[Resolved] Redirect removal

[Hoov]

I would still like to see you run combofix just to make sure.

Also if that is the final part of it, we are still not totally done. There is some cleanup to do.

You do have a product from Apple, Quicktime. You may need to reinstall that.

[billla]

Hoov, I ran COMBOFIX as noted - output below.  My system is now totally hosed - no applications (Office, IE, etc.) will run, giving the error "Illegal operation attempted on a registry key that has been marked for deletion". I'm completely dead in the water, but thankfully had my work machine. This is a fairly major issue for me, and any assistance you can offer with restoring system function would be appreciated. The last system restore point is well before COMBOFIX made it's backup...

ComboFix 12-05-21.05 - Bill 05/21/2012  20:11:31.1.3 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6143.4492 [GMT -7:00]
Running from: c:\users\Bill\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YUXYUTJ0\ComboFix.exe
AV: Trend Micro Titanium Maximum Security *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium Maximum Security *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Bill\AppData\Roaming\mm
c:\users\Bill\AppData\Roaming\mm\cache\.cache
c:\users\Bill\AppData\Roaming\mm\cache\ImageLoader\0D51E9900D2C17AA30F9D5B537BA8FCE
c:\users\Bill\AppData\Roaming\mm\cache\ImageLoader\3C537468670FEF5CDA2E97FDA3E15875
c:\users\Bill\AppData\Roaming\mm\cache\ImageLoader\F722CF962F4FCDC6D9D98B6BDE3E35D8
c:\windows\UNWISE.EXE
J:\Autorun.inf
J:\Setup.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
(((((((((((((((((((((((((   Files Created from 2012-04-22 to 2012-05-22  )))))))))))))))))))))))))))))))
.
.
2012-05-21 14:23 . 2012-05-21 14:23   --------   d-----w-   c:\users\Bill\AppData\Local\Apple
2012-05-18 21:56 . 2012-05-08 17:02   8955792   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{F225AA3C-F189-4003-87D5-024981BDB7AE}\mpengine.dll
2012-05-18 16:17 . 2012-05-22 02:46   --------   d-----w-   c:\program files (x86)\Spybot - Search & Destroy
2012-05-18 16:17 . 2012-05-21 14:29   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
2012-05-18 15:13 . 2012-05-18 15:13   --------   d-----w-   c:\users\Bill\AppData\Roaming\Malwarebytes
2012-05-18 15:13 . 2012-05-18 15:13   --------   d-----w-   c:\programdata\Malwarebytes
2012-05-16 06:01 . 2012-05-16 10:24   21520   ----a-w-   c:\windows\DCEBoot64.exe
2012-05-16 06:01 . 2012-05-16 10:24   129024   ----a-w-   c:\windows\RegBootClean64.exe
2012-05-14 04:01 . 2012-05-14 04:01   --------   d-----w-   C:\SkyDriveTemp
2012-05-14 04:01 . 2012-05-22 03:08   --------   d-----r-   c:\users\Bill\SkyDrive
2012-05-14 04:00 . 2012-05-14 04:00   --------   d-----w-   c:\programdata\Microsoft SkyDrive
2012-05-09 14:22 . 2012-03-03 06:35   1544704   ----a-w-   c:\windows\system32\DWrite.dll
2012-05-09 14:22 . 2012-03-03 05:31   1077248   ----a-w-   c:\windows\SysWow64\DWrite.dll
2012-05-09 14:22 . 2012-03-31 06:05   5559664   ----a-w-   c:\windows\system32\ntoskrnl.exe
2012-05-09 14:22 . 2012-03-31 04:39   3968368   ----a-w-   c:\windows\SysWow64\ntkrnlpa.exe
2012-05-09 14:22 . 2012-03-31 03:10   3146240   ----a-w-   c:\windows\system32\win32k.sys
2012-05-09 14:22 . 2012-03-31 04:39   3913072   ----a-w-   c:\windows\SysWow64\ntoskrnl.exe
2012-05-09 14:22 . 2012-03-17 07:58   75120   ----a-w-   c:\windows\system32\drivers\partmgr.sys
2012-05-09 14:22 . 2012-03-30 11:35   1918320   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2012-05-09 14:22 . 2012-03-31 05:40   1367552   ----a-w-   c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-09 14:22 . 2012-03-31 04:29   936960   ----a-w-   c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 06:52 . 2012-04-11 13:31   419488   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-05 06:52 . 2011-05-17 20:33   70304   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-05 06:52 . 2012-04-11 13:52   8744608   ----a-w-   c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-03-09 01:50 . 2012-03-09 01:50   49016   ----a-w-   c:\windows\SysWow64\sirenacm.dll
2012-03-09 01:37 . 2012-03-09 01:37   302448   ----a-w-   c:\windows\WLXPGSS.SCR
2012-03-02 11:04 . 2012-03-02 11:04   86528   ----a-w-   c:\windows\SysWow64\iesysprep.dll
2012-03-02 11:04 . 2012-03-02 11:04   76800   ----a-w-   c:\windows\SysWow64\SetIEInstalledDate.exe
2012-03-02 11:04 . 2012-03-02 11:04   74752   ----a-w-   c:\windows\SysWow64\RegisterIEPKEYs.exe
2012-03-02 11:04 . 2012-03-02 11:04   48640   ----a-w-   c:\windows\SysWow64\mshtmler.dll
2012-03-02 11:04 . 2012-03-02 11:04   161792   ----a-w-   c:\windows\SysWow64\msls31.dll
2012-03-02 11:04 . 2012-03-02 11:04   110592   ----a-w-   c:\windows\SysWow64\IEAdvpack.dll
2012-03-02 11:04 . 2012-03-02 11:04   74752   ----a-w-   c:\windows\SysWow64\iesetup.dll
2012-03-02 11:04 . 2012-03-02 11:04   63488   ----a-w-   c:\windows\SysWow64\tdc.ocx
2012-03-02 11:04 . 2012-03-02 11:04   420864   ----a-w-   c:\windows\SysWow64\vbscript.dll
2012-03-02 11:04 . 2012-03-02 11:04   367104   ----a-w-   c:\windows\SysWow64\html.iec
2012-03-02 11:04 . 2012-03-02 11:04   23552   ----a-w-   c:\windows\SysWow64\licmgr10.dll
2012-03-02 11:04 . 2012-03-02 11:04   152064   ----a-w-   c:\windows\SysWow64\wextract.exe
2012-03-02 11:04 . 2012-03-02 11:04   150528   ----a-w-   c:\windows\SysWow64\iexpress.exe
2012-03-02 11:04 . 2012-03-02 11:04   35840   ----a-w-   c:\windows\SysWow64\imgutil.dll
2012-03-02 11:04 . 2012-03-02 11:04   142848   ----a-w-   c:\windows\SysWow64\ieUnatt.exe
2012-03-02 11:04 . 2012-03-02 11:04   11776   ----a-w-   c:\windows\SysWow64\mshta.exe
2012-03-02 11:04 . 2012-03-02 11:04   101888   ----a-w-   c:\windows\SysWow64\admparse.dll
2012-03-02 11:04 . 2012-03-02 11:04   89088   ----a-w-   c:\windows\system32\RegisterIEPKEYs.exe
2012-03-02 11:04 . 2012-03-02 11:04   222208   ----a-w-   c:\windows\system32\msls31.dll
2012-03-02 11:04 . 2012-03-02 11:04   173056   ----a-w-   c:\windows\system32\ieUnatt.exe
2012-03-02 11:04 . 2012-03-02 11:04   12288   ----a-w-   c:\windows\system32\mshta.exe
2012-03-02 11:04 . 2012-03-02 11:04   114176   ----a-w-   c:\windows\system32\admparse.dll
2012-03-02 11:04 . 2012-03-02 11:04   49664   ----a-w-   c:\windows\system32\imgutil.dll
2012-03-02 11:04 . 2012-03-02 11:04   91648   ----a-w-   c:\windows\system32\SetIEInstalledDate.exe
2012-03-02 11:04 . 2012-03-02 11:04   85504   ----a-w-   c:\windows\system32\iesetup.dll
2012-03-02 11:04 . 2012-03-02 11:04   76800   ----a-w-   c:\windows\system32\tdc.ocx
2012-03-02 11:04 . 2012-03-02 11:04   48640   ----a-w-   c:\windows\system32\mshtmler.dll
2012-03-02 11:04 . 2012-03-02 11:04   448512   ----a-w-   c:\windows\system32\html.iec
2012-03-02 11:04 . 2012-03-02 11:04   135168   ----a-w-   c:\windows\system32\IEAdvpack.dll
2012-03-02 11:04 . 2012-03-02 11:04   111616   ----a-w-   c:\windows\system32\iesysprep.dll
2012-03-02 11:03 . 2012-03-02 11:03   603648   ----a-w-   c:\windows\system32\vbscript.dll
2012-03-02 11:03 . 2012-03-02 11:03   30720   ----a-w-   c:\windows\system32\licmgr10.dll
2012-03-02 11:03 . 2012-03-02 11:03   165888   ----a-w-   c:\windows\system32\iexpress.exe
2012-03-02 11:03 . 2012-03-02 11:03   160256   ----a-w-   c:\windows\system32\wextract.exe
2012-03-01 06:46 . 2012-04-11 10:03   23408   ----a-w-   c:\windows\system32\drivers\fs_rec.sys
2012-03-01 06:38 . 2012-04-11 10:03   220672   ----a-w-   c:\windows\system32\wintrust.dll
2012-03-01 06:33 . 2012-04-11 10:03   81408   ----a-w-   c:\windows\system32\imagehlp.dll
2012-03-01 06:28 . 2012-04-11 10:03   5120   ----a-w-   c:\windows\system32\wmi.dll
2012-03-01 05:37 . 2012-04-11 10:03   172544   ----a-w-   c:\windows\SysWow64\wintrust.dll
2012-03-01 05:33 . 2012-04-11 10:03   159232   ----a-w-   c:\windows\SysWow64\imagehlp.dll
2012-03-01 05:29 . 2012-04-11 10:03   5120   ----a-w-   c:\windows\SysWow64\wmi.dll
2012-02-28 06:56 . 2012-04-11 10:18   2311168   ----a-w-   c:\windows\system32\jscript9.dll
2012-02-28 06:49 . 2012-04-11 10:18   1390080   ----a-w-   c:\windows\system32\wininet.dll
2012-02-28 06:48 . 2012-04-11 10:18   1493504   ----a-w-   c:\windows\system32\inetcpl.cpl
2012-02-28 06:42 . 2012-04-11 10:18   2382848   ----a-w-   c:\windows\system32\mshtml.tlb
2012-02-28 01:18 . 2012-04-11 10:18   1799168   ----a-w-   c:\windows\SysWow64\jscript9.dll
2012-02-28 01:11 . 2012-04-11 10:18   1427456   ----a-w-   c:\windows\SysWow64\inetcpl.cpl
2012-02-28 01:11 . 2012-04-11 10:18   1127424   ----a-w-   c:\windows\SysWow64\wininet.dll
2012-02-28 01:03 . 2012-04-11 10:18   2382848   ----a-w-   c:\windows\SysWow64\mshtml.tlb
2012-02-25 14:03 . 2012-02-25 14:03   539984   ----a-w-   c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-02-23 17:18 . 2010-07-31 20:25   279656   ------w-   c:\windows\system32\MpSigStub.exe
2010-09-08 12:54 . 2010-09-10 00:54   44   ---h--w-   c:\program files (x86)\9ac60659.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-05-14 04:01   208096   ----a-w-   c:\users\Bill\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-05-14 04:01   208096   ----a-w-   c:\users\Bill\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-05-14 04:01   208096   ----a-w-   c:\users\Bill\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"OfficeSyncProcess"="c:\program files (x86)\Microsoft Office\Office14\MSOSYNC.EXE" [2011-07-22 718720]
"QuickenScheduledUpdates"="c:\program files (x86)\Quicken\bagent.exe" [2012-01-14 74840]
"SkyDrive"="c:\users\Bill\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe" [2012-05-14 296672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell DataSafe Online"="c:\program files (x86)\Dell DataSafe Online\DataSafeOnline.exe" [2010-02-09 1807680]
"Seagate Dashboard"="c:\program files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-06-01 79112]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
.
c:\users\Bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-12-21 227712]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages   REG_MULTI_SZ      kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-12 136176]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-12 136176]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys

R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe

R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys

R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2011-08-05 306400]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe

S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe

S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-08-03 2255464]
S2 SeagateDashboardService;Seagate Dashboard Service;c:\program files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2011-06-01 14088]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2010-08-20 689472]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-08-03 379496]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys

S2 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys

S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys

S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys

S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys

S3 RDPDISPM;RDPDISPM;c:\windows\system32\DRIVERS\rdpdispm.sys

.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17   302592   ----a-w-   c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 06:52]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-12 07:55]
.
2012-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-12 07:55]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2012-05-14 04:01   232672   ----a-w-   c:\users\Bill\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2012-05-14 04:01   232672   ----a-w-   c:\users\Bill\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2012-05-14 04:01   232672   ----a-w-   c:\users\Bill\AppData\Local\Microsoft\SkyDrive\16.4.3347.0416\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-08 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 197152]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1873256]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2011-08-05 163552]
"combofix"="c:\combofix\CF18234.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.cnn.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: cityu.edu
Trusted Zone: cityu.edu\courses
Trusted Zone: mycmsc.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: Web-Based Email Tools - hxxp://email03.secureserver.net/Download.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-Apple - c:\users\Bill\AppData\Local\Apple Computer\Apple\bxzjf.dll
Toolbar-Locked - (no file)
AddRemove-DeskTop DynoSim Engine Simulation v.4.20 - c:\windows\UNWISE.EXE
AddRemove-DragSim Vehicle Simulation v.4.20 Demo - c:\windows\UNWISE.EXE
AddRemove-DynoSim Engine Simulation v.4.20 Advanced - c:\windows\UNWISE.EXE
AddRemove-DynoSim Engine Simulation v.4.20 ProTools - c:\windows\UNWISE.EXE
AddRemove-DynoSim5 Engine Simulation v.5.01.0929 - c:\windows\UNWISE.EXE
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
.
**************************************************************************
.
Completion time: 2012-05-21  20:28:13 - machine was rebooted
ComboFix-quarantined-files.txt  2012-05-22 03:28
.
Pre-Run: 565,714,911,232 bytes free
Post-Run: 565,058,306,048 bytes free
.
- - End Of File - - ADD01C8365485BE5F623F9DC831C3EE6

[Hoov]

Reboot the computer a couple times, that should resolve the problems. I have seen it take up to 3 reboots.

If it does not resolved itself, then do a system restore to the last point before combofix was run. Let me know how it goes.

[billla]

After 2 reboots, it's back. As they say...warn a guy, would you :)  Sincerely, it's good to know in advance if there are any expected behaviours like this. :)

Sorry for the mild panic, Hoov 

[Hoov]

It doesn't usually happen. It is one of those things that happens once in a blue moon.

How is the computer running now? Still running good?

[billla]

Must have been the eclipse :)

Yes; appears good right now - TrendMicro is not reporting any "web threats" blocked today and I've been fairly active doing searches.  Haven't seen a single redirect yet.

[Hoov]

Outstanding.

Now  there are a few thing's you need to do to fully clean your system and keep it secure.

Run OTC
Download OTC to your desktop and run it
Click Yes to beginning the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Cleaning out Temporary Files etc. There are several different products that you can use for this. You can go thru the Internet Options in the windows Control Panel. There are several programs that also do the job better than windows does it, in my opinion. There is System Security Suite, EasyCleaner, Ccleaner. Also sometimes other program sometimes do it as well as what you originally got it for like ZoneAlarm Security Suite. Just make sure to keep them updated and use them regularly.

Disable and Enable System Restore.
I recommend you turn off System restore, and then turn it back on so that you will not be able to restore your problems to a clean computer.
For Vista use these instructions, Windows Vista Restore Guide
For XP use these instructions, Windows XP System Restore Guide
Reboot
Re-enable system restore with instructions from tutorial above
Create a System Restore Point
Go to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.

Make your Internet Explorer more secure - This can be done by following these simple instructions: (unless you are using ZoneAlarm Security Suite or something similar, then you would secure the browser thru the firewall). There are some good basic instructions for that here.

Use a different browser other than  IE (most exploits are pointed towards IE). One of them is
Firefox.
It is also worth trying Thunderbird for controlling spam in your e-mail.

Always use an UPDATED anti-virus program Make sure you update this at least weekly, if not more often. This is one thing that may save you more than anything else.

Run malware scanners. Three free ones are Spybot Search and Destroy, and AdAware and Malwarebytes' Anti-Malware

Always use a firewall.
Any firewall is better than none, and you should pick a firewall that you will use, as even the best firewall is worthless if you turn it off.
 
Learn how to use your firewall Only programs that need it should have access to the net. But these are specific to the firewall you use, so you will need to learn how. Several firewalls have support forums here. My page will help you with ZoneAlarm if that is what you choose. 


Never run two Antivirus programs or two Firewalls  at the same time. They can interfere with each other and cause problems. Some people swear that more protection is provided, but the reverse is true. They tend to argue amongst themselves and end up leaving holes. Now I have more than 1 AV installed on my computer, and I keep them up to date. I only run one at a time, but each program has weakness's, so I keep a backup in case my computer starts acting up.


 MOST IMPORTANT : Windows and IE, and whatever other software that you have that connects to the net, needs to be kept updated. The reason is, these programs connect to the net, and if there is an internal security problem, you have already told your firewall to allow the communication, and thus you will have allowed a hole. UPDATES are important. I suggest that you make sure that Windows Updates and the updates for your antivirus and antimalware programs are set for automatic updates. I also suggest running Secunia PSI. It will monitor the software you have installed and let you know when something needs to be updated.

Don't ever use P2P or filesharing software Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known vulnerabilities.

Before using any malware detection / removal software Check with Rogue/Suspect Spyware List That way you will know if the program you are looking at is on the up and up. If you want to know how it stacks up against other programs check out SpywareWarrior

We have a good guide here at Spyware Hammer on how to prevent Malware in the Future. You might want to peruse this and follow the recommendations in there.
PLEASE READ IT AND FOLLOW THE RECOMMENDATIONS TO PROTECT YOURSELF.

Let us know if you have any more problems, either new or old.
Have a good time surfing the net, but stay safe.
If you have no more problems, let me know and I will mark this as resolved. Or if you have more questions or concerns , ask away, that is why I am here.

[billla]

 

Thanks, Hoov - everything's done from your notes and I seem to be in great shape!

I can't thank you enough for sticking with me and getting this all the way sorted out!

 

[Hoov]

You are welcome. But to be honest with you, yours was a fairly short, quick problem. Only 2 pages.

Have a good one!