOW64\config\systemprofile\Local Settings] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction

< End of report >
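
The four same-sized, unnamed `.sys` files under `SysWow64\drivers` with random names are the kind of entry a log reviewer hunts for in an OTL report. As an added example (not part of the original thread and not OTL's own code), this Python snippet parses OTL-style file entries from a constructed sample modelled on the log above and flags unnamed drivers written during the infection window; the regex, the `since` cutoff and the size-clustering heuristic are my assumptions.

```python
import re
from collections import Counter

# Constructed sample in OTL's file-entry format (modelled on the log above, not a live scan):
# [date time | size | attrs | C/M] (Company) -- path
SAMPLE_LOG = r"""
[2012/04/22 00:11:33 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\ayjdszw.sys
[2012/04/22 00:01:57 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\drivers\qvvvjqs.sys
[2012/04/04 15:56:40 | 000,024,904 | ---- | M] () -- C:\Windows\SysNative\drivers\mbam.sys
[2012/04/21 15:59:20 | 002,322,184 | ---- | C] (ESET) -- C:\Users\Megan\Desktop\esetsmartinstaller_enu.exe
[2010/08/25 19:52:00 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
"""

# Assumed layout of one OTL file entry; directory entries carry no "(Company)" field
# and therefore do not match, which is intended.
ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)


def parse_entries(text):
    """Turn OTL file-entry lines into dicts; the size becomes an int in bytes."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"].replace(",", ""))
            entries.append(d)
    return entries


def suspicious_drivers(entries, since):
    """Paths of .sys files in a \\drivers\\ folder with an empty company name and a
    date on/after `since` (YYYY/MM/DD, so string comparison is chronological).
    Older unnamed drivers such as mbam.sys fall outside the window and are not flagged."""
    hits = []
    for e in entries:
        p = e["path"].lower()
        if p.endswith(".sys") and "\\drivers\\" in p and e["company"] == "" and e["date"] >= since:
            hits.append(e["path"])
    return hits


def size_clusters(entries, since):
    """Count flagged drivers per byte size: several random names sharing one exact
    size is a strong hint that a single dropper re-wrote the same payload."""
    flagged = set(suspicious_drivers(entries, since))
    return Counter(e["size"] for e in entries if e["path"] in flagged)
```

Run against a real OTL report, feed the whole file to `parse_entries` and set `since` to the date the symptoms began.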

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2207
Re: [In Progress-b]Redirecting to happili.com website
« Reply #23 on: April 29, 2012, 01:45:33 PM »
Hi Megan

Looks great! The ADS is gone and we're good to go. So let's clean up your PC and harden it against future infection.


1.  Uninstall ComboFix as follows:  Copy the code in the code box below.

Code:

combofix /uninstall


Now click on start/run and paste the copied code into the input box.
Click OK.  Reboot your PC.

2.  Next disable and enable System Restore:  Go to Start/Control Panel/System and Security.  Then click on System.  Next click on Advanced system settings in the left panel.  Click on the System Protection tab.   Click on Disk C: and then click Configure.  Click on Delete, then Continue and OK.

Now go back to the System Protection tab (as above) and click on Create to make a restore point.

3.  Download CCleaner (remove the checkmark from the Yahoo toolbar unless you want it).  Before first use, select Options / Advanced and uncheck "Only delete files in Windows Temp folder older than 48 hours".  Then select the following:

In the Windows Tab:
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Check all in the Firefox/Mozilla section.
Check all in the Applications section.
Check Sun Java in the Internet section.
Check all in the Multimedia section.
Check any others you choose.

Click the "Run Cleaner" button.  A pop up box will appear advising this process will permanently delete files from your system. Click OK.  Click exit when done.

4.  Download OTC to your desktop and run it.

Click Yes to begin the Cleanup process and Yes to remove these components, including this application.  You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
This will remove all the malware tools we have used.

5.   MOST IMPORTANT : Windows, IE and any other software you have that connects to the net needs to be kept updated.  I recommend running Secunia PSI.  It will monitor the software you have installed and let you know when something needs to be updated.

6.  Go to Start/Windows Update and install all recommended updates.  You may have to do this more than once to get your operating system and Internet Explorer up to date.

7. Now update Java by clicking Here, click on Windows Online then click on Run/Install/Next and finally click Close when the installation is complete.

Click on Start/Programs and launch the Adobe Reader program.  Click on Help and Check for Updates and install all updates available.

8.  Now some tips for prevention of further infections:

Always use an updated anti-virus program. Make sure you update this weekly, if not more often. This is critical.

Keep Malwarebytes' Anti-Malware up to date as well.  Unless you have the paid version (which you can schedule), be sure to run scans several times per week.

Always use your firewall.  Learn how to use your firewall.   Only programs that need it should have access to the net.  But these are specific to the firewall you use, so you will need to learn how.  Check your firewall provider's web site for more information on making your firewall secure. 

9.  Go to WOT download and install this program.  It will help keep you safe on the internet. 

Never run two Antivirus programs or two Firewalls at the same time.

NEVER use P2P or file sharing software.  Many P2P file sharing programs contain bundled spyware.  But all these programs expose you to risks because of the very nature of the P2P file sharing process.  Many very malicious worms and trojans target and spread across P2P file sharing networks.

Before downloading, installing or using any malware detection/removal software check the Rogue/Suspect Spyware List and Rogue Applications List.  That way you will know if the program you are considering is safe.  If you want to know how it rates against other programs check out SpywareWarrior.

We have a good guide on how to prevent malware infections here at SpywareHammer.  You might want to peruse this and follow the recommendations Prevent Infection.

Let us know if you have any more problems, either new or old.  The internet is a wonderful tool for work and fun, but always be safe.

I would appreciate if after a couple of days of using your computer you let me know if everything is running fine so that I can close this post. 

Never interrupt your enemy when he is making a mistake.
- Napoleon Bonaparte

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2207
Re: [Resolved]Redirecting to happili.com website
« Reply #24 on: May 02, 2012, 11:20:44 PM »
I am closing this topic.  If you wish to re-open the topic please send a private message to Bear.

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2207
Re: [Resolved]Redirecting to happili.com website
« Reply #25 on: May 02, 2012, 11:39:34 PM »
Re-opened at the request of the original poster.

Offline mms

  • Bronze Member
  • Posts: 17
Re: [Resolved]Redirecting to happili.com website
« Reply #26 on: May 04, 2012, 10:33:09 PM »
Hi Bear,

I'm all set with the final steps.  Computer is working great, no redirects at all, and seems to be running smoother than it has in a long time.

Thanks so much!
Megan

Offline Bear

  • Malware Removal Mentors
  • Global Moderator
  • Gold Member
  • Posts: 2207
Re: [Resolved]Redirecting to happili.com website
« Reply #27 on: May 05, 2012, 12:31:53 AM »
This time I really am closing this topic.  If you wish to re-open the topic please send a private message to Bear.