Need help removing Google search link redirect virus

Solved
By Geryth
Apr 14, 2012
Topic Status:
Not open for further replies.
  1. I need assistance removing an extremely relentless redirect virus. The problem is, nothing seems to be able to find it. Here are my symptoms:

    1) When I do a google search, my link is redirected (usually to Happili but others as well). This happens maybe 30% of the time, maybe a little less.

    2) I think something is writing to my keyboard / mouse buffer. When I play a game where I hold a certain key down, I've noticed focus being lost on that key for a split second even though I've constantly held it down. I've never had this happen before I started seeing these redirects, so I have a suspicion that they are related.

    I have a paid version of AVG Anti-Virus that finds nothing. I've run a full computer scan with the free version of Malwarebytes and found nothing. I've run TDSSKiller by Kaspersky and found nothing. I've never had a problem that Malwarebytes couldn't fix, so I don't know what else to do, and thus am here for more experienced help.

    Important Edit: So, I don't know how I missed this, but I just now see two separate crss.exe processes running. I think one of them is probably the virus. The problem is I don't know which one, my access to kill both processes is denied, and Process Explorer won't tell me where they are running from (right-clicking the process and choosing Properties yields completely blank results for "Path:", "Command Line" and "Current directory"). Unless there is a need for, or there commonly exist, more than one crss.exe; I'm not sure about that though.
  2. Bobbye


    Thank you for the good description! We need to get some logs to see what's running: malware entries do not necessarily appear 'bad' to an untrained eye.

    Please follow these steps: Preliminary Virus and Malware Removal.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ==========================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't follow directions given to someone else
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs, except those I give you.
    Threads are closed after 5 days if there is no reply.
  3. Geryth


    Edit: Sorry for the coding tags, they worked in the preview : /

    =========================================================

    Step 1: Antivirus scanning

    Done with AVG Anti-Virus 2012, a paid-for service.
    • Ran a normal, full system scan.
    • "No infection was found during this scan"
    • I know the instruction said no logs or actions were necessary, but I just wanted to be thorough


    =========================================================

    Step 2: Malwarebytes Anti-Malware

    • My version was encountering an error when I tried to update it, so I re-downloaded the product from your link. It successfully updated after a fresh install.
    • Ran a quick scan.
    • Here are the log results:


    4/14/2012 2:22:49 PM
    mbam-log-2012-04-14 (14-22-49).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 207597
    Time elapsed: 5 minute(s), 33 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 2
    HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Users\The Saxton Family\AppData\Local\av.exe" /START "%1" %* -> Quarantined and deleted successfully.
    HKCR\secfile\shell\open\command| (Rogue.MultipleAV) -> Data: "C:\Users\The Saxton Family\AppData\Local\av.exe" /START "%1" %* -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\The Saxton Family\AppData\Local\av.exe" /START "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Users\The Saxton Family\Downloads\LimeWireSetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.

    (end)

    • I was prompted to restart the computer, and I did so.
    • This very well could have quelled the situation, and the answer could be simply that I needed a newer version of Malwarebytes.


    =========================================================

    Step 3: GMER

    • Installed GMER as per the instructions, disconnected from the internet, disabled my AVG anti-virus, and ran the program.
    • It did not do an automatic quick scan as described, so I clicked "Scan" and it scanned fine, although it was a full system scan.
    • NO LOG GENERATED! "GMER hasn't found any system modification."


    =========================================================

    Step 4: DDS

    • Had to reconnect to the internet and I re-enabled my antivirus, in order to download DDS. The instructions could be written to include downloading DDS with GMER before disconnecting, as it seems to imply I still shouldn't be connected when running it.
    • Had problems downloading this from Chrome, it wouldn't work, but it worked fine when I did it in Firefox. I found that very odd.
    • Disconnected from the internet again, and disabled my anti-virus, because the step at the end that says "Enable your Antivirus protection and reconnect to the internet." leads me to believe that this should be done while not connected.
    • This is the contents of DDS.txt:


    .
    DDS (Ver_2011-08-26.01) - NTFSAMD64
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_26
    Run by The Saxton Family at 16:12:10 on 2012-04-14
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.7934.5463 [GMT -4:00]
    .
    AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    ============== Running Processes ===============
    .
    C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\system32\agr64svc.exe
    C:\Windows\system32\svchost.exe -k apphost
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    c:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MYSQL\MSSQL\Binn\sqlservr.exe
    c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    C:\Program Files (x86)\MEDITECH\MTAppDwn.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Windows\system32\svchost.exe -k iissvcs
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files (x86)\VMware\VMware View\Client\bin\wsnm.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Windows\MHotKey.exe
    C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Program Files (x86)\Steam\Steam.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
    C:\Windows\CNYHKey.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
    C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\ModLedKey.exe
    C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Users\The Saxton Family\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler.exe
    C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\ChiFuncExt.exe
    C:\Users\The Saxton Family\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler64.exe
    C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
    C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files (x86)\AVG\AVG2012\avgui.exe
    C:\Program Files (x86)\AVG\AVG2012\avgcfgex.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cscript.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
    uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0509&m=dx4300
    mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0509&m=dx4300
    mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0509&m=dx4300
    uInternet Settings,ProxyServer = 192.168.1.254:80
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
    uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    uRun: [Google Update] "C:\Users\The Saxton Family\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    uRun: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
    uRunOnce: [WebPlatformInstaller] "C:\Program Files\Microsoft\Web Platform Installer\WebPlatformInstaller.exe" "/id" "wpi:placeholder&ASPNET&NETFramework4&MVC2&NETEXTENSIBILITY&ISAPIExtensions&ISAPIFilters&StaticContentCompression&DefaultDocument&DirectoryBrowse&HTTPErrors&HTTPLogging&LoggingTools&RequestMonitor&IISManagementConsole&RequestFiltering&SQLExpress&VWD2010&StaticContent?"
    mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun: [LedKey] CNYHKey.exe
    mRun: [LchDrvKey] LchDrvKey.exe
    mRun: [Gateway Photo Frame] "C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe" -A
    mRun: [CLMLServer] "C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
    mRun: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe"
    mRun: [UVS10 Preload] "C:\Program Files (x86)\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe"
    mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun: [QuickTime Plugin Install] "C:\Program Files (x86)\QuickTime\Plugins\DeleteMe1.exe"
    mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    mPolicies-explorer: NoActiveDesktop = 1 (0x1)
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {C87ACE20-4BA7-11D4-AD69-0000F80020BC} - hxxp://meditech.com/employees/Pages/Software/MTAppDwn.exe
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: DhcpNameServer = 205.152.37.23 205.152.150.23
    TCP: Interfaces\{4BED0765-0D26-40DE-A5EB-9DADCFDB1001} : DhcpNameServer = 205.152.37.23 205.152.150.23
    TCP: Interfaces\{A0B2F641-D9E0-430C-B8D2-50DB2177C59B} : DhcpNameServer = 205.152.37.23 205.152.150.23
    TCP: Interfaces\{FEE06A1E-5888-432C-A32B-684281C2E549} : DhcpNameServer = 205.152.37.23 205.152.150.23
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    BHO-X64: AcroIEHelperStub - No File
    BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
    BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    BHO-X64: SkypeIEPluginBHO - No File
    BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
    BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    BHO-X64: Yontoo Layers: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
    BHO-X64: Yontoo Layers - No File
    TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
    TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    mRun-x64: [LedKey] CNYHKey.exe
    mRun-x64: [LchDrvKey] LchDrvKey.exe
    mRun-x64: [Gateway Photo Frame] "C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe" -A
    mRun-x64: [CLMLServer] "C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
    mRun-x64: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe"
    mRun-x64: [UVS10 Preload] "C:\Program Files (x86)\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe"
    mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    mRun-x64: [QuickTime Plugin Install] "C:\Program Files (x86)\QuickTime\Plugins\DeleteMe1.exe"
    mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    mRun-x64: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - C:\Users\The Saxton Family\AppData\Roaming\Mozilla\Firefox\Profiles\bazmz6if.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=DCF2DF&PC=DCF2&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.13\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.17\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.68\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npclntax_HBLiteSA.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
    FF - plugin: C:\Program Files\Microsoft\Web Platform Installer\NPWPIDetector.dll
    FF - plugin: C:\Users\The Saxton Family\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: C:\Users\The Saxton Family\AppData\Local\HuluDesktop\instances\0.9.14.1\nphdplg.dll
    FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
    R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
    R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
    R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
    R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
    R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
    R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-8-2 192776]
    R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R2 MSSQL$MYSQL;SQL Server (MYSQL);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MYSQL\MSSQL\Binn\sqlservr.exe [2011-4-24 42872672]
    R2 MTAppManager;MEDITECH Application Manager;C:\Program Files (x86)\MEDITECH\MTAppDwn.exe [2011-6-13 133592]
    R2 wsnm;VMware View Client Service;C:\Program Files (x86)\VMware\VMware View\Client\bin\wsnm.exe [2009-11-18 151552]
    R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
    R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
    R3 cxpl_mhd;CX23885/8 PCI-E AvStream Video Capture (PalomarMHD);C:\Windows\system32\drivers\y_cx88x.sys --> C:\Windows\system32\drivers\y_cx88x.sys [?]
    R3 RTL85n64;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;C:\Windows\system32\DRIVERS\RTL85n64.sys --> C:\Windows\system32\DRIVERS\RTL85n64.sys [?]
    R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-13 135664]
    S2 Norton Internet Security;Norton Internet Security;"C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
    S3 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2011-4-29 401920]
    S3 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
    S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2010-3-8 25832]
    S3 Gun;Gun;\??\C:\Windows\system32\Gun64.sys --> C:\Windows\system32\Gun64.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-13 135664]
    S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
    S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
    S3 U6000ALL;HDTV110 TV Box(ALL);C:\Windows\system32\DRIVERS\dmdcap.sys --> C:\Windows\system32\DRIVERS\dmdcap.sys [?]
    S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
    S4 ahcix64s;ahcix64s;C:\Windows\system32\drivers\ahcix64s.sys --> C:\Windows\system32\drivers\ahcix64s.sys [?]
    S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-18 89920]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-4-3 44896]
    S4 RsFx0103;RsFx0103 Driver;C:\Windows\system32\DRIVERS\RsFx0103.sys --> C:\Windows\system32\DRIVERS\RsFx0103.sys [?]
    S4 SQLAgent$MYSQL;SQL Server Agent (MYSQL);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MYSQL\MSSQL\Binn\SQLAGENT.EXE [2011-4-24 367456]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 427880]
    .
    =============== Created Last 30 ================
    .
    2012-04-13 07:04:49 4699520 ----a-w- C:\Windows\System32\ntoskrnl.exe
    2012-04-13 07:04:32 78848 ----a-w- C:\Windows\System32\imagehlp.dll
    2012-04-13 07:04:32 5632 ----a-w- C:\Windows\System32\wmi.dll
    2012-04-13 07:04:32 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
    2012-04-13 07:04:32 219136 ----a-w- C:\Windows\System32\wintrust.dll
    2012-04-13 07:04:32 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
    2012-04-13 07:04:32 16384 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
    2012-04-13 07:04:32 157696 ----a-w- C:\Windows\SysWow64\imagehlp.dll
    2012-04-07 03:37:13 -------- d-----w- C:\Program Files (x86)\Lame For Audacity
    2012-04-05 23:55:24 -------- d-----w- C:\Program Files (x86)\GOG.com
    2012-04-04 05:53:56 182160 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
    2012-04-04 05:53:56 182160 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
    2012-03-19 19:53:53 592824 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
    2012-03-19 19:53:53 44472 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
    2012-03-18 03:44:24 -------- d-----w- C:\Users\The Saxton Family\AppData\Local\Procaster
    .
    ==================== Find3M ====================
    .
    2012-04-04 19:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2012-03-10 15:47:53 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-02-28 15:35:29 1032192 ----a-w- C:\Windows\System32\wininet.dll
    2012-02-28 15:26:16 834048 ----a-w- C:\Windows\SysWow64\wininet.dll
    2012-02-28 14:56:20 485376 ----a-w- C:\Windows\System32\html.iec
    2012-02-28 14:21:25 389632 ----a-w- C:\Windows\SysWow64\html.iec
    2012-02-28 14:19:28 1383424 ----a-w- C:\Windows\System32\mshtml.tlb
    2012-02-28 13:56:50 1383424 ----a-w- C:\Windows\SysWow64\mshtml.tlb
    2012-02-15 16:01:50 52736 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
    2012-02-15 16:01:50 4547944 ----a-w- C:\Windows\System32\usbaaplrc.dll
    2012-02-14 16:49:43 327680 ----a-w- C:\Windows\System32\d3d10_1core.dll
    2012-02-14 16:49:43 196096 ----a-w- C:\Windows\System32\d3d10_1.dll
    2012-02-14 15:45:30 219648 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
    2012-02-14 15:45:30 160768 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
    2012-02-13 14:38:31 2002944 ----a-w- C:\Windows\System32\d3d10warp.dll
    2012-02-13 14:12:08 1172480 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
    2012-02-13 14:06:48 834048 ----a-w- C:\Windows\System32\d2d1.dll
    2012-02-13 14:03:11 1555968 ----a-w- C:\Windows\System32\DWrite.dll
    2012-02-13 13:47:57 683008 ----a-w- C:\Windows\SysWow64\d2d1.dll
    2012-02-13 13:44:40 1068544 ----a-w- C:\Windows\SysWow64\DWrite.dll
    2012-02-02 15:34:25 2765824 ----a-w- C:\Windows\System32\win32k.sys
    .
    ============= FINISH: 16:12:41.16 ===============

    • This is the contents of Attach.txt:


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 5/20/2009 10:38:27 PM
    System Uptime: 4/14/2012 2:36:36 PM (2 hours ago)
    .
    Motherboard: Gateway | | RS780
    Processor: AMD Phenom(tm) 9750 Quad-Core Processor | AM2 | 2400/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 917 GiB total, 368.51 GiB free.
    D: is CDROM (CDFS)
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
    Description: Microsoft PS/2 Mouse
    Device ID: ACPI\PNP0F03\4&2A700557&0
    Manufacturer: Microsoft
    Name: Microsoft PS/2 Mouse
    PNP Device ID: ACPI\PNP0F03\4&2A700557&0
    Service: i8042prt
    .
    ==== System Restore Points ===================
    .
    .
    ==== Installed Programs ======================
    .
    Update for Microsoft Office 2007 (KB2508958)
    AAC Decoder
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader X (10.1.3)
    Adobe Shockwave Player 11.5
    Age of Empires Online
    Alien Swarm
    Amazon Games & Software Downloader
    Amazon MP3 Downloader 1.0.5
    AMD LIVE! Explorer
    Apple Application Support
    Apple Software Update
    Audacity 1.3.14 (Unicode)
    Audacity 2.0
    AutoUpdate
    AviSynth 2.5
    Bejeweled 2 Deluxe
    Big Fish Games: Game Manager
    Burger Shop
    Canon MP Navigator EX 2.0
    Canon MP240 series User Registration
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization Danish
    Catalyst Control Center Localization Dutch
    Catalyst Control Center Localization Finnish
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Norwegian
    Catalyst Control Center Localization Spanish
    Catalyst Control Center Localization Swedish
    ccc-core-static
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Italian
    CCC Help Japanese
    CCC Help Norwegian
    CCC Help Spanish
    CCC Help Swedish
    Champions Online: Free For All
    Choice Guard
    Command & Conquer Red Alert 2
    Command && Conquer Red Alert 2 - Yuri's Revenge
    Compatibility Pack for the 2007 Office system
    Counter-Strike: Source
    Counter-Strike: Source Beta
    Coupon Printer for Windows
    CyberLink Power2Go
    Diner Dash
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    Dragon Age: Origins
    Dream Of Mirror Online
    Fallout
    Fallout 3
    Fallout: New Vegas
    Farm Frenzy
    ffdshow [rev 2583] [2009-01-05]
    File Type Assistant
    FINAL FANTASY XIV Beta Version
    Final Media Player 2011
    FoxTab Music Converter (remove only)
    FoxTab PDF Converter
    Free Video to MP3 Converter version 5.0.3.1206
    Game Maker 8.0
    GameGuard
    Gateway Games
    Gateway Photo Frame 4.2.3.6
    Gateway Recovery Management
    Gateway ScreenSaver
    GDR 1617 for SQL Server 2008 R2 (KB2494088)
    Gimp 2.6.2 Debug
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    GunBound Thor's Hammer version 451
    GunboundIS
    GunboundWC
    H.264 Decoder
    Haali Media Splitter
    HandBrake 0.9.5
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
    Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
    Hulu Desktop
    Indiana Jones and the Last Crusade
    InstallIQ Updater
    IrfanView (remove only)
    Java Auto Updater
    Java(TM) 6 Update 26
    Java(TM) 6 Update 5
    Java(TM) SE Development Kit 6 Update 18
    Junk Mail filter update
    KB0817 Keyboard Driver
    King Arthur - The Role-playing Wargame
    LAME v3.99.3 (for Windows)
    League of Legends
    Left 4 Dead
    Left 4 Dead 2 Demo
    Livestream Procaster
    Logitech Gaming Software 64
    LOLReplay
    Malwarebytes Anti-Malware version 1.61.0.1400
    Marvell Miniport Driver
    MEDITECH RAT
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Age of Empires Gold
    Microsoft Age of Empires II
    Microsoft Age of Empires II: The Conquerors Expansion
    Microsoft Application Error Reporting
    Microsoft ASP.NET MVC 2
    Microsoft ASP.NET MVC 2 - VWD Express 2010 Tools
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft Games for Windows Marketplace
    Microsoft Money Essentials
    Microsoft Money Shared Libraries
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Professional Edition 2003
    Microsoft Office Project Professional 2003
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Report Viewer Redistributable 2008 (KB971119)
    Microsoft Report Viewer Redistributable 2008 SP1
    Microsoft Silverlight
    Microsoft Silverlight 3 SDK
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2008 R2
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server 2008 R2 Policies
    Microsoft SQL Server 2008 R2 RsFx Driver
    Microsoft SQL Server 2008 R2 Setup (English)
    Microsoft SQL Server 2008 Setup Support Files
    Microsoft SQL Server Browser
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server Compact 3.5 SP2 Query Tools ENU
    Microsoft SQL Server Database Publishing Wizard 1.4
    Microsoft SQL Server System CLR Types
    Microsoft Visual C# 2010 Express - ENU
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
    Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
    Microsoft Visual Studio Tools for Applications 2.0 - ENU
    Microsoft Visual Web Developer 2010 Express - ENU
    Microsoft Works
    MKV Splitter
    Mozilla Firefox 11.0 (x86 en-US)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    Mystery Case Files: Ravenhearst ®
    NVIDIA PhysX
    One Touch Video Capture
    Pando Media Booster
    Plants vs. Zombies: Game of the Year
    Portal
    Quake 3 Arena Demo
    QuickTime
    Realtek High Definition Audio Driver
    RollerCoaster Tycoon
    S.T.A.L.K.E.R.: Call of Pripyat
    Sam & Max 201: Ice Station Santa
    Sam & Max 202: Moai Better Blues
    Sam & Max 203: Night of the Raving Dead
    Sam & Max 204: Chariots of the Dogs
    Sam & Max 205: What's New Beelzebub?
    ScummVM 0.13.1a
    Search Toolbar
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
    Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Visual C# 2010 Express - ENU (KB2251489)
    Security Update for Microsoft Visual Web Developer 2010 Express - ENU (KB2251489)
    Skins
    Skype Click to Call
    Skype™ 5.5
    Sothink Movie DVD Maker
    Spelling Dictionaries Support For Adobe Reader 9
    SQL Server 2008 R2 Common Files
    SQL Server 2008 R2 Database Engine Services
    SQL Server 2008 R2 Database Engine Shared
    SQL Server 2008 R2 Management Studio
    Sql Server Customer Experience Improvement Program
    Star Wars - Jedi Knight II: Jedi Outcast
    Star Wars - Jedi Knight: Mysteries of the Sith
    Star Wars Jedi Knight: Dark Forces II
    Star Wars Jedi Knight: Jedi Academy
    Star Wars: Dark Forces
    StarCraft
    StarCraft II
    StarCraft II Beta
    Steam
    Team Fortress 2
    Torchlight
    Ulead VideoStudio SE DVD
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
    Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
    Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
    Update for Microsoft .NET Framework 4 Extended (KB2468871)
    Update for Microsoft .NET Framework 4 Extended (KB2533523)
    Update for Microsoft .NET Framework 4 Extended (KB2600217)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VC500 Driver
    VC80CRTRedist - 8.0.50727.762
    Ventrilo Client
    Vista Codec Package
    Visual C++ 8.0 Runtime Setup Package (x64)
    Visual Studio 2008 x64 Redistributables
    Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
    VMware View Client
    VoiceOver Kit
    VST Bridge 1.1
    Walmart MP3 Music Downloads
    Warcraft III
    Warcraft III: All Products
    Westwood Shared Internet Components
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sync
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Player Firefox Plugin
    WinRAR archiver
    Wolfenstein - Enemy Territory
    World of Warcraft
    XnView 1.98.2
    .
    ==== Event Viewer Messages From Past Week ========
    .
    4/14/2012 2:38:42 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SRTSP SRTSPX
    4/14/2012 2:38:42 PM, Error: Service Control Manager [7000] - The Norton Internet Security service failed to start due to the following error: The system cannot find the path specified.
    4/13/2012 8:37:15 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
    4/13/2012 8:37:15 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    4/13/2012 8:37:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
    4/13/2012 8:36:21 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
    4/13/2012 8:36:21 AM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    .
    ==== End Of File ===========================

    • That is all that is requested for now, although I feel it necessary to mention that my computer is still running two processes called csrss.exe; I don't know if that's normal.
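    The two-csrss.exe question above is the kind of thing worth checking mechanically rather than by eye. The script below is an added example for this thread, not code posted by either participant, and it assumes Windows Vista or later with PowerShell 2.0 or newer, run from an elevated prompt. It lists every csrss.exe with its session, parent and image path, flags any instance that does not run from System32 or shares a session with another, and then looks for look-alike names (crss.exe, csrs.exe and so on) in the process list.

```powershell
# Added example for this thread (not code posted by either participant): tell a
# legitimate csrss.exe from an impostor without killing anything.
# Assumptions: Windows Vista or later, PowerShell 2.0 or newer, run elevated.
#
# Two csrss.exe processes are normal on Vista and later: one for session 0
# (services) and one per interactive logon session. A real one always runs from
# %SystemRoot%\System32 and each instance sits in a different session. Without
# elevation the session-0 image path is unreadable, which is the same "blank
# Path / Command Line" that Process Explorer shows for it.

$expectedPath = Join-Path $env:SystemRoot 'System32\csrss.exe'

# Win32_Process exposes ExecutablePath, SessionId and ParentProcessId for all
# sessions; Get-Process cannot read the path of a SYSTEM process unelevated.
$instances = Get-WmiObject Win32_Process -Filter "Name = 'csrss.exe'"

$report = foreach ($p in $instances) {
    $path = $p.ExecutablePath
    $problems = @()

    if (-not $path) {
        $problems += 'path unreadable (run elevated)'
    }
    elseif ($path -ne $expectedPath) {        # -ne is case-insensitive in PowerShell
        # Any csrss.exe outside System32 is the classic impostor.
        $problems += "unexpected path: $path"
    }

    # On Vista the per-session smss.exe that starts csrss.exe exits right after
    # creating it, so a parent that no longer exists is expected, not suspicious
    # (and if the PID was reused since, the name shown here is unrelated).
    $parent = Get-Process -Id $p.ParentProcessId -ErrorAction SilentlyContinue
    $parentName = if ($parent) { $parent.ProcessName } else { '(parent exited)' }

    New-Object PSObject -Property @{
        PID     = $p.ProcessId
        Session = $p.SessionId
        Parent  = $parentName
        Path    = $path
        Verdict = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'OK' }
    }
}

# Two instances in the same session would mean one of them is not the real CSRSS.
$dupes = $report | Group-Object Session | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    Write-Warning ('More than one csrss.exe in session(s): ' + (($dupes | ForEach-Object { $_.Name }) -join ', '))
}

$report | Select-Object PID, Session, Parent, Path, Verdict | Format-Table -AutoSize

# Look-alike names (crss.exe, csrs.exe, csrsss.exe ...) that droppers use to hide
# in the process list; the only legitimate spelling is "csrss". Heuristic only.
Get-Process |
    Where-Object { $_.ProcessName -match '^c[sr]{1,3}s{1,2}$' -and $_.ProcessName -ne 'csrss' } |
    Select-Object Id, ProcessName, Path

# Vista/7 system binaries are catalog-signed, so Get-AuthenticodeSignature reports
# them as NotSigned. Verify the file against the catalog store instead:
#   sfc /verifyfile=C:\Windows\System32\csrss.exe
```

    A blank path on the session-0 instance when the script is run unelevated is expected and is exactly what Process Explorer shows too; rerun elevated before reading anything into it. A second instance per logged-on user is also expected, so the only findings that matter are a path outside System32, two instances in one session, or a near-miss name in the last listing.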
  4. Geryth

    Geryth Newcomer, in training Topic Starter

    For some reason, since the new forum look came out, I can no longer edit my post. I just wanted to add that even after the newer version of Malwarebytes discovered more things and removed them, I am still getting redirects.
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    They are still working on the site. Just make an extra post here if needed. There are still a few glitches to be smoothed out. I've had internet problems also since this AM!
    ---------------------------
    I'd like you to run Combofix, but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

    Download AppRemover and save to the desktop

    • Double click the setup on the desktop> click Next
    • Select "Remove Security Application"
    • Let scan finish to determine security apps
    • A screen like below will appear:
    • Click on Next after choice has been made
    • Check the AVG program you want to uninstall
    • After uninstall shows complete, follow online prompts to Exit the program.


    Temporary AV: Use one:
    Microsoft Security Essentials
    Comodo AV
    Avast! Free Antivirus
    =============================
    To run the Eset Online Virus Scan:
    If you use Internet Explorer:

    • Open the ESETOnlineScan
    • Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer:
    • Open Eset Smart Installer
      • Click on the esetsmartinstaller_enu.exe link and save to the desktop.
      • Double click on the desktop icon to run.
      • After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window

    • Continue with the directions.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button, then Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    I think you're going to see some 'extra' processes in Eset from Diner Dash, Big Fish and possibly other related entries.
    -----------------------------------------------
    Did you have Norton on the system at one time? I see the following error:
    Try running the Norton Removal Tool
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Some of the coding isn't working. I tried to edit but couldn't. I think you have everything you need for the 2 scans. If they parse anymore, I'll redo the reply.
  7. Geryth

    Geryth Newcomer, in training Topic Starter

    • I installed AppRemover to uninstall AVG
    • I uninstalled AVG
    • I installed Avast! Free-Antivirus.
    • I rebooted my computer as instructed by AppRemover.
    • I downloaded, installed, and ran Eset Online Scanner (unchecked "Remove Found Threats" and selected "Scan archives")
    • Here are the results:

    C:\Program Files (x86)\FoxTabAudioConverter\AudioConverter.exe    a variant of Win32/InstallCore.A application
    C:\Users\The Saxton Family\AppData\Local\Temp\is1972027439\zgInstaller.exe    Win32/Toolbar.Zugo application
    C:\Users\The Saxton Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-4f1e1374    Java/TrojanDownloader.Agent.NBL trojan
    C:\Users\The Saxton Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\640c67b5-6241ba07    Java/TrojanDownloader.Agent.NBM trojan
    C:\Users\The Saxton Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-24b1a2fb    Java/TrojanDownloader.Agent.NBK trojan

    • Reinstalled AVG
    • Uninstalled AVAST!
    • Rebooted as prompted by AVAST! uninstall
    • Yes, I did at one time have Norton Anti-Virus.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Oops! I left Combofix directions out! The whole idea of removing AVG was so you could run Combofix! Sorry about that!

    A comment: When we say to re-enable the AV after the scan, understand that Avast is a functional, updated AV. In the case of Combofix, you do not need to reinstall AVG at that point. We aren't finished with Combofix.

    Please run the App Remover again and remove AVG.

    Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Before you run the Combofix scan, please disable any security software you have running.

    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      • The Recovery Console was successfully installed.
      • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
      • Note: No query will be made if the Recovery Console is already on the system.
    • Close/disable all anti virus and anti malware programs
      (If you need help with this, please see HERE)
    • Close any open browsers.
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • When the scan completes, a report will be generated; it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software. >>> If you choose Avast, re-enable Avast. Don't reinstall AVG now.
    Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
    Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ============================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files
      C:\Program Files (x86)\FoxTabAudioConverter\AudioConverter.exe
      C:\Users\The Saxton Family\AppData\Local\Temp\is1972027439\zgInstaller.exe
      C:\Users\The Saxton Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-4f1e1374
      C:\Users\The Saxton Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\640c67b5-6241ba07
      C:\Users\The Saxton Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-24b1a2fb
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ============================================
    You are getting malware due in part to the fact that you have 3 outdated versions of Java and these are vulnerabilities:

    Please update Java: Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Be sure to check all download screens for any pre-checked toolbars or BHO> if found, remove the check before the download.
    ===========================================
    You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
    • A logfile will pop up. Note: Do not leave this log.
    ===========================================
    Please leave the Combofix log and the OTM log in your next reply.
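    The Java part of the post above (three installed Java versions, all but the newest being exploitable, and the deployment cache holding the three Java/TrojanDownloader hits) can be checked without JavaRa. The script below is an added example for this thread, not code posted by either participant. It assumes 64-bit Windows (so 32-bit entries live under Wow6432Node), PowerShell 2.0 or newer, and no elevation. It reads the same Uninstall registry keys Add/Remove Programs shows, ranks the Java entries by major version and update number, marks everything but the newest installed one for removal, and lists the newest files in the Java deployment cache.

```powershell
# Added example for this thread (not code posted by either participant): list
# every installed Java runtime/JDK from the Add/Remove Programs registry keys,
# mark everything but the newest as "uninstall", then show what is sitting in the
# Java deployment cache that the ESET scan above flagged.
# Assumptions: 64-bit Windows (32-bit entries live under Wow6432Node), PowerShell
# 2.0 or newer; reading these keys does not need elevation.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$java = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $entry = Get-ItemProperty $sub.PSPath
        $name  = [string]$entry.DisplayName
        # Matches "Java(TM) 6 Update 26", "Java(TM) SE Development Kit 6 Update 18",
        # "Java 7 Update 3"; skips "Java Auto Updater" and unrelated products.
        if ($name -match '^Java(\(TM\))?\s+(SE\s+)?(Development Kit\s+)?(\d+)(\.\d+)?\s+Update\s+(\d+)') {
            New-Object PSObject -Property @{
                Name      = $name
                Major     = [int]$matches[4]
                Update    = [int]$matches[6]
                Arch      = if ($key -match 'Wow6432Node') { '32-bit' } else { '64-bit' }
                Uninstall = $entry.UninstallString   # what Add/Remove Programs runs
            }
        }
    }
}

if (-not $java) {
    'No Java runtime or JDK found in Add/Remove Programs.'
    return
}

# Highest (major, update) pair is the newest installed; everything else is an
# old runtime that web content can still target via the Java plugin.
$ranked = @($java | Sort-Object -Property Major, Update -Descending)
$newest = $ranked[0]

$ranked | ForEach-Object {
    $status = if ($_.Major -eq $newest.Major -and $_.Update -eq $newest.Update) {
        'newest installed (still compare with the current release on java.com)'
    } else {
        'outdated: uninstall'
    }
    Add-Member -InputObject $_ -MemberType NoteProperty -Name Status -Value $status -PassThru
} | Select-Object Name, Arch, Major, Update, Status, Uninstall | Format-Table -AutoSize

# Java deployment cache: where the three Java/TrojanDownloader.Agent hits above
# live. Entries are downloaded applets/JARs plus a companion .idx file; listing
# newest-first shows what ran recently. Clearing it is done from the Java Control
# Panel (Temporary Internet Files > Delete) once the old runtimes are gone.
$cache = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'
if (Test-Path $cache) {
    Get-ChildItem $cache -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -ne '.idx' } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime -First 20
}
```

    The ranking only compares what is installed with itself: the entry marked "newest installed" can still be behind the current release, so the version number still has to be checked against java.com before calling the machine patched. On this system the three entries from the Installed Programs list (6 Update 26, 6 Update 5, and the JDK 6 Update 18) would come out as one to keep for now and two to uninstall.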
  9. Geryth

    Geryth Newcomer, in training Topic Starter

    • I uninstalled AVG again.
    • I reinstalled AVAST!
    • I downloaded Combofix.
    • I disabled AVAST!
    • I ran Combofix. Here is the log:

    ComboFix 12-04-18.02 - The Saxton Family 04/18/2012 18:56:04.1.4 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.7934.5516 [GMT -4:00]
    Running from: c:\users\The Saxton Family\Desktop\Virus Removal Stuff\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\Install.exe
    c:\program files (x86)\Mozilla Firefox\components\AskHPRFF.js
    c:\program files (x86)\Search Toolbar
    c:\program files (x86)\Search Toolbar\icon.ico
    c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
    c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe
    c:\users\The Saxton Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\7kyxb.jpg
    c:\users\The Saxton Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\bYyxX.jpg
    c:\users\The Saxton Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\y4lb1x8bA.jpg
    c:\users\The Saxton Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\yN6N5X4M.jpg
    c:\users\The Saxton Family\AppData\Roaming\Love
    c:\users\The Saxton Family\AppData\Roaming\Love\mari0\options.txt
    c:\windows\SwSys1.bmp
    c:\windows\SwSys2.bmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-03-18 to 2012-04-18 )))))))))))))))))))))))))))))))
    .
    .
    2012-04-18 23:19 . 2012-04-18 23:24 -------- d-----w- c:\users\The Saxton Family\AppData\Local\temp
    2012-04-18 23:19 . 2012-04-18 23:19 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-04-18 22:30 . 2012-03-06 23:01 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2012-04-18 22:30 . 2012-03-06 23:04 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2012-04-18 22:30 . 2012-03-06 23:02 43864 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2012-04-18 22:30 . 2012-03-06 23:01 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2012-04-18 22:30 . 2012-03-06 23:04 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2012-04-18 22:30 . 2012-03-06 23:01 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2012-04-18 22:29 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
    2012-04-18 22:29 . 2012-03-06 23:15 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
    2012-04-16 13:24 . 2012-04-16 13:24 -------- d-----w- c:\users\The Saxton Family\AppData\Roaming\AVG2012
    2012-04-16 13:16 . 2012-04-18 23:21 -------- d-----w- c:\programdata\AVG2012
    2012-04-16 13:14 . 2012-04-16 13:14 -------- d-----w- c:\program files (x86)\AVG
    2012-04-16 13:10 . 2012-04-18 22:46 -------- d-----w- c:\programdata\MFAData
    2012-04-16 01:46 . 2012-04-16 01:46 -------- d-----w- c:\program files (x86)\ESET
    2012-04-16 01:35 . 2012-03-06 23:15 258520 ----a-w- c:\windows\system32\aswBoot.exe
    2012-04-16 01:32 . 2012-04-18 22:28 -------- d-----w- c:\programdata\AVAST Software
    2012-04-16 01:32 . 2012-04-18 22:28 -------- d-----w- c:\program files\AVAST Software
    2012-04-13 07:04 . 2012-03-06 06:44 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
    2012-04-13 07:04 . 2012-02-29 15:37 5632 ----a-w- c:\windows\system32\wmi.dll
    2012-04-13 07:04 . 2012-02-29 15:37 219136 ----a-w- c:\windows\system32\wintrust.dll
    2012-04-13 07:04 . 2012-02-29 15:37 78848 ----a-w- c:\windows\system32\imagehlp.dll
    2012-04-13 07:04 . 2012-02-29 15:09 157696 ----a-w- c:\windows\SysWow64\imagehlp.dll
    2012-04-13 07:04 . 2012-02-29 13:52 16384 ----a-w- c:\windows\system32\drivers\fs_rec.sys
    2012-04-07 03:37 . 2012-04-07 03:37 -------- d-----w- c:\program files (x86)\Lame For Audacity
    2012-04-05 23:55 . 2012-04-05 23:55 -------- d-----w- c:\program files (x86)\GOG.com
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
    2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-04 19:56 . 2010-02-26 23:57 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
    2012-03-10 15:47 . 2011-11-23 14:22 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2012-02-29 15:11 . 2012-04-13 07:04 5120 ----a-w- c:\windows\SysWow64\wmi.dll
    2012-02-29 15:11 . 2012-04-13 07:04 172032 ----a-w- c:\windows\SysWow64\wintrust.dll
    2012-02-28 15:26 . 2012-04-12 15:57 834048 ----a-w- c:\windows\SysWow64\wininet.dll
    2012-02-15 16:01 . 2012-02-15 16:01 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
    2012-02-15 16:01 . 2012-02-15 16:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
    2012-02-14 16:49 . 2012-03-14 05:17 327680 ----a-w- c:\windows\system32\d3d10_1core.dll
    2012-02-14 16:49 . 2012-03-14 05:17 196096 ----a-w- c:\windows\system32\d3d10_1.dll
    2012-02-14 15:45 . 2012-03-14 05:17 219648 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
    2012-02-14 15:45 . 2012-03-14 05:17 160768 ----a-w- c:\windows\SysWow64\d3d10_1.dll
    2012-02-13 14:38 . 2012-03-14 05:17 2002944 ----a-w- c:\windows\system32\d3d10warp.dll
    2012-02-13 14:12 . 2012-03-14 05:17 1172480 ----a-w- c:\windows\SysWow64\d3d10warp.dll
    2012-02-13 14:06 . 2012-03-14 05:17 834048 ----a-w- c:\windows\system32\d2d1.dll
    2012-02-13 14:03 . 2012-03-14 05:17 1555968 ----a-w- c:\windows\system32\DWrite.dll
    2012-02-13 13:47 . 2012-03-14 05:17 683008 ----a-w- c:\windows\SysWow64\d2d1.dll
    2012-02-13 13:44 . 2012-03-14 05:17 1068544 ----a-w- c:\windows\SysWow64\DWrite.dll
    2012-02-02 15:34 . 2012-03-14 05:17 2765824 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2011-07-22 3077528]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
    "LedKey"="CNYHKey.exe" [2008-04-24 339968]
    "LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
    "Gateway Photo Frame"="c:\program files (x86)\Gateway Photo Frame\ButtonMonitor.exe" [2009-05-05 123904]
    "CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2008-12-24 103720]
    "AmazonGSDownloaderTray"="c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
    "UVS10 Preload"="c:\program files (x86)\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    "AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
    "QuickTime Plugin Install"="c:\program files (x86)\QuickTime\Plugins\DeleteMe1.exe" [2012-01-11 86016]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-07 421736]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
    iissvcsREG_MULTI_SZ w3svc was
    apphostREG_MULTI_SZ apphostsvc
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-04-18 c:\windows\Tasks\Final Media Player Update Checker.job
    - c:\program files (x86)\FinalMediaPlayer\FMPCheckForUpdates.exe [2011-07-27 19:24]
    .
    2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-13 16:50]
    .
    2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-13 16:50]
    .
    2012-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3239571492-3292308985-2968727561-1000Core.job
    - c:\users\The Saxton Family\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-17 02:46]
    .
    2012-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3239571492-3292308985-2968727561-1000UA.job
    - c:\users\The Saxton Family\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-17 02:46]
    .
    .
    --------- x86-64 -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-03-06 23:15135408----a-w-c:\program files\AVAST Software\Avast\ashShA64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-30 1833504]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-30 7574048]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 2114376]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "LoadAppInit_DLLs"=0x1
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
    uLocal Page = c:\windows\system32\blank.htm
    mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0509&m=dx4300
    mLocal Page = %SystemRoot%\system32\blank.htm
    uInternet Settings,ProxyServer = 192.168.1.254:80
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 205.152.37.23 205.152.150.23
    DPF: {C87ACE20-4BA7-11D4-AD69-0000F80020BC} - hxxp://meditech.com/employees/Pages/Software/MTAppDwn.exe
    CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
    FF - ProfilePath - c:\users\The Saxton Family\AppData\Roaming\Mozilla\Firefox\Profiles\bazmz6if.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=DCF2DF&PC=DCF2&q=
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bab801183-ca41-49bc-be59-5515aa243954%7D&mid=096d170263091ff919f073b96f298293-1db9057191df1134e1184579f57f2796b3789536&ds=AVG&v=10.2.0.3&lang=en&pr=pr&d=2012-04-16%2009%3A19%3A59&sap=ku&q=
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
    AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
    AddRemove-FX - Music Converter - c:\progra~2\FOXTAB~1\Uninstall\Uninstall.exe
    AddRemove-Search Toolbar - c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
    AddRemove-FoxTab PDF Converter - c:\program files (x86)\FoxTabPDFConverter\Uninstall\Uninstall.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-3239571492-3292308985-2968727561-1000\Software\SecuROM\License information*]
    @Allowed: (Read) (RestrictedCode)
    "datasecu"=hex:ad,1f,1b,87,42,14,ff,f5,41,8c,84,32,ed,0b,0f,ae,45,0b,1f,df,fa,
    5b,94,a4,4e,aa,ee,5d,40,2a,67,c2,44,2b,32,42,20,a4,ba,c2,34,e1,a6,70,d5,dc,\
    "rkeysecu"=hex:25,f6,04,4d,45,50,0a,40,a3,da,c4,45,36,7c,0b,25
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.10"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker3"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files (x86)\Microsoft SQL Server\MSSQL10_50.MYSQL\MSSQL\Binn\sqlservr.exe
    c:\program files (x86)\MEDITECH\MTAppDwn.exe
    c:\program files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\windows\MHotKey.exe
    c:\program files (x86)\VMware\VMware View\Client\bin\wsnm.exe
    c:\windows\ChiFuncExt.exe
    c:\windows\CNYHKey.exe
    c:\windows\ModLedKey.exe
    c:\program files (x86)\Common Files\Steam\SteamService.exe
    .
    **************************************************************************
    .
    Completion time: 2012-04-18 19:33:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-04-18 23:33
    .
    Pre-Run: 389,109,059,584 bytes free
    Post-Run: 389,731,225,600 bytes free
    .
    - - End Of File - - F20C40A92D7FA83C729CFD2230B6E4AE

    • My computer rebooted after Combofix.
    • I installed and ran OTMovit by Old Timer, and pasted your code block into the program and clicked the red Moveit! button.
    • Here is the log:

    All processes killed
    ========== FILES ==========
    File/Folder C:\Program Files (x86)\FoxTabAudioConverter\AudioConverter.exea not found.
    File/Folder C:\Users\The SaxtonFamily\AppData\Local\Temp\is1972027439\zgInstaller.exe not found.
    File/Folder C:\Users\The SaxtonFamily\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-4f1e1374J not found.
    File/Folder C:\Users\The SaxtonFamily\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\640c67b5-6241ba07 not found.
    File/Folder C:\Users\The SaxtonFamily\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-24b1a2fb not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 41620 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: The Saxton Family
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 107559027 bytes
    ->Java cache emptied: 23268767 bytes
    ->FireFox cache emptied: 196675216 bytes
    ->Google Chrome cache emptied: 21705713 bytes
    ->Flash cache emptied: 5864690 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 4487515 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 343.00 mb


    OTM by OldTimer - Version 3.1.19.0 log created on 04182012_194142

    Files moved on Reboot...
    File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...

    • I then removed old versions of Java and installed a new version and received the latest updates.
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Repeating:
    I'd like you to understand that Avast is a fully functioning antivirus program. It isn't necessary for you to uninstall AVG, then install Avast and the minute you finish the Combofix scan to hurry and reinstall AVG. The comment that reminds you to re-enable the AV when you finish a scan is not meant to indicate you need to do the above. Avast is a free, good and legitimate AV. The system is protected. Just because we refer to a 'temporary AV' does not mean the system isn't covered.

Some AVG entries are remaining when you do the above 'swap', so please leave Avast on the system until we have finished cleaning. Then, if you wish, you can reinstall AVG and remove Avast.
    ===============================================
    There is a proxy enabled that may be causing the redirect:
    Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
  o Click on the "Connections" tab and click the "LAN Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click Ok to close the Local Area Network (LAN) Settings window.
      o Click Ok to close the Internet Options window.
    ===================================================
    About Firefox settings:
    FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search
    FF - prefs.js: browser.startup.homepage - www.google.com
    FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search
    .
    Firefox is set for Bing as default Search
    Firefox startup page is set to Google
    The Keyword URL is set to isearch.AVG

    How about we reset these to all Google? I can do 2 with script for Combofix and tell you how to set the other.
    ==================================================
    Are you still getting redirected?
  11. Geryth

    Geryth Newcomer, in training Topic Starter

    Making all the searches be google would be fine, but I am still getting redirects, even after making the Proxy changes to Firefox (IE was already set correctly). I think they might be a little less frequent though? It feels that way anyway. I would get Happili a lot and I haven't in a while now.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Your description of the redirect doesn't sound like a 'normal' redirect.

    Please give me a couple of examples of what domains come up when you're redirected. DO NOT make a hyperlink- just give me the domain name before the .com or .net. Does this happen just in one browser or all?
    ============================================
1. Why aren't there any restore points?
==== System Restore Points ===================

2. The only user name I see in OTM is "User: The Saxton Family". Are all of the family members posting under this one account?

    3. A tally of Firefox:
    There are 27 plugins in Firefox:
There are 4 for GoogleOneClick8.dll
    There are 9 for npGoogleUpdate3.dll
    There are 2 for npCouponPrinter.dll
There are 2 versions of Adobe Reader: v10.0 and v9. You have the current vX installed on the OS. Please uninstall both v9 and v10 in Firefox.

I have blocked all Google Updates. Are you supposed to keep the previous update when you get a new one?
    ======================================================
    SuperAntiSpyware Home Edition Free Version
    • Please download SuperAntiSpyware from HERE
    • Launch SuperAntiSpyware and click on 'Check for updates'.
    • Wait for the updates to be installed
    • On the main screen click on 'Scan your computer'.
• Check 'Perform Complete Scan', then click 'Next' to start the scan.
• SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
• Make sure everything found has a checkmark next to it, then press 'Next'.
• Click on 'Finish' when you're done.
    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    • Click on 'Preferences'.
    • Click on the 'Statistics/Logs' tab.
    • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad. Paste the Notepad file here in your reply.
    =======================================================
Logs in next reply please. You do not need to detail what you have done- just post the logs.
  13. Geryth

    Geryth Newcomer, in training Topic Starter

    Please keep open, I've been extremely busy, I will update with the new log soon. Just fyi, I am still getting redirects, and the last 3 in a row were actually Happili.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

I will keep open for you- all you need to do is let me know you will be delayed. I usually run behind in closing also. Don't wait too long though or we may have to repeat the scans.


    Keep open per member request.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

Happili.com is another browser hijacker that is installed by a ZeroAccess/Sirefef-related trojan. Once the trojan is installed and started, it will configure itself to run automatically when Windows loads. While running, it may display many popups and fake security alerts, hijack the computer's browser, redirect search results in Google, Yahoo, MSN to unrelated sites, block access to security websites and disable Windows Task Manager, Windows Security Center and the registry editor.

    But this is new malware, so you are actively still vulnerable. Try and find some time so we can clean this up before you end up with corrupt files and a possible unbootable system.
  16. Geryth

    Geryth Newcomer, in training Topic Starter

I greatly apologize for my delay. I'm willing to start with new logs if you desire, but I have reduced the redirects almost to where they live, just a few steps away I think.

    The problem is the Chrome Extension titled "Default Extension 1.0" (Unpacked) and in Firefox it's called "Performance Cache 1.0"

When I disable these extensions, the redirects stop. If I remove them, they are automatically reinstalled and re-enabled when I close and reopen Chrome and Firefox. Edit: Actually, once I removed "Performance Cache 1.0" from Firefox, it has not returned. I don't know if it would return on a reboot though, but closing and reopening Firefox doesn't re-enable the extension like it does for Chrome.

    Not sure if that helps you narrow down what I need to do next.
  17. Geryth

    Geryth Newcomer, in training Topic Starter

    Excellent news! So, after some more research, I found out that Chrome had this button on the extensions page called "Developer Mode". When I clicked that, the pesky "Default Extension 1.0 (Unpacked)" extension had this nifty line underneath it that said "Loaded From: <file path>". I navigated to that file path, deleted the junk, did a full computer restart, and it didn't reload!

    I'd still like to keep this open for a while longer to make absolutely sure I don't get anymore redirects, but hopefully this is problem solved!

    Information about the file path:
    The file path showed as -

    C:\Users\[User Name]\Local Settings\Google\Chrome\User Data\Default\Default\aagdcllfcplabdjfklbdfdombjnganlc

    When I tried to navigate to it, I got "Access Denied" at C:\. . .\Local Settings. After some research, it looks like it's a fake path for backwards compatibility because Vista has a new file structure. So, I dug around and found that exact file at:

    C:\Users\[User Name]\AppData\Local\Google\Chrome\User Data\Default\Default\aagdcllfcplabdjfklbdfdombjnganlc

    The gibberish folder contained 3 files:
    background.html
    ContentScript.JScript
    manifest.json

The time stamps all coincided with when I started getting redirects. Obviously, not one single scanner or AV program identified this as a threat, and it seems like it took full advantage of my out-of-date Javascript, which I have you to thank for getting me secure on that end. I hope this helps someone, and I hope this was the root of my problems!
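An added example for the triage step described above (not code from this thread, from Chrome, or from any tool named here): a Python script that parses an extension's manifest.json, the kind found in an unpacked extension folder at the "Loaded From" path Chrome shows in Developer Mode, and flags the features a search redirector relies on. The two manifests inside it are constructed samples; only the name "Default Extension" and the file names background.html and ContentScript.JScript come from this post, the rest of their contents is assumed.

```python
"""Triage Chrome extension manifests for search-hijack indicators.

Added example for this thread; the sample manifests are constructed,
not recovered from the machine discussed here.
"""
import json
import os

# Hosts a search-result hijacker typically targets.
SEARCH_HOST_MARKERS = ("google.", "bing.", "yahoo.", "ask.")

# Match patterns / permissions that grant access to every site.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permissions that let an extension observe or alter navigation.
SENSITIVE_PERMISSIONS = {"tabs", "webRequest", "webRequestBlocking",
                         "webNavigation", "proxy", "cookies", "management"}


def host_of_pattern(pattern):
    """Return the host part of a Chrome match pattern, '*' for <all_urls>."""
    if pattern == "<all_urls>":
        return "*"
    _scheme, _sep, rest = pattern.partition("://")
    return rest.split("/", 1)[0]


def is_search_host(host):
    """True for wildcard hosts and for hosts of the major search engines."""
    return host == "*" or any(marker in host for marker in SEARCH_HOST_MARKERS)


def triage_manifest(manifest):
    """Return a findings dict for one parsed manifest.json (a dict)."""
    permissions = set(manifest.get("permissions", []))
    findings = {
        "name": manifest.get("name", "<unnamed>"),
        "broad_host_access": bool(permissions & BROAD_MATCHES),
        "search_content_scripts": [],   # match patterns aimed at search engines
        "content_script_files": [],
        "background_page": None,
        "sensitive_permissions": sorted(permissions & SENSITIVE_PERMISSIONS),
    }
    for script in manifest.get("content_scripts", []):
        matches = script.get("matches", [])
        if BROAD_MATCHES & set(matches):
            findings["broad_host_access"] = True
        findings["search_content_scripts"] += [
            m for m in matches if is_search_host(host_of_pattern(m))]
        findings["content_script_files"] += script.get("js", [])
    background = manifest.get("background")
    if isinstance(background, dict):   # manifest v2: {"page": ...} or {"scripts": [...]}
        findings["background_page"] = (background.get("page")
                                       or ", ".join(background.get("scripts", []))
                                       or None)
    elif isinstance(manifest.get("background_page"), str):  # older v1 key
        findings["background_page"] = manifest["background_page"]
    return findings


def risk_score(findings):
    """Crude additive score; injection into search pages weighs most."""
    score = 3 if findings["search_content_scripts"] else 0
    score += 2 if findings["broad_host_access"] else 0
    score += 1 if findings["background_page"] else 0
    return score + len(findings["sensitive_permissions"])


def triage_extension_root(root):
    """Walk a profile's extension folders and triage every manifest.json, riskiest first."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" in files:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
                results.append((dirpath, triage_manifest(json.load(fh))))
    return sorted(results, key=lambda item: risk_score(item[1]), reverse=True)


# Constructed sample: what a redirecting extension's manifest could look like.
HIJACKER_MANIFEST = json.loads("""{
  "name": "Default Extension", "version": "1.0", "manifest_version": 2,
  "background": {"page": "background.html"},
  "permissions": ["tabs", "<all_urls>"],
  "content_scripts": [{
    "matches": ["*://*.google.com/*", "*://*.bing.com/*", "*://search.yahoo.com/*"],
    "js": ["ContentScript.JScript"],
    "run_at": "document_start"}]}""")

# Constructed sample: an ordinary extension with no navigation access.
BENIGN_MANIFEST = {"name": "Example Note Taker", "version": "2.3", "manifest_version": 2,
                   "permissions": ["storage"], "browser_action": {"default_popup": "popup.html"}}

if __name__ == "__main__":
    for manifest in (HIJACKER_MANIFEST, BENIGN_MANIFEST):
        found = triage_manifest(manifest)
        print(f"{found['name']!r}: risk {risk_score(found)} {found}")
```

Point triage_extension_root at a profile's Extensions folder (or the parent of an unpacked extension's "Loaded From" path) to rank everything installed by score.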
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Note: It was Java that was out of date, not javascript.

    I am a bit uneasy about your "digging around". I'd like you to update and run a new Eset scan.

    Then follow with this:
    Download HijackThis and save to your desktop.
    • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
    • Extract it to the directory on your hard drive you created C:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
• The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    =============================================
    We will deal with what is on these logs and then I'll close the thread. You started this a month ago and malware has been removed.
  19. Geryth

    Geryth Newcomer, in training Topic Starter

    Here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:07:37 PM, on 5/22/2012
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
    C:\Windows\CNYHKey.exe
    C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
    C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
    C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Windows\ModLedKey.exe
    C:\Program Files (x86)\AVG Secure Search\vprot.exe
    C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\SysWOW64\rundll32.exe
    C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\WinRAR\WinRAR.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z039&form=ZGAPHP
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0509&m=dx4300
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0509&m=dx4300
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.254:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
    O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [LedKey] CNYHKey.exe
    O4 - HKLM\..\Run: [LchDrvKey] LchDrvKey.exe
    O4 - HKLM\..\Run: [Gateway Photo Frame] "C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe" -A
    O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
    O4 - HKLM\..\Run: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe"
    O4 - HKLM\..\Run: [UVS10 Preload] "C:\Program Files (x86)\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [QuickTime Plugin Install] "C:\Program Files (x86)\QuickTime\Plugins\DeleteMe1.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
    O4 - HKLM\..\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
    O4 - HKCU\..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
    O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
    O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {C87ACE20-4BA7-11D4-AD69-0000F80020BC} (MEDITECHAppDwnld) - http://meditech.com/employees/Pages/Software/MTAppDwn.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: MEDITECH Application Manager (MTAppManager) - Medical Information Technology, Inc. - C:\Program Files (x86)\MEDITECH\MTAppDwn.exe
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: vToolbarUpdater11.0.2 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
    O23 - Service: VMware View Client Service (wsnm) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware View\Client\bin\wsnm.exe

    --
    End of file - 13193 bytes
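A way to triage the O23 (service) lines in a log like the one above, added here as an example; it is not something posted in the thread, and the parser and verdict rules are mine. The sample lines are copied from the log. One caveat a reader of this log should keep in mind: the host is 64-bit (note "Program Files (x86)"), and HijackThis is a 32-bit process, so WoW64 file-system redirection makes it look up C:\Windows\System32\... in SysWOW64, which is why genuine Windows services such as ALG, Spooler and VSS show up as "Unknown owner" and "(file missing)". The script therefore checks the path itself and must be run from 64-bit PowerShell so that Test-Path sees the real System32.

```powershell
# Added example, not from the thread: parse and triage HijackThis O23 (service) lines.
# Assumed: the line layout documented below, and that this runs in 64-bit PowerShell so
# that Test-Path on C:\Windows\System32\... is not redirected to SysWOW64 the way the
# 32-bit HijackThis process is.

function ConvertFrom-HjtServiceLine {
    # O23 - Service: <display name> (<service name>) - <vendor> - <path>[ (file missing)]
    # The display name may itself contain " - ", so the vendor is taken as the last
    # hyphen-free field that sits in front of a drive-letter path.
    param([string]$Line)
    $rx = '^O23 - Service: (?<name>.+) - (?<vendor>[^-]+?) - (?<path>[A-Za-z]:\\.+?)(?<missing> \(file missing\))?$'
    if (-not ($Line -match $rx)) { return $null }
    [pscustomobject]@{
        Name    = $Matches['name']
        Vendor  = $Matches['vendor']            # "Unknown owner" = no CompanyName in version info
        Path    = $Matches['path']
        Missing = [bool]$Matches['missing']     # HijackThis itself could not open the file
    }
}

function Get-HjtServiceTriage {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $svc = ConvertFrom-HjtServiceLine -Line $line
        if ($null -eq $svc) { continue }
        $inSystemDir = $svc.Path -match '\\Windows\\(System32|SysWOW64)\\'
        $present     = Test-Path -LiteralPath $svc.Path
        # Authenticode status is only meaningful where the binary exists on this machine.
        $signature   = if ($present) { (Get-AuthenticodeSignature -FilePath $svc.Path).Status.ToString() } else { 'n/a' }
        if ($svc.Vendor -ne 'Unknown owner') {
            $verdict = 'Vendor from version info; confirm the path is the expected install directory'
        } elseif ($svc.Missing -and $inSystemDir -and $present) {
            $verdict = 'Windows service; "(file missing)" is the 32-bit HijackThis WoW64 redirection artifact'
        } elseif ($present) {
            $verdict = 'No vendor in version info but file present: check signature and publisher'
        } else {
            $verdict = 'Orphaned service entry: binary gone, usually an uninstall leftover'
        }
        $svc | Add-Member -NotePropertyName Present   -NotePropertyValue $present   -PassThru |
               Add-Member -NotePropertyName Signature -NotePropertyValue $signature -PassThru |
               Add-Member -NotePropertyName Verdict   -NotePropertyValue $verdict   -PassThru
    }
}

# Sample input: a few lines copied from the log above. For a real run use
# Get-Content -LiteralPath .\hijackthis.log instead.
$SampleLog = @(
    'O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)',
    'O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe',
    'O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)',
    'O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)',
    'O23 - Service: vToolbarUpdater11.0.2 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe'
)
Get-HjtServiceTriage -Lines $SampleLog | Format-Table Name, Vendor, Missing, Present, Signature, Verdict -Wrap
```

On the machine the log came from, the ALG line resolves to a file that exists in the real System32 and gets the "redirection artifact" verdict, whereas entries such as the Norton and GameMon.des.exe services, whose binaries are gone, are reported as orphaned service entries; the AVG toolbar updater is present but carries no vendor string, so it is the one that gets a signature check.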
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Reset your browser proxies
    • For Firefox:
      o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
      o Click on the "Network" tab, and then on the "Settings" button.
      o Please make sure that the "No Proxy" option is selected.
    • For Internet Explorer:
      o Open Internet Explorer.
      o Click on "Tools" and then select "Internet Options".
      o Click on the "Connections" tab and click the "LAN Settings" button at the bottom.
      o Uncheck "Use a Proxy server for your LAN".
      o Click Ok to close the Local Area Network (LAN) Settings window.
      o Click Ok to close the Internet Options window.

    Any remaining problems?
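The two dialogs described above are front ends for settings stored elsewhere: Internet Explorer keeps its proxy configuration in the WinINet registry values under HKCU, and Firefox keeps it in the prefs.js of each profile. As an added example that is not part of the post, the following PowerShell reads those stores directly, including the automatic configuration script (PAC) URL, which can point traffic elsewhere even while the "Use a proxy server" box is unchecked. The registry value names, the prefs.js keys and the profile location are my assumptions about where the browsers keep these settings, and the sample prefs.js lines are constructed.

```powershell
# Added example, not from the thread. Reads the settings behind the two dialogs the post
# describes: the WinINet registry values behind Internet Options > Connections > LAN Settings,
# and the network.proxy.* entries of a Firefox profile's prefs.js.
# Assumed (not stated in the post): the registry value names and the profile path.

$IESettingsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-IEProxyState {
    $p = Get-ItemProperty -Path $IESettingsKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Browser       = 'Internet Explorer'
        ProxyEnabled  = ([int]$p.ProxyEnable -eq 1)   # "Use a proxy server for your LAN" checkbox
        ProxyServer   = $p.ProxyServer                # host:port, e.g. 127.0.0.1:8080
        AutoConfigURL = $p.AutoConfigURL              # "Use automatic configuration script" (PAC)
    }
}

function ConvertFrom-FirefoxPrefs {
    # Turn user_pref("name", value); lines into a hashtable of name -> value.
    param([string[]]$Lines)
    $prefs = @{}
    foreach ($line in $Lines) {
        if ($line -match '^user_pref\("([^"]+)",\s*(.+)\);\s*$') {
            $name = $Matches[1]
            $raw  = $Matches[2]
            if ($raw -match '^"(.*)"$') { $raw = $Matches[1] }   # strip quotes from string values
            $prefs[$name] = $raw
        }
    }
    return $prefs
}

function Get-FirefoxProxyState {
    param([hashtable]$Prefs)
    # network.proxy.type values as labelled in Options > Advanced > Network > Settings.
    $typeNames = @{ '0' = 'No proxy'; '1' = 'Manual proxy configuration'; '2' = 'Automatic proxy configuration URL'
                    '4' = 'Auto-detect proxy settings'; '5' = 'Use system proxy settings' }
    $type = $Prefs['network.proxy.type']
    $typeName = if ($null -eq $type) { 'not set in prefs.js (Firefox default applies)' } else { $typeNames["$type"] }
    [pscustomobject]@{
        Browser       = 'Firefox'
        ProxyType     = $typeName
        ProxyServer   = $Prefs['network.proxy.http']
        AutoConfigURL = $Prefs['network.proxy.autoconfig_url']
    }
}

function Get-ProxyFindings {
    # One line per setting that differs from the "No Proxy" state the post asks for.
    param($IE, $Firefox)
    $findings = @()
    if ($IE.ProxyEnabled)  { $findings += "IE: proxy enabled, server '$($IE.ProxyServer)'" }
    if ($IE.AutoConfigURL) { $findings += "IE: PAC script '$($IE.AutoConfigURL)'" }
    foreach ($ff in @($Firefox)) {
        if ($null -eq $ff) { continue }
        if ($ff.ProxyType -ne 'No proxy') { $findings += "Firefox: proxy type is '$($ff.ProxyType)'" }
        if ($ff.AutoConfigURL)            { $findings += "Firefox: PAC script '$($ff.AutoConfigURL)'" }
    }
    return $findings
}

# Constructed sample prefs.js lines (not from the thread) showing a planted PAC URL.
$SamplePrefs = @(
    'user_pref("browser.startup.homepage", "about:home");',
    'user_pref("network.proxy.type", 2);',
    'user_pref("network.proxy.autoconfig_url", "http://example.invalid/proxy.pac");'
)
$sampleState = Get-FirefoxProxyState -Prefs (ConvertFrom-FirefoxPrefs -Lines $SamplePrefs)
Get-ProxyFindings -IE (Get-IEProxyState) -Firefox $sampleState

# Live check of every Firefox profile on this machine (nothing is listed if Firefox is absent).
if ($env:APPDATA) {
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    $live = Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $prefsFile = Join-Path $_.FullName 'prefs.js'
        if (Test-Path -LiteralPath $prefsFile) {
            Get-FirefoxProxyState -Prefs (ConvertFrom-FirefoxPrefs -Lines (Get-Content -LiteralPath $prefsFile))
        }
    }
    Get-ProxyFindings -IE (Get-IEProxyState) -Firefox $live
}
```

The constructed sample produces two findings (proxy type "Automatic proxy configuration URL" and the PAC URL); on a machine that matches the post's target state, the live check prints nothing for Firefox and nothing for Internet Explorer.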
  21. Geryth

    Geryth Newcomer, in training Topic Starter

    Those already were my browser settings. I have not had a single problem since I deleted that folder that was installing the "Default" chrome extension.
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay then- let's clean up the tools!
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the Run box and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
    ------------------------------------------
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose "Disk Cleanup".
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin

    Let me know if you have any questions.