Solved Need help removing Google search link redirect virus

Status
Not open for further replies.

Geryth

I need assistance removing an extremely relentless redirect virus. The problem is, nothing seems to be able to find it. Here are my symptoms:

1) When I do a google search, my link is redirected (usually to Happili but others as well). This happens maybe 30% of the time, maybe a little less.

2) I think something is writing to my keyboard / mouse buffer. When I play a game where I hold a certain key down, I've noticed focus being lost on that key for a split second even though I've constantly held it down. I've never had this happen before I started seeing these redirects, so I have a suspicion that they are related.

I have a paid version of AVG Anti-Virus that finds nothing. I've run a full computer scan with the free version of Malwarebytes and found nothing. I've run TDSSKiller by kaspersky and found nothing. I've never had a problem that Malwarebytes couldn't fix, so I don't know what else to do, and thus am here for more experienced help.

Important Edit: So, don't know how I missed this, but I just now see two separate crss.exe processes running. I think one of them is probably the virus. The problem is I don't know which one, my access to kill both processes is denied, and Process Explorer won't tell me where they are running from (right clicking the process and choosing Properties yields completely blank results for "Path:", "Command Line" and "Current directory"). Unless there is a need or commonly exists more than one crss.exe, I'm not sure about that though.
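As an added example (not part of this thread, and not something either poster ran), here is the kind of check a defender would use instead of guessing which of two look-alike processes is the impostor: the script assumes the process the post calls "crss.exe" is meant to be csrss.exe, enumerates every process whose name resembles it, and judges each copy by the location it was loaded from and its signature rather than by how many copies there are. The name pattern and the verdict strings are assumptions chosen for illustration.

```powershell
# Added example, not from the thread: enumerate csrss.exe look-alikes and report
# where each one is loaded from. Run from an elevated PowerShell prompt; without
# elevation ExecutablePath is often empty for protected system processes.
$expectedPath = Join-Path $env:SystemRoot 'System32\csrss.exe'

function Get-CsrssVerdict {
    # Name pattern is an assumption: catches csrss.exe and typos such as crss.exe.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -match '^c[sr]{1,3}ss\.exe$' } |
        ForEach-Object {
            $path = $_.ExecutablePath
            $verdict =
                if ([string]::IsNullOrEmpty($path)) {
                    # Path unreadable: either not elevated, or the process is hiding.
                    'UNKNOWN: image path not readable'
                }
                elseif ($path -ine $expectedPath) {
                    # Genuine csrss.exe only ever runs from System32.
                    'SUSPECT: unexpected image location'
                }
                elseif ((Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') {
                    # System binaries are catalog-signed; a bad status needs a closer look.
                    'SUSPECT: signature not valid'
                }
                else {
                    'OK: genuine location and valid signature'
                }

            [pscustomobject]@{
                PID       = $_.ProcessId
                ParentPID = $_.ParentProcessId
                Session   = $_.SessionId
                Name      = $_.Name
                Path      = $path
                Verdict   = $verdict
            }
        }
}

Get-CsrssVerdict | Format-Table -AutoSize
```

Note that the count alone proves nothing: on Vista and later, Windows starts one genuine csrss.exe per session (session 0 plus the interactive session), so two copies under System32 with valid signatures are normal. A copy whose path is outside System32, or whose name is spelled almost but not quite right, is what this check is designed to surface.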
 
Thank you for the good description! We need to get some logs to see what's running: malware entries do not necessarily appear 'bad' to an untrained eye.

Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
==========================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.
 
Edit: Sorry for the coding tags, they worked in the preview : /

=========================================================

Step 1: Antivirus scanning

Done with AVG Anti-Virus 2012, a paid-for service.
  • Ran a normal, full system scan.
  • "No infection was found during this scan"
  • I know the instruction said no logs or actions were necessary, but I just wanted to be thorough

=========================================================

Step 2: Malwarebytes Anti-Malware

  • My version was encountering an error when I tried to update it, so I re-downloaded the product from your link. It successfully updated after a fresh install.
  • Ran a quick scan.
  • Here are the log results:

4/14/2012 2:22:49 PM
mbam-log-2012-04-14 (14-22-49).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207597
Time elapsed: 5 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKCR\.exe\shell\open\command| (Hijack.ExeFile) -> Data: "C:\Users\The Saxton Family\AppData\Local\av.exe" /START "%1" %* -> Quarantined and deleted successfully.
HKCR\secfile\shell\open\command| (Rogue.MultipleAV) -> Data: "C:\Users\The Saxton Family\AppData\Local\av.exe" /START "%1" %* -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Users\The Saxton Family\AppData\Local\av.exe" /START "C:\Program Files (x86)\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\The Saxton Family\Downloads\LimeWireSetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.

(end)

  • I was prompted to restart the computer, and I did so.
  • This very well could have quelled the situation, and the answer could be simply that I needed a newer version of Malwarebytes.

=========================================================

Step 3: GMER

  • Installed GMER as per the instructions, disconnected from the internet, disabled my AVG anti-virus, and ran the program.
  • It did not do an automatic quick scan as described, so I clicked "Scan" and it scanned fine, although it was a full system scan.
  • NO LOG GENERATED! "GMER hasn't found any system modification."

=========================================================

Step 4: DDS

  • Had to reconnect to the internet and I re-enabled my antivirus, in order to download DDS. The instructions could be written to include downloading DDS with GMER before disconnecting, as it seems to imply I still shouldn't be connected when running it.
  • Had problems downloading this from Chrome, it wouldn't work, but it worked fine when I did it in Firefox. I found that very odd.
  • Disconnected from the internet again, and disabled my anti-virus, because the step at the end that says "Enable your Antivirus protection and reconnect to the internet." leads me to believe that this should be done while not connected.
  • This is the contents of DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_26
Run by The Saxton Family at 16:12:10 on 2012-04-14
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.7934.5463 [GMT -4:00]
.
AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agr64svc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MYSQL\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\MEDITECH\MTAppDwn.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\VMware\VMware View\Client\bin\wsnm.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\MHotKey.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files (x86)\Steam\Steam.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
C:\Windows\CNYHKey.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ModLedKey.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\The Saxton Family\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler.exe
C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\ChiFuncExt.exe
C:\Users\The Saxton Family\AppData\Local\Google\Update\1.3.21.111\GoogleCrashHandler64.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\AVG\AVG2012\avgui.exe
C:\Program Files (x86)\AVG\AVG2012\avgcfgex.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0509&m=dx4300
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0509&m=dx4300
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0509&m=dx4300
uInternet Settings,ProxyServer = 192.168.1.254:80
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [Google Update] "C:\Users\The Saxton Family\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
uRunOnce: [WebPlatformInstaller] "C:\Program Files\Microsoft\Web Platform Installer\WebPlatformInstaller.exe" "/id" "wpi:placeholder&ASPNET&NETFramework4&MVC2&NETEXTENSIBILITY&ISAPIExtensions&ISAPIFilters&StaticContentCompression&DefaultDocument&DirectoryBrowse&HTTPErrors&HTTPLogging&LoggingTools&RequestMonitor&IISManagementConsole&RequestFiltering&SQLExpress&VWD2010&StaticContent?"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [LedKey] CNYHKey.exe
mRun: [LchDrvKey] LchDrvKey.exe
mRun: [Gateway Photo Frame] "C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe" -A
mRun: [CLMLServer] "C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
mRun: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe"
mRun: [UVS10 Preload] "C:\Program Files (x86)\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [QuickTime Plugin Install] "C:\Program Files (x86)\QuickTime\Plugins\DeleteMe1.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C87ACE20-4BA7-11D4-AD69-0000F80020BC} - hxxp://meditech.com/employees/Pages/Software/MTAppDwn.exe
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 205.152.37.23 205.152.150.23
TCP: Interfaces\{4BED0765-0D26-40DE-A5EB-9DADCFDB1001} : DhcpNameServer = 205.152.37.23 205.152.150.23
TCP: Interfaces\{A0B2F641-D9E0-430C-B8D2-50DB2177C59B} : DhcpNameServer = 205.152.37.23 205.152.150.23
TCP: Interfaces\{FEE06A1E-5888-432C-A32B-684281C2E549} : DhcpNameServer = 205.152.37.23 205.152.150.23
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Yontoo Layers: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll
BHO-X64: Yontoo Layers - No File
TB-X64: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB-X64: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [LedKey] CNYHKey.exe
mRun-x64: [LchDrvKey] LchDrvKey.exe
mRun-x64: [Gateway Photo Frame] "C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe" -A
mRun-x64: [CLMLServer] "C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
mRun-x64: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe"
mRun-x64: [UVS10 Preload] "C:\Program Files (x86)\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [QuickTime Plugin Install] "C:\Program Files (x86)\QuickTime\Plugins\DeleteMe1.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\The Saxton Family\AppData\Roaming\Mozilla\Firefox\Profiles\bazmz6if.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=DCF2DF&PC=DCF2&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.68\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npclntax_HBLiteSA.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\Microsoft\Web Platform Installer\NPWPIDetector.dll
FF - plugin: C:\Users\The Saxton Family\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Users\The Saxton Family\AppData\Local\HuluDesktop\instances\0.9.14.1\nphdplg.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-8-2 192776]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MSSQL$MYSQL;SQL Server (MYSQL);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MYSQL\MSSQL\Binn\sqlservr.exe [2011-4-24 42872672]
R2 MTAppManager;MEDITECH Application Manager;C:\Program Files (x86)\MEDITECH\MTAppDwn.exe [2011-6-13 133592]
R2 wsnm;VMware View Client Service;C:\Program Files (x86)\VMware\VMware View\Client\bin\wsnm.exe [2009-11-18 151552]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 cxpl_mhd;CX23885/8 PCI-E AvStream Video Capture (PalomarMHD);C:\Windows\system32\drivers\y_cx88x.sys --> C:\Windows\system32\drivers\y_cx88x.sys [?]
R3 RTL85n64;Realtek 8180/8185 Extensible 802.11 Wireless Device Driver;C:\Windows\system32\DRIVERS\RTL85n64.sys --> C:\Windows\system32\DRIVERS\RTL85n64.sys [?]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x64.sys --> C:\Windows\system32\DRIVERS\yk60x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-13 135664]
S2 Norton Internet Security;Norton Internet Security;"C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S3 Amazon Download Agent;Amazon Download Agent;C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [2011-4-29 401920]
S3 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2010-3-8 25832]
S3 Gun;Gun;\??\C:\Windows\system32\Gun64.sys --> C:\Windows\system32\Gun64.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-13 135664]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 U6000ALL;HDTV110 TV Box(ALL);C:\Windows\system32\DRIVERS\dmdcap.sys --> C:\Windows\system32\DRIVERS\dmdcap.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 ahcix64s;ahcix64s;C:\Windows\system32\drivers\ahcix64s.sys --> C:\Windows\system32\drivers\ahcix64s.sys [?]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-18 89920]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files (x86)\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0103;RsFx0103 Driver;C:\Windows\system32\DRIVERS\RsFx0103.sys --> C:\Windows\system32\DRIVERS\RsFx0103.sys [?]
S4 SQLAgent$MYSQL;SQL Server Agent (MYSQL);C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.MYSQL\MSSQL\Binn\SQLAGENT.EXE [2011-4-24 367456]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-3-30 427880]
.
=============== Created Last 30 ================
.
2012-04-13 07:04:49 4699520 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-13 07:04:32 78848 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-13 07:04:32 5632 ----a-w- C:\Windows\System32\wmi.dll
2012-04-13 07:04:32 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-13 07:04:32 219136 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-13 07:04:32 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-13 07:04:32 16384 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-13 07:04:32 157696 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-07 03:37:13 -------- d-----w- C:\Program Files (x86)\Lame For Audacity
2012-04-05 23:55:24 -------- d-----w- C:\Program Files (x86)\GOG.com
2012-04-04 05:53:56 182160 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2012-04-04 05:53:56 182160 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
2012-03-19 19:53:53 592824 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-19 19:53:53 44472 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
2012-03-18 03:44:24 -------- d-----w- C:\Users\The Saxton Family\AppData\Local\Procaster
.
==================== Find3M ====================
.
2012-04-04 19:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-10 15:47:53 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-28 15:35:29 1032192 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 15:26:16 834048 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 14:56:20 485376 ----a-w- C:\Windows\System32\html.iec
2012-02-28 14:21:25 389632 ----a-w- C:\Windows\SysWow64\html.iec
2012-02-28 14:19:28 1383424 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 13:56:50 1383424 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-15 16:01:50 52736 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
2012-02-15 16:01:50 4547944 ----a-w- C:\Windows\System32\usbaaplrc.dll
2012-02-14 16:49:43 327680 ----a-w- C:\Windows\System32\d3d10_1core.dll
2012-02-14 16:49:43 196096 ----a-w- C:\Windows\System32\d3d10_1.dll
2012-02-14 15:45:30 219648 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2012-02-13 14:38:31 2002944 ----a-w- C:\Windows\System32\d3d10warp.dll
2012-02-13 14:12:08 1172480 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2012-02-13 14:06:48 834048 ----a-w- C:\Windows\System32\d2d1.dll
2012-02-13 14:03:11 1555968 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-13 13:47:57 683008 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-02 15:34:25 2765824 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 16:12:41.16 ===============

  • This is the contents of Attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 5/20/2009 10:38:27 PM
System Uptime: 4/14/2012 2:36:36 PM (2 hours ago)
.
Motherboard: Gateway | | RS780
Processor: AMD Phenom(tm) 9750 Quad-Core Processor | AM2 | 2400/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 917 GiB total, 368.51 GiB free.
D: is CDROM (CDFS)
E: is Removable
F: is Removable
G: is Removable
H: is Removable
I: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&2A700557&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&2A700557&0
Service: i8042prt
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
AAC Decoder
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.1.3)
Adobe Shockwave Player 11.5
Age of Empires Online
Alien Swarm
Amazon Games & Software Downloader
Amazon MP3 Downloader 1.0.5
AMD LIVE! Explorer
Apple Application Support
Apple Software Update
Audacity 1.3.14 (Unicode)
Audacity 2.0
AutoUpdate
AviSynth 2.5
Bejeweled 2 Deluxe
Big Fish Games: Game Manager
Burger Shop
Canon MP Navigator EX 2.0
Canon MP240 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center InstallProxy
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Norwegian
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
ccc-core-static
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Norwegian
CCC Help Spanish
CCC Help Swedish
Champions Online: Free For All
Choice Guard
Command & Conquer Red Alert 2
Command && Conquer Red Alert 2 - Yuri's Revenge
Compatibility Pack for the 2007 Office system
Counter-Strike: Source
Counter-Strike: Source Beta
Coupon Printer for Windows
CyberLink Power2Go
Diner Dash
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Dragon Age: Origins
Dream Of Mirror Online
Fallout
Fallout 3
Fallout: New Vegas
Farm Frenzy
ffdshow [rev 2583] [2009-01-05]
File Type Assistant
FINAL FANTASY XIV Beta Version
Final Media Player 2011
FoxTab Music Converter (remove only)
FoxTab PDF Converter
Free Video to MP3 Converter version 5.0.3.1206
Game Maker 8.0
GameGuard
Gateway Games
Gateway Photo Frame 4.2.3.6
Gateway Recovery Management
Gateway ScreenSaver
GDR 1617 for SQL Server 2008 R2 (KB2494088)
Gimp 2.6.2 Debug
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
GunBound Thor's Hammer version 451
GunboundIS
GunboundWC
H.264 Decoder
Haali Media Splitter
HandBrake 0.9.5
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
Hulu Desktop
Indiana Jones and the Last Crusade
InstallIQ Updater
IrfanView (remove only)
Java Auto Updater
Java(TM) 6 Update 26
Java(TM) 6 Update 5
Java(TM) SE Development Kit 6 Update 18
Junk Mail filter update
KB0817 Keyboard Driver
King Arthur - The Role-playing Wargame
LAME v3.99.3 (for Windows)
League of Legends
Left 4 Dead
Left 4 Dead 2 Demo
Livestream Procaster
Logitech Gaming Software 64
LOLReplay
Malwarebytes Anti-Malware version 1.61.0.1400
Marvell Miniport Driver
MEDITECH RAT
Microsoft .NET Framework 4 Multi-Targeting Pack
Microsoft Age of Empires Gold
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Application Error Reporting
Microsoft ASP.NET MVC 2
Microsoft ASP.NET MVC 2 - VWD Express 2010 Tools
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Report Viewer Redistributable 2008 (KB971119)
Microsoft Report Viewer Redistributable 2008 SP1
Microsoft Silverlight
Microsoft Silverlight 3 SDK
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2008 R2 Management Objects
Microsoft SQL Server 2008 R2 Policies
Microsoft SQL Server 2008 R2 RsFx Driver
Microsoft SQL Server 2008 R2 Setup (English)
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Browser
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Compact 3.5 SP2 Query Tools ENU
Microsoft SQL Server Database Publishing Wizard 1.4
Microsoft SQL Server System CLR Types
Microsoft Visual C# 2010 Express - ENU
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4974
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Runtime - 10.0.30319
Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Microsoft Visual Web Developer 2010 Express - ENU
Microsoft Works
MKV Splitter
Mozilla Firefox 11.0 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Mystery Case Files: Ravenhearst ®
NVIDIA PhysX
One Touch Video Capture
Pando Media Booster
Plants vs. Zombies: Game of the Year
Portal
Quake 3 Arena Demo
QuickTime
Realtek High Definition Audio Driver
RollerCoaster Tycoon
S.T.A.L.K.E.R.: Call of Pripyat
Sam & Max 201: Ice Station Santa
Sam & Max 202: Moai Better Blues
Sam & Max 203: Night of the Raving Dead
Sam & Max 204: Chariots of the Dogs
Sam & Max 205: What's New Beelzebub?
ScummVM 0.13.1a
Search Toolbar
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Visual C# 2010 Express - ENU (KB2251489)
Security Update for Microsoft Visual Web Developer 2010 Express - ENU (KB2251489)
Skins
Skype Click to Call
Skype™ 5.5
Sothink Movie DVD Maker
Spelling Dictionaries Support For Adobe Reader 9
SQL Server 2008 R2 Common Files
SQL Server 2008 R2 Database Engine Services
SQL Server 2008 R2 Database Engine Shared
SQL Server 2008 R2 Management Studio
Sql Server Customer Experience Improvement Program
Star Wars - Jedi Knight II: Jedi Outcast
Star Wars - Jedi Knight: Mysteries of the Sith
Star Wars Jedi Knight: Dark Forces II
Star Wars Jedi Knight: Jedi Academy
Star Wars: Dark Forces
StarCraft
StarCraft II
StarCraft II Beta
Steam
Team Fortress 2
Torchlight
Ulead VideoStudio SE DVD
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
VC500 Driver
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
Vista Codec Package
Visual C++ 8.0 Runtime Setup Package (x64)
Visual Studio 2008 x64 Redistributables
Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
VMware View Client
VoiceOver Kit
VST Bridge 1.1
Walmart MP3 Music Downloads
Warcraft III
Warcraft III: All Products
Westwood Shared Internet Components
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Player Firefox Plugin
WinRAR archiver
Wolfenstein - Enemy Territory
World of Warcraft
XnView 1.98.2
.
==== Event Viewer Messages From Past Week ========
.
4/14/2012 2:38:42 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SRTSP SRTSPX
4/14/2012 2:38:42 PM, Error: Service Control Manager [7000] - The Norton Internet Security service failed to start due to the following error: The system cannot find the path specified.
4/13/2012 8:37:15 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
4/13/2012 8:37:15 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/13/2012 8:37:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
4/13/2012 8:36:21 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
4/13/2012 8:36:21 AM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
.
==== End Of File ===========================

  • That is all that is requested for now, although I feel it necessary to mention that my computer is still running two processes called csrss.exe; I don't know if that's normal.
 
For some reason, since the new forum look came out, I can no longer edit my post. I just wanted to add that even after the newer version of Malwarebytes discovered more things and removed them, I am still getting redirects.
 
They are still working on the site. Just make an extra post here if needed. There are still a few glitches to be smoothed out. I've had internet problems also since this AM!
---------------------------
I'd like you to run Combofix- but it won't run with AVG. You will need to temporarily uninstall AVG as follows:

Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.

Temporary AV: Use one:
Microsoft Security Essentials
Comodo AV
Avast! Free Antivirus
=============================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save it to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

I think you're going to see some 'extra' processes in Eset from Diner Dash, Big Fish and possibly other related entries.
-----------------------------------------------
Did you have Norton on the system at one time? I see the following error:
4/14/2012 2:38:42 PM, Error: Service Control Manager [7000] - The Norton Internet Security service failed to start due to the following error: The system cannot find the path specified.

Try running the Norton Removal Tool
 
Some of the coding isn't working. I tried to edit but couldn't. I think you have everything you need for the 2 scans. If they parse anymore, I'll redo the reply.
 
  • I installed AppRemover to uninstall AVG
  • I uninstalled AVG
  • I installed Avast! Free-Antivirus.
  • I rebooted my computer as instructed by AppRemover.
  • I downloaded, installed, and ran Eset Online Scanner (unchecked "Remove Found Threats" and selected "Scan archives")
  • Here are the results:

C:\Program Files (x86)\FoxTabAudioConverter\AudioConverter.exe	a variant of Win32/InstallCore.A application
C:\Users\The Saxton Family\AppData\Local\Temp\is1972027439\zgInstaller.exe	Win32/Toolbar.Zugo application
C:\Users\The Saxton Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-4f1e1374	Java/TrojanDownloader.Agent.NBL trojan
C:\Users\The Saxton Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\640c67b5-6241ba07	Java/TrojanDownloader.Agent.NBM trojan
C:\Users\The Saxton Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-24b1a2fb	Java/TrojanDownloader.Agent.NBK trojan

  • Reinstalled AVG
  • Uninstalled AVAST!
  • Rebooted as prompted by AVAST! uninstall
  • Yes, I did at one time have Norton Anti-Virus.
 
Oops!
I left Combofix directions out! The whole idea of removing AVG was so you could run Combofix! Sorry about that!

A comment: When we say to re-enable the AV after the scan, understand that Avast is a functional, updated AV. In the case of Combofix, you do not need to reinstall AVG at that point. We aren't finished with Combofix.

Please run the App Remover again and remove AVG.

Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Before you run the Combofix scan, please disable any security software you have running.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated and will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software. >>> If you choose Avast, re-enable Avast. Don't reinstall AVG now.
Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2:If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3:CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
============================================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files
    C:\Program Files (x86)\FoxTabAudioConverter\AudioConverter.exe
    C:\Users\The Saxton Family\AppData\Local\Temp\is1972027439\zgInstaller.exe
    C:\Users\The Saxton Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-4f1e1374
    C:\Users\The Saxton Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\640c67b5-6241ba07
    C:\Users\The Saxton Family\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-24b1a2fb
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
============================================
You are getting malware due in part to the fact that you have 3 outdated versions of Java and these are vulnerabilities:

Please update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

Be sure to check all download screens for any pre-checked toolbars or BHO; if found, remove the check before the download.
===========================================
You have multiple old versions of Java and do not have the current version. The best way to handle that is to run the following: Note: I do not want this log!

Please download JavaRa and unzip it to your desktop.

Important!***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Note: Do not leave this log.
===========================================
Please leave the Combofix log and the OTM log in your next reply.
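As an added example (my own code, not from this thread, ESET or OTMoveIt), the script below turns an ESET "Export to text file" result into the :Files/:Commands text that OTMoveIt expects, so the paths do not have to be copied by hand, and it flags any hits under the Java deployment cache, which is where payloads delivered through an outdated Java plug-in land. It assumes the export format shown in the results above (one finding per line, path, tab, detection name); the sample findings are constructed and do not come from the poster's machine.

```python
"""Turn an ESET Online Scanner export into an OTMoveIt ':Files' script.

Added example, not part of this thread or of the ESET/OTMoveIt tools.
Assumes ESET's export format: one finding per line, <path><TAB><detection>.
"""
import re
from typing import List, Tuple

# One finding per line: an absolute Windows path, a tab, the detection name.
ESET_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\[^\t]+)\t(?P<threat>\S.*)$")

# Constructed sample export (same shape as the thread's results, fake paths).
SAMPLE_ESET_EXPORT = (
    "C:\\Program Files (x86)\\ExampleConverter\\AudioConverter.exe\t"
    "a variant of Win32/InstallCore.A application\n"
    "C:\\Users\\Example User\\AppData\\Local\\Temp\\is1234567890\\zgInstaller.exe\t"
    "Win32/Toolbar.Zugo application\n"
    "C:\\Users\\Example User\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache"
    "\\6.0\\4\\deadbeef-cafef00d\tJava/TrojanDownloader.Agent.NBL trojan\n"
    # The same path listed twice; it must appear only once in the script.
    "C:\\Users\\Example User\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache"
    "\\6.0\\4\\deadbeef-cafef00d\tJava/TrojanDownloader.Agent.NBL trojan\n"
    # A line that is not a finding (e.g. a summary line) and must be ignored.
    "Scan finished: 4 threats found\n"
)


def parse_eset_export(text: str) -> List[Tuple[str, str]]:
    """Return (path, detection) pairs; lines that are not findings are skipped."""
    findings = []
    for raw in text.splitlines():
        match = ESET_LINE.match(raw.strip())
        if match:  # a line with no detection name (trailing tab only) never matches
            findings.append((match.group("path").rstrip(),
                             match.group("threat").strip()))
    return findings


def unique_paths(findings: List[Tuple[str, str]]) -> List[str]:
    """De-duplicate paths case-insensitively (NTFS is), keeping first-seen order."""
    seen, paths = set(), []
    for path, _detection in findings:
        key = path.lower()
        if key not in seen:
            seen.add(key)
            paths.append(path)
    return paths


def java_cache_paths(paths: List[str]) -> List[str]:
    """Findings under the Java deployment cache: files that arrived through the
    browser Java plug-in, the usual sign of an outdated Java install."""
    marker = "\\sun\\java\\deployment\\cache\\"
    return [p for p in paths if marker in p.lower()]


def build_otm_script(paths: List[str],
                     commands=("purity", "emptytemp", "start explorer", "Reboot")) -> str:
    """Build the text to paste into OTMoveIt's 'Paste Instructions' box.

    Mirrors the script in the thread: a ':Files' section with one path per
    line, then a ':Commands' section of bracketed directives.
    """
    lines = [":Files", *paths, ":Commands", *(f"[{c}]" for c in commands)]
    return "\r\n".join(lines) + "\r\n"  # CRLF so it pastes cleanly on Windows


if __name__ == "__main__":
    found = parse_eset_export(SAMPLE_ESET_EXPORT)
    targets = unique_paths(found)
    for hit in java_cache_paths(targets):
        print("Java cache hit (update Java, remove old versions):", hit)
    print(build_otm_script(targets))
```

Review the generated :Files list against the ESET export before clicking MoveIt!, since anything listed there is moved on the next run.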
 
  • I uninstalled AVG again.
  • I reinstalled AVAST!
  • I downloaded Combofix.
  • I disabled AVAST!
  • I ran Combofix. Here is the log:

ComboFix 12-04-18.02 - The Saxton Family 04/18/2012 18:56:04.1.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.7934.5516 [GMT -4:00]
Running from: c:\users\The Saxton Family\Desktop\Virus Removal Stuff\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: AVG Anti-Virus 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: AVG Anti-Virus 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\program files (x86)\Mozilla Firefox\components\AskHPRFF.js
c:\program files (x86)\Search Toolbar
c:\program files (x86)\Search Toolbar\icon.ico
c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
c:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe
c:\users\The Saxton Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\7kyxb.jpg
c:\users\The Saxton Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\bYyxX.jpg
c:\users\The Saxton Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\y4lb1x8bA.jpg
c:\users\The Saxton Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\yN6N5X4M.jpg
c:\users\The Saxton Family\AppData\Roaming\Love
c:\users\The Saxton Family\AppData\Roaming\Love\mari0\options.txt
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
.
.
((((((((((((((((((((((((( Files Created from 2012-03-18 to 2012-04-18 )))))))))))))))))))))))))))))))
.
.
2012-04-18 23:19 . 2012-04-18 23:24 -------- d-----w- c:\users\The Saxton Family\AppData\Local\temp
2012-04-18 23:19 . 2012-04-18 23:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-18 22:30 . 2012-03-06 23:01 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-04-18 22:30 . 2012-03-06 23:04 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-04-18 22:30 . 2012-03-06 23:02 43864 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-04-18 22:30 . 2012-03-06 23:01 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-04-18 22:30 . 2012-03-06 23:04 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-04-18 22:30 . 2012-03-06 23:01 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-04-18 22:29 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-04-18 22:29 . 2012-03-06 23:15 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-04-16 13:24 . 2012-04-16 13:24 -------- d-----w- c:\users\The Saxton Family\AppData\Roaming\AVG2012
2012-04-16 13:16 . 2012-04-18 23:21 -------- d-----w- c:\programdata\AVG2012
2012-04-16 13:14 . 2012-04-16 13:14 -------- d-----w- c:\program files (x86)\AVG
2012-04-16 13:10 . 2012-04-18 22:46 -------- d-----w- c:\programdata\MFAData
2012-04-16 01:46 . 2012-04-16 01:46 -------- d-----w- c:\program files (x86)\ESET
2012-04-16 01:35 . 2012-03-06 23:15 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-04-16 01:32 . 2012-04-18 22:28 -------- d-----w- c:\programdata\AVAST Software
2012-04-16 01:32 . 2012-04-18 22:28 -------- d-----w- c:\program files\AVAST Software
2012-04-13 07:04 . 2012-03-06 06:44 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-13 07:04 . 2012-02-29 15:37 5632 ----a-w- c:\windows\system32\wmi.dll
2012-04-13 07:04 . 2012-02-29 15:37 219136 ----a-w- c:\windows\system32\wintrust.dll
2012-04-13 07:04 . 2012-02-29 15:35 78848 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-13 07:04 . 2012-02-29 15:09 157696 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-13 07:04 . 2012-02-29 13:52 16384 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-07 03:37 . 2012-04-07 03:37 -------- d-----w- c:\program files (x86)\Lame For Audacity
2012-04-05 23:55 . 2012-04-05 23:55 -------- d-----w- c:\program files (x86)\GOG.com
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2012-04-04 05:53 . 2012-04-04 05:53 182160 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 19:56 . 2010-02-26 23:57 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 15:47 . 2011-11-23 14:22 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-29 15:11 . 2012-04-13 07:04 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-02-29 15:11 . 2012-04-13 07:04 172032 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-02-28 15:26 . 2012-04-12 15:57 834048 ----a-w- c:\windows\SysWow64\wininet.dll
2012-02-15 16:01 . 2012-02-15 16:01 52736 ----a-w- c:\windows\system32\drivers\usbaapl64.sys
2012-02-15 16:01 . 2012-02-15 16:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-14 16:49 . 2012-03-14 05:17 327680 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 16:49 . 2012-03-14 05:17 196096 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-14 15:45 . 2012-03-14 05:17 219648 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-14 05:17 160768 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2012-02-13 14:38 . 2012-03-14 05:17 2002944 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 14:12 . 2012-03-14 05:17 1172480 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2012-02-13 14:06 . 2012-03-14 05:17 834048 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 14:03 . 2012-03-14 05:17 1555968 ----a-w- c:\windows\system32\DWrite.dll
2012-02-13 13:47 . 2012-03-14 05:17 683008 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-02-13 13:44 . 2012-03-14 05:17 1068544 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-02 15:34 . 2012-03-14 05:17 2765824 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-02 1242448]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2011-07-22 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"Gateway Photo Frame"="c:\program files (x86)\Gateway Photo Frame\ButtonMonitor.exe" [2009-05-05 123904]
"CLMLServer"="c:\program files (x86)\Cyberlink\Power2Go\CLMLSvc.exe" [2008-12-24 103720]
"AmazonGSDownloaderTray"="c:\program files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-10-23 326144]
"UVS10 Preload"="c:\program files (x86)\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"QuickTime Plugin Install"="c:\program files (x86)\QuickTime\Plugins\DeleteMe1.exe" [2012-01-11 86016]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"Malwarebytes Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-18 c:\windows\Tasks\Final Media Player Update Checker.job
- c:\program files (x86)\FinalMediaPlayer\FMPCheckForUpdates.exe [2011-07-27 19:24]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-13 16:50]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-13 16:50]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3239571492-3292308985-2968727561-1000Core.job
- c:\users\The Saxton Family\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-17 02:46]
.
2012-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3239571492-3292308985-2968727561-1000UA.job
- c:\users\The Saxton Family\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-17 02:46]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-03-30 1833504]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-03-30 7574048]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-04 2114376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=Z039&form=ZGAPHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0509&m=dx4300
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyServer = 192.168.1.254:80
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 205.152.37.23 205.152.150.23
DPF: {C87ACE20-4BA7-11D4-AD69-0000F80020BC} - hxxp://meditech.com/employees/Pages/Software/MTAppDwn.exe
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\The Saxton Family\AppData\Roaming\Mozilla\Firefox\Profiles\bazmz6if.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=DCF2DF&PC=DCF2&q=
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bab801183-ca41-49bc-be59-5515aa243954%7D&mid=096d170263091ff919f073b96f298293-1db9057191df1134e1184579f57f2796b3789536&ds=AVG&v=10.2.0.3&lang=en&pr=pr&d=2012-04-16%2009%3A19%3A59&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-FX - Music Converter - c:\progra~2\FOXTAB~1\Uninstall\Uninstall.exe
AddRemove-Search Toolbar - c:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-FoxTab PDF Converter - c:\program files (x86)\FoxTabPDFConverter\Uninstall\Uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3239571492-3292308985-2968727561-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:ad,1f,1b,87,42,14,ff,f5,41,8c,84,32,ed,0b,0f,ae,45,0b,1f,df,fa,
5b,94,a4,4e,aa,ee,5d,40,2a,67,c2,44,2b,32,42,20,a4,ba,c2,34,e1,a6,70,d5,dc,\
"rkeysecu"=hex:25,f6,04,4d,45,50,0a,40,a3,da,c4,45,36,7c,0b,25
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10c.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL10_50.MYSQL\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\MEDITECH\MTAppDwn.exe
c:\program files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\MHotKey.exe
c:\program files (x86)\VMware\VMware View\Client\bin\wsnm.exe
c:\windows\ChiFuncExt.exe
c:\windows\CNYHKey.exe
c:\windows\ModLedKey.exe
c:\program files (x86)\Common Files\Steam\SteamService.exe
.
**************************************************************************
.
Completion time: 2012-04-18 19:33:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-18 23:33
.
Pre-Run: 389,109,059,584 bytes free
Post-Run: 389,731,225,600 bytes free
.
- - End Of File - - F20C40A92D7FA83C729CFD2230B6E4AE

  • My computer rebooted after Combofix.
  • I installed and ran OTMovit by Old Timer, and pasted your code block into the program and clicked the red Moveit! button.
  • Here is the log:

All processes killed
========== FILES ==========
File/Folder C:\Program Files (x86)\FoxTabAudioConverter\AudioConverter.exea not found.
File/Folder C:\Users\The SaxtonFamily\AppData\Local\Temp\is1972027439\zgInstaller.exe not found.
File/Folder C:\Users\The SaxtonFamily\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\40591084-4f1e1374J not found.
File/Folder C:\Users\The SaxtonFamily\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\53\640c67b5-6241ba07 not found.
File/Folder C:\Users\The SaxtonFamily\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\8\3f5641c8-24b1a2fb not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: The Saxton Family
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 107559027 bytes
->Java cache emptied: 23268767 bytes
->FireFox cache emptied: 196675216 bytes
->Google Chrome cache emptied: 21705713 bytes
->Flash cache emptied: 5864690 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 4487515 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 343.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 04182012_194142

Files moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

  • I then removed old versions of Java and installed a new version and received the latest updates.
 
Repeating:
A comment: When we say to re-enable the AV after the scan, understand that Avast is a functional, updated AV. In the case of Combofix, you do not need to reinstall AVG at that point. We aren't finished with Combofix.
I'd like you to understand that Avast is a fully functioning antivirus program. It isn't necessary for you to uninstall AVG, then install Avast and the minute you finish the Combofix scan to hurry and reinstall AVG. The comment that reminds you to re-enable the AV when you finish a scan is not meant to indicate you need to do the above. Avast is a free, good and legitimate AV. The system is protected. Just because we refer to a 'temporary AV' does not mean the system isn't covered.

Some AVG entries remain when you do the above 'swap', so please leave Avast on the system until we have finished cleaning. Then, if you wish, you can reinstall AVG and remove Avast.
===============================================
There is a proxy enabled that may be causing the redirect:
Reset your browser proxies
  • For Firefox:
    o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    o Click on the "Network" tab, and then on the "Settings" button.
    o Please make sure that the "No Proxy" option is selected.
  • For Internet Explorer:
    o Open Internet Explorer.
    o Click on "Tools" and then select "Internet Options".
    o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
    o Uncheck "Use a Proxy server for your LAN".
    o Click Ok to close the Local Area Network (LAN) Settings window.
    o Click Ok to close the Internet Options window.
===================================================
About Firefox settings:
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search
.
Firefox is set for Bing as default Search
Firefox startup page is set to Google
The Keyword URL is set to isearch.AVG

How about we reset these to all Google? I can do 2 with script for Combofix and tell you how to set the other.
==================================================
Are you still getting redirected?
 
Making all the searches be google would be fine, but I am still getting redirects, even after making the Proxy changes to Firefox (IE was already set correctly). I think they might be a little less frequent though? It feels that way anyway. I would get Happili a lot and I haven't in a while now.
 
Your description of the redirect doesn't sound like a 'normal' redirect.

Please give me a couple of examples of what domains come up when you're redirected. DO NOT make a hyperlink- just give me the domain name before the .com or .net. Does this happen just in one browser or all?
============================================
1. Why aren't there any restore points?
==== System Restore Points ===================

2. The only user name I see in OTM is User: The Saxton Family. Are all of the family members posting under this one account?

3. A tally of Firefox:
There are 27 plugins in Firefox:
There are 4 for GoogleOneClick8.dll
There are 9 for npGoogleUpdate3.dll
There are 2 for npCouponPrinter.dll
There are 2 versions of Adobe\Reader> v10.0 and v9. You have the current vX installed on the OS. Please uninstall both v9 and v10 in Firefox.

I have blocked all Google Updates. Are you supposed to keep the previous update when you get a new one?
======================================================
SuperAntiSpyware Home Edition Free Version
  • Please download SuperAntiSpyware from HERE
  • Launch SuperAntiSpyware and click on 'Check for updates'.
  • Wait for the updates to be installed
  • On the main screen click on 'Scan your computer'.
  • Check: 'Perform Complete Scan then Click 'Next' to start the scan.
  • SuperAntiSpyware will now scan your computer; when it's finished, it will list all/any infections found.
  • Make sure everything found has a checkmark next to it, then press 'Next'.
  • Click on 'Finish' when you're done.
It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click on 'Preferences'.
  • Click on the 'Statistics/Logs' tab.
  • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad. Paste the Notepad file here in your reply.
=======================================================
Logs in next reply please. You do not need to detail what you have done- just post the logs.
 
Please keep open, I've been extremely busy, I will update with the new log soon. Just fyi, I am still getting redirects, and the last 3 in a row were actually Happili.
 
I will keep open for you- all you need to do is let me know you will be delayed. I usually run behind in closing also. Don't wait too long though or we may have to repeat the scans.


Keep open per member request.
 
Happili.com is another browser hijacker that is installed by a ZeroAccess/Sirefef-related trojan. Once the trojan is installed and started, it will configure itself to run automatically when Windows loads. While running, it may display many popups and fake security alerts, hijack the computer's browser, redirect search results in Google, Yahoo, MSN to unrelated sites, block access to security websites and disable Windows Task Manager, Windows Security Center and the registry editor.

But this is new malware, so you are actively still vulnerable. Try and find some time so we can clean this up before you end up with corrupt files and a possible unbootable system.
 
I greatly apologize for my delay. I'm willing to start with new logs if you desire, but I have reduced the redirects almost to where they live, just a few steps away I think.

The problem is the Chrome Extension titled "Default Extension 1.0" (Unpacked) and in Firefox it's called "Performance Cache 1.0"

When I disable these extensions, the redirects stop. If I remove them, they are automatically reinstalled and re-enabled when I close and reopen Chrome and Firefox. Edit: Actually, once I removed "Performance Cache 1.0" from firefox, it has not returned. I don't know if it would return on a reboot though, but closing and reopening firefox doesn't re-enable the extension like it does for Chrome.

Not sure if that helps you narrow down what I need to do next.
 
Excellent news! So, after some more research, I found out that Chrome had this button on the extensions page called "Developer Mode". When I clicked that, the pesky "Default Extension 1.0 (Unpacked)" extension had this nifty line underneath it that said "Loaded From: <file path>". I navigated to that file path, deleted the junk, did a full computer restart, and it didn't reload!

I'd still like to keep this open for a while longer to make absolutely sure I don't get anymore redirects, but hopefully this is problem solved!

Information about the file path:
The file path showed as -

C:\Users\[User Name]\Local Settings\Google\Chrome\User Data\Default\Default\aagdcllfcplabdjfklbdfdombjnganlc

When I tried to navigate to it, I got "Access Denied" at C:\. . .\Local Settings. After some research, it looks like it's a fake path for backwards compatibility because Vista has a new file structure. So, I dug around and found that exact file at:

C:\Users\[User Name]\AppData\Local\Google\Chrome\User Data\Default\Default\aagdcllfcplabdjfklbdfdombjnganlc

The gibberish folder contained 3 files:
background.html
ContentScript.JScript
manifest.json

The time stamps all coincided with when I started getting redirects. Obviously, not one single scanner or AV program identified this as a threat, and it seems like it took full advantage of my out-of-date Javascript, which I have you to thank for getting me secure on that end. I hope this helps someone, and I hope this was the root of my problems!
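An added example, not from this thread and not Chrome's own code: the poster found the redirector by turning on Developer Mode and reading the "Loaded From" path of an unpacked extension whose folder (named after the extension id and holding manifest.json, background.html and a content script) sat outside the profile's Extensions folder. The Python below automates that check over a Chrome profile directory. It finds every manifest.json, records whether it lives under Extensions/ (where store installs go, as <id>/<version>/) or somewhere else in the profile (side-loaded or unpacked), and whether its content scripts run on search-engine pages or on every page. The sample profile it builds is constructed: the real extension's manifest contents are not on the page, the search-host list and match-pattern list are my own assumptions, and the benign extension's id is a placeholder.

```python
"""Scan a Chrome profile for side-loaded extensions that inject into search pages.

Added example, not part of the original thread. The sample profile is constructed;
the real extension's manifest contents are not known from the thread.
"""
import json
import tempfile
from pathlib import Path

# Assumptions: hosts whose result pages a search redirector would script, and
# match patterns broad enough to cover them anyway.
SEARCH_HOSTS = ("google.", "bing.", "yahoo.", "search.")
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def pattern_is_broad(pattern):
    return pattern in BROAD_PATTERNS


def pattern_targets_search(pattern):
    return any(host in pattern for host in SEARCH_HOSTS)


def inspect_manifest(manifest_path, profile_root):
    """Describe one extension; None if the manifest is unreadable."""
    try:
        with open(manifest_path, encoding="utf-8") as fh:
            manifest = json.load(fh)
    except (OSError, ValueError):
        return None
    ext_dir = manifest_path.parent
    # Store installs live under <profile>/Extensions/<id>/<version>/; anything
    # else in the profile was loaded unpacked or dropped there by an installer.
    in_store_dir = "Extensions" in ext_dir.relative_to(profile_root).parts
    matches = [m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])]
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "path": str(ext_dir),
        "unpacked": not in_store_dir,
        "broad_match": any(pattern_is_broad(p) for p in matches),
        "search_match": any(pattern_targets_search(p) for p in matches),
        "has_background": "background" in manifest,
    }


def scan_profile(profile_root):
    """Walk a profile directory and describe every extension manifest found."""
    profile_root = Path(profile_root)
    results = []
    for manifest in sorted(profile_root.rglob("manifest.json")):
        info = inspect_manifest(manifest, profile_root)
        if info is not None:
            results.append(info)
    return results


def suspicious(info):
    """Side-loaded AND scripting search pages (or every page): worth pulling apart."""
    return info["unpacked"] and (info["search_match"] or info["broad_match"])


def build_sample_profile(root):
    """Constructed profile: one side-loaded redirector, one store-installed extension."""
    root = Path(root)
    # Mirrors the layout the poster found: <profile>/Default/<extension id>/
    bad = root / "Default" / "aagdcllfcplabdjfklbdfdombjnganlc"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "name": "Default Extension", "version": "1.0", "manifest_version": 2,
        "background": {"page": "background.html"},
        "content_scripts": [{"matches": ["*://www.google.com/*", "*://www.bing.com/*"],
                             "js": ["ContentScript.js"]}],
    }))
    # Placeholder id and version for a normal store install.
    good = root / "Extensions" / "abcdefghijklmnopabcdefghijklmnop" / "1.2.3_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({
        "name": "Benign Helper", "version": "1.2.3", "manifest_version": 2,
        "content_scripts": [{"matches": ["https://pay.example/*"], "js": ["helper.js"]}],
    }))
    return root


def demo():
    """Build the constructed profile in a temp directory and scan it."""
    root = tempfile.mkdtemp(prefix="chrome-profile-")
    build_sample_profile(root)
    return scan_profile(root)


if __name__ == "__main__":
    for info in demo():
        verdict = "SUSPICIOUS" if suspicious(info) else "ok"
        print(f"{verdict:10} {info['name']} {info['version']}  unpacked={info['unpacked']}  {info['path']}")
```

Run as a script it scans the constructed profile and prints one verdict per extension; on a real machine, point scan_profile at the profile directory the poster quoted (AppData\Local\Google\Chrome\User Data\Default) with Chrome closed. A hit means "read this manifest and its scripts", not "delete it": legitimate unpacked extensions exist, and the content script is what actually tells you whether results are being rewritten.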
 
Note: It was Java that was out of date, not javascript.

I am a bit uneasy about your "digging around". I'd like you to update and run a new Eset scan.

Then follow with this:
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
  • Extract it to the directory on your hard drive you created C:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
=============================================
We will deal with what is on these logs and then I'll close the thread. You started this a month ago and malware has been removed.
 
Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:07:37 PM, on 5/22/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
C:\Windows\CNYHKey.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\ModLedKey.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\The Saxton Family\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\WinRAR\WinRAR.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z039&form=ZGAPHP
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0509&m=dx4300
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=0509&m=dx4300
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.254:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [LedKey] CNYHKey.exe
O4 - HKLM\..\Run: [LchDrvKey] LchDrvKey.exe
O4 - HKLM\..\Run: [Gateway Photo Frame] "C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe" -A
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [AmazonGSDownloaderTray] "C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe"
O4 - HKLM\..\Run: [UVS10 Preload] "C:\Program Files (x86)\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Plugin Install] "C:\Program Files (x86)\QuickTime\Plugins\DeleteMe1.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {C87ACE20-4BA7-11D4-AD69-0000F80020BC} (MEDITECHAppDwnld) - http://meditech.com/employees/Pages/Software/MTAppDwn.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - c:\program files (x86)\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: MEDITECH Application Manager (MTAppManager) - Medical Information Technology, Inc. - C:\Program Files (x86)\MEDITECH\MTAppDwn.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files (x86)\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files (x86)\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: vToolbarUpdater11.0.2 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: VMware View Client Service (wsnm) - VMware, Inc. - C:\Program Files (x86)\VMware\VMware View\Client\bin\wsnm.exe

--
End of file - 13193 bytes
 
Reset your browser proxies
  • For Firefox:
    o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    o Click on the "Network" tab, and then on the "Settings" button.
    o Please make sure that the "No Proxy" option is selected.
  • For Internet Explorer:
    o Open Internet Explorer.
    o Click on "Tools" and then select "Internet Options".
    o Click on the "Connections" tab and click the "LAN Settings" button at the bottom.
    o Uncheck "Use a Proxy server for your LAN".
    o Click Ok to close the Local Area Network (LAN) Settings window.
    o Click Ok to close the Internet Options window.

Any remaining problems?
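The GUI steps above can be checked from a shell as well, which is handy when a redirector keeps re-enabling a proxy after you uncheck the box. The following PowerShell is an added example, not something posted in this thread: it reads the WinINET proxy values that Internet Explorer (and any browser set to "use system proxy") honours, reads the network.proxy.type pref from each Firefox profile, and can clear the WinINET proxy the same way "Uncheck Use a proxy server for your LAN" does. The registry path and value names are the standard Internet Settings ones; the Firefox profile location is assumed to be the default under %APPDATA%.

```powershell
# Added example (not from the thread): audit, and optionally clear, the proxy
# settings the GUI steps reset. Run in the affected user's session; clearing
# writes only to HKCU, so no elevation is needed.

$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxyState {
    # ProxyEnable=1 with a ProxyServer, or any AutoConfigURL (PAC file), means
    # traffic can be steered through something other than a direct connection.
    $p = Get-ItemProperty -Path $inetKey
    [pscustomobject]@{
        ProxyEnabled  = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}

function Get-FirefoxProxyType {
    # network.proxy.type: 0 = No Proxy, 1 = manual, 2 = PAC URL, 4 = auto-detect,
    # 5 = use system settings (Firefox's default when the pref is absent).
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'   # assumed default path
    if (-not (Test-Path $profiles)) { return @() }
    Get-ChildItem -Path $profiles -Directory | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        $type  = 5
        if (Test-Path $prefs) {
            $hit = Select-String -Path $prefs -Pattern 'user_pref\("network\.proxy\.type",\s*(\d+)\)' |
                   Select-Object -First 1
            if ($hit) { $type = [int]$hit.Matches[0].Groups[1].Value }
        }
        [pscustomobject]@{ Profile = $_.Name; ProxyType = $type }
    }
}

function Clear-WinInetProxy {
    # Equivalent of unchecking "Use a proxy server for your LAN" and removing a PAC URL.
    Set-ItemProperty    -Path $inetKey -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
}

# Report first; only clear when something is actually set.
$state = Get-WinInetProxyState
$state | Format-List
Get-FirefoxProxyType | Format-Table -AutoSize

if ($state.ProxyEnabled -or $state.AutoConfigURL) {
    Write-Warning 'WinINET proxy or PAC URL is set; clearing it.'
    Clear-WinInetProxy
    Get-WinInetProxyState | Format-List
}
```

Re-run the audit after a reboot: if ProxyEnable or AutoConfigURL comes back on its own, something still running on the machine is restoring it, which is worth knowing before declaring the cleanup finished.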
 
Those already were my browser settings. I have not had a single problem since I deleted that folder that was installing the "Default" chrome extension.
 
Okay then, let's clean up the tools!
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
------------------------------------------
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose "Disk Cleanup".
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Let me know if you have any questions.
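The restore-point steps above can also be done from an elevated PowerShell prompt. This is an added example, not part of the thread: it creates a fresh restore point with the built-in Checkpoint-Computer cmdlet and then lists the remaining shadow copies with vssadmin so you can confirm which ones still exist before removing the old ones through Disk Cleanup as described. Nothing here deletes anything.

```powershell
# Added example (not from the thread): create a clean restore point from an
# elevated PowerShell session and list what restore points / shadow copies remain.

function New-CleanRestorePoint {
    param([string]$Description = 'Post-malware-cleanup')   # label is an assumption
    # Checkpoint-Computer needs an elevated Windows PowerShell session and the
    # System Protection service enabled on the system drive.
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
}

function Get-RestorePointSummary {
    # Restore points on Vista and later are volume shadow copies; vssadmin
    # lists them with creation time so you can see which one is the newest.
    $raw = & vssadmin list shadows 2>&1
    $raw | Select-String -Pattern 'Shadow Copy ID|creation time|Original Volume'
}

New-CleanRestorePoint
Get-RestorePointSummary
```

Windows throttles restore-point creation (by default one per 24 hours unless the SystemRestorePointCreationFrequency policy is changed), so if Checkpoint-Computer reports that a point was skipped, use the GUI path above instead of assuming one was made.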
 