Redirect Malware ick!


  • This topic is locked
24 replies to this topic

#1 Sooner Aviator

  • Members
  • 11 posts

Posted 14 October 2012 - 05:25 PM

Hey folks, it appears that I have been infected with the redirect malware.

I initially noticed about 2 months ago that occasionally a Google search result would redirect to some other page. Going back and then clicking the result again would take me to the actual result. Ran a scan in AVG with, of course, no results. Did a quick internet search and found BC.

I have read the Preparation guide and have included the logs from DDS. I am not sure why the DDS log is pasted, while the attach log is attached, just following directions.

Thank you in advance for the help,
Jesse

DDS Log
DDS (Ver_2012-10-14.05) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_35
Run by Us at 17:09:50 on 2012-10-14
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1791.562 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Users\Us\AppData\Local\Programs\Google\MusicManager\MusicManager.exe
C:\Users\Us\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files (x86)\NETGEAR\WPN111\wpn111.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Vimicro Corporation\VMUVC\VMonitor.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Logitech\Video\FxSvr2.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wuauclt.exe
D:\Cobian Backup 11\cbVSCService11.exe
D:\Cobian Backup 11\Cobian.exe
D:\Cobian Backup 11\cbInterface.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Us\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.primericaonline.com/Login
mWinlogon: Userinit = userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
BHO: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - C:\Program Files (x86)\somototoolbar\vmntemplateX.dll
uRun: [Google Update] "C:\Users\Us\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [MusicManager] "C:\Users\Us\AppData\Local\Programs\Google\MusicManager\MusicManager.exe"
uRun: [Spotify Web Helper] "C:\Users\Us\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRun: [LogitechSoftwareUpdate] "C:\Program Files (x86)\Logitech\Video\ManifestEngine.exe" boot
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [VMonitorVMUVC] "C:\Program Files (x86)\Vimicro Corporation\VMUVC\VMonitor.exe" VMUVC
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [LogitechVideoRepair] C:\Program Files (x86)\Logitech\Video\ISStart.exe
mRun: [LogitechVideoTray] C:\Program Files (x86)\Logitech\Video\LogiTray.exe
mRun: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\NETGEA~1.LNK - C:\Program Files (x86)\NETGEAR\WPN111\wpn111.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{EEEB235A-DF44-48BE-AAD7-BDCE33C7D092} : DHCPNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll
x64-BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll
x64-BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll
x64-SSODL: WebCheck - <orphaned>
x64-SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Us\AppData\Roaming\Mozilla\Firefox\Profiles\e8rcpt6j.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: C:\Program Files (x86)\Weathersoft\NpWeatherScope32.dll
FF - plugin: C:\Users\Us\AppData\Local\Google\Update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: C:\Users\Us\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\Us\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll
FF - plugin: C:\Windows\SysWOW64\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
FF - ExtSQL: 2012-09-05 22:55; {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}; C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2012-4-19 28480]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2012-1-31 36944]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2012-7-26 291680]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2011-12-23 47696]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2012-8-24 384352]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [2012-8-13 5167736]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-2-14 193288]
R2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;D:\Cobian Backup 11\cbVSCService11.exe [2012-10-14 67584]
R2 Fabs;FABS - Helping agent for MAGIX media database;C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-8-27 1253376]
R2 LVPrcS64;Process Monitor;C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-7 191000]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2011-12-23 124496]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\System32\drivers\avgidsfiltera.sys [2011-12-23 29776]
R3 LVPr2M64;Logitech LVPr2M64 Driver;C:\Windows\System32\drivers\LVPr2M64.sys [2009-10-7 30232]
R3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;C:\Windows\System32\drivers\PCASp50a64.sys [2011-4-24 41280]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\Windows\System32\drivers\WPN111vx.sys [2011-4-24 1075712]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-16 136176]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-8-7 3276800]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-16 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-26 114144]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver;C:\Windows\System32\drivers\PCAMp50a64.sys [2011-4-24 43328]
S3 VMUVC;Vimicro Camera Service VMUVC;C:\Windows\System32\drivers\vmuvc.sys [2012-1-12 198400]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;C:\Windows\System32\drivers\vvftUVC.sys [2012-1-12 303616]
.
=============== File Associations ===============
.
ShellExec: QSync.exe: Open="C:\Program Files (x86)\Logitech\Video\QSync.exe"
.
=============== Created Last 30 ================
.
2012-10-08 18:39:38 -------- d-----w- C:\Users\Us\AppData\Local\TTales
2012-10-07 22:49:51 -------- d-----w- C:\Users\Us\AppData\Local\Lucasarts
2012-09-26 20:00:23 -------- d-----w- C:\Users\Us\AppData\Local\Diagnostics
.
==================== Find3M ====================
.
2012-09-06 03:55:14 477168 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2012-09-06 03:55:14 473072 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-08-24 20:43:16 384352 ----a-w- C:\Windows\System32\drivers\avgtdia.sys
2012-07-26 08:21:28 291680 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
.
============= FINISH: 17:10:21.31 ===============

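The DDS log above lists Internet Explorer BHO and toolbar entries in its "Pseudo HJT Report" section. As an added example (not part of this thread and not code from the DDS tool), the Python script below parses those lines and flags what a responder would check first: DLLs loaded from outside the usual install roots, vendor directories not on a reviewer's allowlist (a hypothetical list here), one CLSID registered as both BHO and toolbar, and the sites in the Trusted zone. The sample lines are copied from the posted log; the script only reports items for review and decides nothing about their nature.

```python
"""Triage helper for the BHO / toolbar section of a DDS log.

Added example, not part of the thread or of DDS itself: it parses the
"Pseudo HJT Report" lines and flags entries a responder should look at,
without deciding by itself that anything is malicious.
"""
import re
from collections import defaultdict

# Constructed sample in the DDS report format, built from lines of the
# log posted above.
SAMPLE_REPORT = """\
uStart Page = hxxp://www.primericaonline.com/Login
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files (x86)\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
BHO: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - C:\\Program Files (x86)\\somototoolbar\\vmntemplateX.dll
BHO: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\\ProgramData\\WeCareReminder\\IEHelperv2.5.0.dll
TB: Somoto Toolbar: {c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - C:\\Program Files (x86)\\somototoolbar\\vmntemplateX.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
"""

# Line shape: "<x64->BHO|TB: <display name>: {CLSID} - <dll path>"
HOOK_RE = re.compile(
    r"^(?P<arch>x64-)?(?P<kind>BHO|TB): (?P<name>.+?): "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)

# Roots an installer normally puts an IE extension DLL under. Anything
# else (ProgramData, a user profile) is writable without elevation and
# therefore worth a second look.
STANDARD_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Hypothetical reviewer allowlist of vendor directory names (the second
# path component); in practice it comes from the machine's software inventory.
KNOWN_VENDOR_DIRS = {"adobe", "avg", "common files", "java", "microsoft office"}


def parse_hooks(report):
    """Return one dict per BHO/TB line: arch, kind, name, clsid, path."""
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["arch"] = "x64" if entry["arch"] else "x86"
            entry["clsid"] = entry["clsid"].upper()   # DDS prints mixed case
            hooks.append(entry)
    return hooks


def triage(report):
    """Map CLSID -> set of review reasons; CLSIDs with no reasons are omitted."""
    findings = defaultdict(set)
    kinds_by_clsid = defaultdict(set)

    for h in parse_hooks(report):
        path = h["path"].lower()
        kinds_by_clsid[h["clsid"]].add(h["kind"])
        if not path.startswith(STANDARD_ROOTS):
            findings[h["clsid"]].add(f"loads from non-standard location: {h['path']}")
        else:
            parts = path.split("\\")
            vendor = parts[2] if len(parts) > 2 else ""
            if vendor not in KNOWN_VENDOR_DIRS:
                findings[h["clsid"]].add(f"unrecognised vendor directory: {vendor}")

    # One CLSID registered as both a BHO and a toolbar is the usual
    # footprint of a bundled browser toolbar; report it for review.
    for clsid, kinds in kinds_by_clsid.items():
        if kinds >= {"BHO", "TB"}:
            findings[clsid].add("registered as both BHO and toolbar")
    return dict(findings)


def trusted_zones(report):
    """Sites in IE's Trusted zone, which runs with relaxed security settings."""
    return [line.split(":", 1)[1].strip()
            for line in report.splitlines() if line.startswith("Trusted Zone:")]


if __name__ == "__main__":
    for clsid, reasons in sorted(triage(SAMPLE_REPORT).items()):
        print(clsid)
        for reason in sorted(reasons):
            print("   -", reason)
    print("Trusted Zone:", ", ".join(trusted_zones(SAMPLE_REPORT)))
```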

#2 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts

Posted 14 October 2012 - 07:35 PM

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • type exit and reboot the computer normally
  • FRST will make a log (FRST.txt) on the flash drive, please copy and paste the log in your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Sooner Aviator
  • Topic Starter

  • Members
  • 11 posts

Posted 19 October 2012 - 04:07 PM

Thanks for the quick reply. I ran Farbar; here is the log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 16-10-2012
Ran by SYSTEM at 19-10-2012 16:01:05
Running from I:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [8067616 2011-04-24] (Realtek Semiconductor)
HKLM\...\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2399632 2011-04-13] (Microsoft Corporation)
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2596984 2012-07-31] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421160 2011-04-26] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [VMonitorVMUVC] "C:\Program Files (x86)\Vimicro Corporation\VMUVC\VMonitor.exe" VMUVC [135168 2008-03-26] (Vimicro Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [LogitechVideoRepair] C:\Program Files (x86)\Logitech\Video\ISStart.exe [458752 2005-06-08] (Logitech Inc.)
HKLM-x32\...\Run: [LogitechVideoTray] C:\Program Files (x86)\Logitech\Video\LogiTray.exe [217088 2005-06-08] (Logitech Inc.)
HKLM-x32\...\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide [2793304 2009-10-14] ()
HKU\Us\...\Run: [Google Update] "C:\Users\Us\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2011-06-24] (Google Inc.)
HKU\Us\...\Run: [MusicManager] "C:\Users\Us\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [7321600 2012-08-31] (Google Inc.)
HKU\Us\...\Run: [Spotify Web Helper] "C:\Users\Us\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [932528 2012-05-20] ()
HKU\Us\...\Run: [LogitechSoftwareUpdate] "C:\Program Files (x86)\Logitech\Video\ManifestEngine.exe" boot [196608 2005-06-08] (Logitech Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Startup: C:\Users\All Users\Start Menu\Programs\Startup\NETGEAR WPN111 Smart Wizard.lnk
ShortcutTarget: NETGEAR WPN111 Smart Wizard.lnk -> C:\Program Files (x86)\NETGEAR\WPN111\wpn111.exe (NETGEAR)

==================== Services (Whitelisted) ===================

2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe" [5167736 2012-08-13] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
3 FirebirdServerMAGIXInstance; "C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe" [3276800 2008-08-07] (MAGIX®)
2 cbVSCService11; C:\Cobian Backup 11\cbVSCService11.exe [x]

==================== Drivers (Whitelisted) =====================

3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [124496 2011-12-23] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
0 AVGIDSHA; C:\Windows\System32\Drivers\AVGIDSHA.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [291680 2012-07-26] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
1 Avgtdia; C:\Windows\System32\Drivers\Avgtdia.sys [384352 2012-08-24] (AVG Technologies CZ, s.r.o.)
3 LVPr2M64; C:\Windows\System32\Drivers\LVPr2M64.sys [30232 2009-10-06] ()
3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2M64.sys [30232 2009-10-06] ()
3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-28] ()
3 PCAMp50a64; C:\Windows\System32\Drivers\PCAMp50a64.sys [43328 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
3 PCASp50a64; C:\Windows\System32\Drivers\PCASp50a64.sys [41280 2006-11-28] (Printing Communications Assoc., Inc. (PCAUSA))
3 VMUVC; C:\Windows\System32\Drivers\VMUVC.sys [198400 2009-03-11] (Vimicro Corporation)
3 vvftUVC; C:\Windows\System32\Drivers\vvftUVC.sys [303616 2008-07-01] (Vimicro Corporation)
3 WPN111; C:\Windows\System32\DRIVERS\WPN111vx.sys [1075712 2008-08-04] (Atheros Communications, Inc.)

==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-10-19 16:00 - 2012-10-19 16:00 - 00000000 ____D C:\FRST
2012-10-19 12:48 - 2012-10-19 12:49 - 01458573 ____A (Farbar) C:\Users\Us\Downloads\FRST64.exe
2012-10-14 14:14 - 2012-10-14 14:14 - 00004719 ____A C:\Users\Us\Desktop\attach.txt
2012-10-14 14:10 - 2012-10-14 14:15 - 00000000 ____D C:\Users\Us\Documents\log files
2012-10-14 14:10 - 2012-10-14 14:10 - 00016102 ____A C:\Users\Us\Desktop\dds.txt
2012-10-14 14:09 - 2012-10-14 14:09 - 00706431 ____R (Swearware) C:\Users\Us\Downloads\dds.com
2012-10-14 13:44 - 2012-10-14 13:45 - 19620864 ____A (Luis Cobian, CobianSoft) C:\Users\Us\Downloads\cbSetup.exe
2012-10-08 10:39 - 2012-10-08 10:39 - 00000000 ____D C:\Users\Us\AppData\Local\TTales
2012-10-08 10:31 - 2012-10-08 10:31 - 00000492 ____A C:\Users\Us\Desktop\LEGO Star Wars II - Shortcut.lnk
2012-10-07 14:49 - 2012-10-07 14:49 - 00000000 ____D C:\Users\Us\AppData\Local\Lucasarts
2012-10-07 14:43 - 2006-07-28 06:31 - 00083736 ____A (Microsoft Corporation) C:\Windows\System32\xinput1_2.dll
2012-10-07 14:43 - 2006-07-28 06:30 - 00363288 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_3.dll
2012-10-07 14:43 - 2006-07-28 06:30 - 00236824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_3.dll
2012-10-07 14:43 - 2006-07-28 06:30 - 00062744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_2.dll
2012-10-07 14:43 - 2006-05-31 04:24 - 00230168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_2.dll
2012-10-07 14:43 - 2006-05-31 04:22 - 00354072 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_2.dll
2012-10-07 14:43 - 2006-03-31 09:41 - 03927248 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_30.dll
2012-10-07 14:43 - 2006-03-31 09:40 - 02388176 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_30.dll
2012-10-07 14:43 - 2006-03-31 09:40 - 00352464 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_1.dll
2012-10-07 14:43 - 2006-03-31 09:39 - 00229584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_1.dll
2012-10-07 14:43 - 2006-03-31 09:39 - 00083664 ____A (Microsoft Corporation) C:\Windows\System32\xinput1_1.dll
2012-10-07 14:43 - 2006-03-31 09:39 - 00062672 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_1.dll
2012-10-07 14:43 - 2006-02-03 05:43 - 03830992 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_29.dll
2012-10-07 14:43 - 2006-02-03 05:43 - 02332368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_29.dll
2012-10-07 14:43 - 2006-02-03 05:42 - 00355536 ____A (Microsoft Corporation) C:\Windows\System32\xactengine2_0.dll
2012-10-07 14:43 - 2006-02-03 05:42 - 00230096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\xactengine2_0.dll
2012-10-07 14:43 - 2006-02-03 05:41 - 00016592 ____A (Microsoft Corporation) C:\Windows\System32\x3daudio1_0.dll
2012-10-07 14:43 - 2006-02-03 05:41 - 00014032 ____A (Microsoft Corporation) C:\Windows\SysWOW64\x3daudio1_0.dll
2012-10-07 14:43 - 2005-12-05 15:09 - 03815120 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_28.dll
2012-10-07 14:43 - 2005-12-05 15:09 - 02323664 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_28.dll
2012-10-07 14:43 - 2005-07-22 16:59 - 03807440 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_27.dll
2012-10-07 14:43 - 2005-07-22 16:59 - 02319568 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_27.dll
2012-10-07 14:43 - 2005-05-26 12:34 - 03767504 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_26.dll
2012-10-07 14:43 - 2005-05-26 12:34 - 02297552 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_26.dll
2012-10-07 14:43 - 2005-03-18 14:19 - 03823312 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_25.dll
2012-10-07 14:43 - 2005-03-18 14:19 - 02337488 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_25.dll
2012-10-07 14:43 - 2005-02-05 16:45 - 03544272 ____A (Microsoft Corporation) C:\Windows\System32\d3dx9_24.dll
2012-10-07 14:43 - 2005-02-05 16:45 - 02222800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3dx9_24.dll
2012-10-04 17:21 - 2012-10-04 17:21 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-10-03 12:18 - 2012-10-03 12:20 - 99710192 ____A (Advanced Micro Devices, Inc.) C:\Users\Us\Documents\10-2_legacy_vista32-64_dd_ccc.exe
2012-10-01 14:27 - 2012-10-01 14:48 - 00000000 ____D C:\Users\Us\Documents\Recipies from betty (Johns wife)
2012-09-28 13:20 - 2012-10-05 08:51 - 00100375 ____A C:\Users\Us\Documents\Samuel DE Champlain.pptx

==================== 3 Months Modified Files ==================

2012-10-19 12:54 - 2011-04-24 11:19 - 01715986 ____A C:\Windows\WindowsUpdate.log
2012-10-19 12:52 - 2009-07-13 20:51 - 00084730 ____A C:\Windows\setupact.log
2012-10-19 12:49 - 2012-10-19 12:48 - 01458573 ____A (Farbar) C:\Users\Us\Downloads\FRST64.exe
2012-10-19 12:44 - 2011-06-24 12:59 - 00000896 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444250241-1775575786-799666393-1000UA.job
2012-10-19 12:30 - 2011-05-16 17:44 - 00000890 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-10-19 12:30 - 2011-05-16 17:44 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-10-19 11:43 - 2011-04-24 15:35 - 00035594 ____A C:\Windows\PFRO.log
2012-10-19 11:43 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-10-17 15:09 - 2009-07-13 20:45 - 00013584 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-10-17 15:09 - 2009-07-13 20:45 - 00013584 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-10-15 08:44 - 2011-06-24 12:59 - 00000844 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444250241-1775575786-799666393-1000Core.job
2012-10-14 14:14 - 2012-10-14 14:14 - 00004719 ____A C:\Users\Us\Desktop\attach.txt
2012-10-14 14:10 - 2012-10-14 14:10 - 00016102 ____A C:\Users\Us\Desktop\dds.txt
2012-10-14 14:09 - 2012-10-14 14:09 - 00706431 ____R (Swearware) C:\Users\Us\Downloads\dds.com
2012-10-14 13:45 - 2012-10-14 13:44 - 19620864 ____A (Luis Cobian, CobianSoft) C:\Users\Us\Downloads\cbSetup.exe
2012-10-08 10:31 - 2012-10-08 10:31 - 00000492 ____A C:\Users\Us\Desktop\LEGO Star Wars II - Shortcut.lnk
2012-10-07 14:43 - 2011-05-12 12:37 - 00162344 ____A C:\Windows\DirectX.log
2012-10-05 08:51 - 2012-09-28 13:20 - 00100375 ____A C:\Users\Us\Documents\Samuel DE Champlain.pptx
2012-10-04 17:21 - 2012-10-04 17:21 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-10-03 12:20 - 2012-10-03 12:18 - 99710192 ____A (Advanced Micro Devices, Inc.) C:\Users\Us\Documents\10-2_legacy_vista32-64_dd_ccc.exe
2012-09-16 15:14 - 2012-09-16 15:14 - 02211928 ____A (Kaspersky Lab ZAO) C:\Users\Us\Downloads\tdsskiller.exe
2012-09-14 14:48 - 2011-09-19 08:45 - 00012288 ____A C:\Users\Us\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-09-10 18:33 - 2012-09-10 18:33 - 00002093 ____A C:\Users\Public\Desktop\Logitech Webcam Software.lnk
2012-09-10 18:30 - 2012-09-10 18:27 - 53539128 ____A (Logitech, Inc.) C:\Users\Us\Documents\lws110_x64.exe
2012-09-10 18:17 - 2012-05-20 12:35 - 00012288 __ASH C:\Users\Us\AppData\Thumbs.db
2012-09-10 18:08 - 2012-09-10 18:08 - 00001973 ____A C:\Users\Public\Desktop\Logitech QuickCam.lnk
2012-09-10 18:08 - 2012-09-10 18:08 - 00001868 ____A C:\Users\Public\Desktop\My Logitech Pictures.lnk
2012-09-10 18:08 - 2012-09-10 18:08 - 00000717 ____A C:\Windows\SysWOW64\Installer.log
2012-09-10 18:06 - 2012-09-10 18:06 - 33823016 ____A (Logitech Inc. ) C:\Users\Us\Documents\qc848enu.exe
2012-09-10 11:33 - 2012-07-19 17:21 - 00000935 ____A C:\Users\Public\Desktop\AVG 2012.lnk
2012-09-05 19:55 - 2012-09-05 19:55 - 00477168 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\npdeployJava1.dll
2012-09-05 19:55 - 2012-09-05 19:55 - 00157680 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-09-05 19:55 - 2012-09-05 19:55 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-09-05 19:55 - 2012-09-05 19:55 - 00149488 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-09-05 19:55 - 2011-05-10 16:46 - 00473072 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-08-31 11:44 - 2012-08-31 11:44 - 00011161 ____A C:\Users\Us\Documents\matthew flyer.odg
2012-08-24 12:43 - 2012-08-24 12:43 - 00384352 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys
2012-08-19 19:04 - 2011-04-24 10:38 - 00155008 ____A C:\Users\Us\AppData\Local\GDIPFONTCACHEV1.DAT
2012-08-18 15:51 - 2012-08-18 15:51 - 02447334 ____A C:\Users\Us\AppData\Local\[j0013]-[p04].bmp
2012-08-18 14:37 - 2012-08-18 14:37 - 02447334 ____A C:\Users\Us\AppData\Local\[j0010]-[p08].bmp
2012-08-18 14:33 - 2012-08-18 14:33 - 02447334 ____A C:\Users\Us\AppData\Local\[j0008]-[p10].bmp
2012-08-18 14:26 - 2012-08-18 14:26 - 02440206 ____A C:\Users\Us\AppData\Local\[j0006]-[p06].bmp
2012-08-18 13:10 - 2012-08-18 13:10 - 02440206 ____A C:\Users\Us\AppData\Local\[j0003]-[p20].bmp
2012-08-17 19:00 - 2012-08-17 19:00 - 00013524 ____A C:\Users\Us\Documents\calwndar.xlsx
2012-08-04 13:13 - 2012-08-04 13:13 - 09968194 ____A C:\Users\Us\Downloads\WeatherScope-1.9.1.exe
2012-07-26 00:21 - 2012-07-26 00:21 - 00291680 ____A (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgldx64.sys

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-10-07 14:34:44
Restore point made on: 2012-10-07 14:35:35
Restore point made on: 2012-10-14 14:02:22
Restore point made on: 2012-10-15 09:28:50

==================== Memory info ===========================

Percentage of memory in use: 27%
Total physical RAM: 1791.16 MB
Available physical RAM: 1305.95 MB
Total Pagefile: 1791.16 MB
Available Pagefile: 1296.16 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (New Volume) (Fixed) (Total:78.13 GB) (Free:3.06 GB) NTFS
2 Drive e: (New Volume) (Fixed) (Total:24.41 GB) (Free:24.32 GB) NTFS
3 Drive f: (New Volume) (Fixed) (Total:363.22 GB) (Free:308.21 GB) NTFS
6 Drive i: () (Removable) (Total:0.47 GB) (Free:0.1 GB) FAT
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
8 Drive y: () (Fixed) (Total:149.04 GB) (Free:140.56 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 149 GB 7168 KB
Disk 1 Online 465 GB 1024 KB
Disk 2 Online 483 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 149 GB 31 KB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 Y NTFS Partition 149 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 78 GB 31 KB
Partition 2 Primary 24 GB 78 GB
Partition 3 Primary 363 GB 102 GB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C New Volume NTFS Partition 78 GB Healthy

=========================================================

Disk: 1
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 E New Volume NTFS Partition 24 GB Healthy

=========================================================

Disk: 1
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 F New Volume NTFS Partition 363 GB Healthy

=========================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 483 MB 118 KB

==================================================================================

Disk: 2
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 I FAT Removable 483 MB Healthy

=========================================================

Last Boot: 2012-10-16 11:05

==================== End Of Log =============================

#4 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts
  • Location:Canada
Posted 19 October 2012 - 06:12 PM

Please run the following

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Sooner Aviator (Topic Starter)

  • Members
  • 11 posts

Posted 21 October 2012 - 08:29 PM

Combofix Log

ComboFix 12-10-21.02 - Us 10/21/2012 20:05:55.1.1 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1791.945 [GMT -5:00]
Running from: c:\users\Us\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\somototoolbar\vmNTemplatex.dll
c:\users\Us\AppData\Local\Microsoft\Windows\Temporary Internet Files\{03BFE523-A745-42E9-85F6-866FC3EB50E8}.xps
c:\users\Us\AppData\Local\Microsoft\Windows\Temporary Internet Files\{BECA06D6-BA5D-46F7-8175-4C4C603817D0}.xps
.
.
((((((((((((((((((((((((( Files Created from 2012-09-22 to 2012-10-22 )))))))))))))))))))))))))))))))
.
.
2012-10-22 01:13 . 2012-10-22 01:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-20 00:00 . 2012-10-20 00:00 -------- d-----w- C:\FRST
2012-10-08 18:39 . 2012-10-08 18:39 -------- d-----w- c:\users\Us\AppData\Local\TTales
2012-10-07 22:49 . 2012-10-07 22:49 -------- d-----w- c:\users\Us\AppData\Local\Lucasarts
2012-09-26 20:00 . 2012-10-16 20:30 -------- d-----w- c:\users\Us\AppData\Local\Diagnostics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-06 03:55 . 2012-09-06 03:55 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-09-06 03:55 . 2011-05-11 00:46 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-24 20:43 . 2012-08-24 20:43 384352 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2012-07-26 08:21 . 2012-07-26 08:21 291680 ----a-w- c:\windows\system32\drivers\avgldx64.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2011-06-10 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2011-06-10 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MusicManager"="c:\users\Us\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-08-31 7321600]
"Spotify Web Helper"="c:\users\Us\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-20 932528]
"LogitechSoftwareUpdate"="c:\program files (x86)\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"VMonitorVMUVC"="c:\program files (x86)\Vimicro Corporation\VMUVC\VMonitor.exe" [2008-03-26 135168]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"LogitechVideoRepair"="c:\program files (x86)\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files (x86)\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WPN111\wpn111.exe [2011-4-24 995328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-08-13 5167736]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 136176]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-13 114144]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50a64.sys [2006-11-29 43328]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111vx.sys [2008-08-05 1075712]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-07-26 291680]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-08-24 384352]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;d:\cobian backup 11\cbVSCService11.exe [2012-07-31 67584]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 52632]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2009-10-07 30232]
S3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [2006-11-29 41280]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys [2009-03-11 198400]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2008-07-01 303616]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 01:44]
.
2012-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 01:44]
.
2012-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444250241-1775575786-799666393-1000Core.job
- c:\users\Us\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-24 20:59]
.
2012-10-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444250241-1775575786-799666393-1000UA.job
- c:\users\Us\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-24 20:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-04-24 8067616]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.primericaonline.com/Login
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Us\AppData\Roaming\Mozilla\Firefox\Profiles\e8rcpt6j.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-09-05 22:55; {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files (x86)\somototoolbar\vmntemplateX.dll
Toolbar-{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d} - c:\program files (x86)\somototoolbar\vmntemplateX.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-10-21 20:18:33
ComboFix-quarantined-files.txt 2012-10-22 01:18
.
Pre-Run: 3,079,172,096 bytes free
Post-Run: 4,452,167,680 bytes free
.
- - End Of File - - 05D07E1DC33DF07A9915566D199D48E1

#6 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 21 October 2012 - 10:46 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into Notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FCopy::
c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll | c:\windows\system32\user32.dll
c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll | c:\windows\SysWOW64\user32.dll

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT


Please download Malwarebytes Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


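The Sigcheck block in the ComboFix log in post #5 and the FCopy:: script in post #6 are two halves of one check. ComboFix lists each live system binary next to the copy Windows keeps in the WinSxS component store for the same version. For user32.dll both the System32 (x64) and SysWOW64 (x86) copies carry version 6.1.7600.16385 and the same size as their store copies, yet their MD5s differ. Servicing would have installed a new version string in a new component directory, not changed the bytes of a file that still claims the old version, so a live copy that disagrees with its store copy is the file to look at, and copying the store copy back over it is exactly what the FCopy:: lines do. The following is an added example, not ComboFix or FRST code and not posted by anyone in this thread: it parses Sigcheck lines, pairs each live file with the store copy of the same name, version and architecture, reports the mismatches and emits the FCopy:: directives that would restore them. The user32.dll lines are copied from the log above; the kernel32.dll pair, its hash and its WinSxS directory name are invented so the clean case is exercised too.

```python
"""Detect system binaries whose live copy differs from the WinSxS store copy
of the same version, from ComboFix Sigcheck output, and build the FCopy::
directives that restore them.

Added example for this thread; it is not ComboFix's or FRST's own code.
"""
import re
from collections import defaultdict

# Constructed sample input modelled on the Sigcheck block of the first
# ComboFix log. The user32.dll lines are taken from that log; the
# kernel32.dll pair (hash and store directory included) is an assumption
# added so that a matching pair is present as well.
SAMPLE_SIGCHECK = r"""
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2011-06-10 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2011-06-10 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
[7] 2009-07-14 . 0123456789ABCDEF0123456789ABCDEF . 1161216 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16385_none_0000000000000000\kernel32.dll
[7] 2009-07-14 . 0123456789ABCDEF0123456789ABCDEF . 1161216 . . [6.1.7600.16385] .. c:\windows\system32\kernel32.dll
"""

# One Sigcheck line: [tag] date . MD5 . size . . [version] .. path
# The leading tag is ComboFix's own verdict; the hashes are compared directly
# instead of trusting it.
LINE_RE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\.\s+(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; separator lines ('.') are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def is_store_copy(path):
    return "\\winsxs\\" in path.lower()


def arch_of(path):
    """Map a path to the architecture of the binary it holds on an x64 OS:
    System32 and amd64_ components are x64, SysWOW64 and wow64_/x86_
    components are x86."""
    p = path.lower()
    if is_store_copy(p):
        component = p.split("\\winsxs\\", 1)[1].split("\\", 1)[0]
        if component.startswith("amd64_"):
            return "x64"
        if component.startswith(("wow64_", "x86_")):
            return "x86"
        return None
    if "\\syswow64\\" in p:
        return "x86"
    if "\\system32\\" in p:
        return "x64"
    return None


def find_mismatches(entries):
    """Pair live files with store copies of the same name, version and
    architecture; report every pair whose MD5 or size disagrees."""
    groups = defaultdict(lambda: {"store": [], "live": []})
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1].lower()
        key = (name, e["version"], arch_of(e["path"]))
        groups[key]["store" if is_store_copy(e["path"]) else "live"].append(e)
    mismatches = []
    for g in groups.values():
        for live in g["live"]:
            for store in g["store"]:
                if live["md5"] != store["md5"] or live["size"] != store["size"]:
                    mismatches.append({
                        "live": live["path"], "store": store["path"],
                        "live_md5": live["md5"], "store_md5": store["md5"],
                    })
    return mismatches


def fcopy_script(mismatches):
    """Build the FCopy:: section of a CFScript: 'store | live' per file."""
    lines = ["FCopy::"] + [f"{m['store']} | {m['live']}" for m in mismatches]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_mismatches(parse_sigcheck(SAMPLE_SIGCHECK))
    for m in found:
        print(f"mismatch: {m['live']}  live={m['live_md5']}  store={m['store_md5']}")
    print(fcopy_script(found))
```

Fed the Sigcheck block of the first log, the script flags both user32.dll copies and prints the same two FCopy:: lines CatByte posted in the next reply. A mismatch is a lead rather than a verdict, in line with the log's own note that unsigned files aren't necessarily malware; the store copy is the reference because Windows treats it as the installed file for that version, which is why restoring from it is the fix applied in this thread.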

#7 Sooner Aviator (Topic Starter)

  • Members
  • 11 posts

Posted 24 October 2012 - 09:38 PM

CFScript log:

ComboFix 12-10-21.02 - Us 10/22/2012 18:45:19.2.1 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1791.1036 [GMT -5:00]
Running from: c:\users\Us\Desktop\ComboFix.exe
Command switches used :: c:\users\Us\Desktop\cfscript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Mozilla Firefox\searchplugins\search.xml
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll --> c:\windows\system32\user32.dll
c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll --> c:\windows\SysWOW64\user32.dll
.
((((((((((((((((((((((((( Files Created from 2012-09-23 to 2012-10-23 )))))))))))))))))))))))))))))))
.
.
2012-10-23 00:17 . 2012-10-23 00:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-20 00:00 . 2012-10-20 00:00 -------- d-----w- C:\FRST
2012-10-08 18:39 . 2012-10-08 18:39 -------- d-----w- c:\users\Us\AppData\Local\TTales
2012-10-07 22:49 . 2012-10-07 22:49 -------- d-----w- c:\users\Us\AppData\Local\Lucasarts
2012-09-26 20:00 . 2012-10-16 20:30 -------- d-----w- c:\users\Us\AppData\Local\Diagnostics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-06 03:55 . 2012-09-06 03:55 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-09-06 03:55 . 2011-05-11 00:46 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-24 20:43 . 2012-08-24 20:43 384352 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2012-07-26 08:21 . 2012-07-26 08:21 291680 ----a-w- c:\windows\system32\drivers\avgldx64.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}]
c:\program files (x86)\somototoolbar\vmntemplateX.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}"= "c:\program files (x86)\somototoolbar\vmntemplateX.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MusicManager"="c:\users\Us\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-08-31 7321600]
"Spotify Web Helper"="c:\users\Us\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-20 932528]
"LogitechSoftwareUpdate"="c:\program files (x86)\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"VMonitorVMUVC"="c:\program files (x86)\Vimicro Corporation\VMUVC\VMonitor.exe" [2008-03-26 135168]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"LogitechVideoRepair"="c:\program files (x86)\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files (x86)\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WPN111\wpn111.exe [2011-4-24 995328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-08-13 5167736]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 136176]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-09-13 114144]
R3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50a64.sys [2006-11-29 43328]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111vx.sys [2008-08-05 1075712]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-07-26 291680]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-08-24 384352]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;d:\cobian backup 11\cbVSCService11.exe [2012-07-31 67584]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 52632]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2009-10-07 30232]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
S3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [2006-11-29 41280]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
S3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys [2009-03-11 198400]
S3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2008-07-01 303616]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 01:44]
.
2012-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 01:44]
.
2012-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444250241-1775575786-799666393-1000Core.job
- c:\users\Us\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-24 20:59]
.
2012-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444250241-1775575786-799666393-1000UA.job
- c:\users\Us\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-24 20:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-04-24 8067616]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.primericaonline.com/Login
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Us\AppData\Roaming\Mozilla\Firefox\Profiles\e8rcpt6j.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-09-05 22:55; {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-10-22 19:21:54
ComboFix-quarantined-files.txt 2012-10-23 00:21
ComboFix2.txt 2012-10-22 01:18
.
Pre-Run: 3,851,141,120 bytes free
Post-Run: 3,552,149,504 bytes free
.
- - End Of File - - 4365BA52FF3AF24F5E4D6B16BF19331E


ADWCLEANER LOG:

# AdwCleaner v2.005 - Logfile created 10/22/2012 at 20:52:10
# Updated 14/10/2012 by Xplode
# Operating system : Windows 7 Ultimate (64 bits)
# User : Us - WIN7DESKTOP
# Boot Mode : Normal
# Running from : C:\Users\Us\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\ProgramData\WeCareReminder

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\Somoto Toolbar
Key Deleted : HKCU\Software\wecarereminder
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\IEHelperv2.5.0.DLL
Key Deleted : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder
Key Deleted : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v15.0.1 (en-US)

*************************

AdwCleaner[S1].txt - [332 octets] - [22/10/2012 20:28:31]
AdwCleaner[S2].txt - [2361 octets] - [22/10/2012 20:52:10]

########## EOF - C:\AdwCleaner[S2].txt - [2421 octets] ##########

MalwareBytes

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.23.01

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Us :: WIN7DESKTOP [administrator]

10/22/2012 9:05:03 PM
mbam-log-2012-10-22 (21-05-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201492
Time elapsed: 2 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Us\rw2123456.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
C:\Users\Us\rw23456.exe (HackTool.Wpakill) -> Quarantined and deleted successfully.
C:\Users\Us\Downloads\SoftonicDownloader_for_dvd-decrypter.exe (PUP.OfferBundler.ST) -> Quarantined and deleted successfully.

(end)

ESET Log:

C:\Documents and Settings\Us\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6DF77ANG\video_downloader[1].htm HTML/ScrInject.B.Gen virus
C:\Documents and Settings\Us\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ET1T95ZJ\landing[1].htm HTML/ScrInject.B.Gen virus
C:\Documents and Settings\Us\AppData\Local\{24C4DE4E-DBA0-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan
C:\Documents and Settings\Us\Downloads\cdbxp_setup_4.3.8.2568.exe Win32/OpenCandy application
C:\Users\Us\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6DF77ANG\video_downloader[1].htm HTML/ScrInject.B.Gen virus
C:\Users\Us\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ET1T95ZJ\landing[1].htm HTML/ScrInject.B.Gen virus
C:\Users\Us\AppData\Local\{24C4DE4E-DBA0-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan
C:\Users\Us\Downloads\cdbxp_setup_4.3.8.2568.exe Win32/OpenCandy application

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:25 AM

Posted 25 October 2012 - 05:05 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files (x86)\SmileyCentral_1vEI\Installr\1.bin\1vEIPlug.dll
C:\Program Files (x86)\SmileyCentral_1vEI\Installr\1.bin\NP1vEISb.dll
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll
C:\Users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT


Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

NEXT

Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Sooner Aviator

Sooner Aviator
  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:25 AM

Posted 29 October 2012 - 05:10 PM

Ok, after running these last steps, it appears I still have the redirect problem. It seems to not have the problem when I use the Google search box in firefox, but it is apparent when I use Google directly.

CFScript Log 2

ComboFix 12-10-21.02 - Us 10/29/2012 16:47:26.3.1 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1791.1032 [GMT -5:00]
Running from: c:\users\Us\Desktop\ComboFix.exe
Command switches used :: c:\users\Us\Desktop\cfscript2.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.
FILE ::
"c:\program files (x86)\SmileyCentral_1vEI\Installr\1.bin\1vEIPlug.dll"
"c:\program files (x86)\SmileyCentral_1vEI\Installr\1.bin\NP1vEISb.dll"
"c:\programdata\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll"
"c:\users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll"
.
.
((((((((((((((((((((((((( Files Created from 2012-09-28 to 2012-10-29 )))))))))))))))))))))))))))))))
.
.
2012-10-29 21:48 . 2012-10-29 21:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-23 02:12 . 2012-10-23 02:12 -------- d-----w- c:\program files (x86)\ESET
2012-10-23 02:04 . 2012-10-23 02:04 -------- d-----w- c:\users\Us\AppData\Roaming\Malwarebytes
2012-10-23 02:04 . 2012-10-23 02:04 -------- d-----w- c:\programdata\Malwarebytes
2012-10-23 02:04 . 2012-10-23 02:04 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-10-23 02:04 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-20 00:00 . 2012-10-20 00:00 -------- d-----w- C:\FRST
2012-10-08 18:39 . 2012-10-08 18:39 -------- d-----w- c:\users\Us\AppData\Local\TTales
2012-10-07 22:49 . 2012-10-07 22:49 -------- d-----w- c:\users\Us\AppData\Local\Lucasarts
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-06 03:55 . 2012-09-06 03:55 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-09-06 03:55 . 2011-05-11 00:46 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-24 20:43 . 2012-08-24 20:43 384352 ----a-w- c:\windows\system32\drivers\avgtdia.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}]
c:\program files (x86)\somototoolbar\vmntemplateX.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}"= "c:\program files (x86)\somototoolbar\vmntemplateX.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MusicManager"="c:\users\Us\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-08-31 7321600]
"Spotify Web Helper"="c:\users\Us\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-20 932528]
"LogitechSoftwareUpdate"="c:\program files (x86)\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"VMonitorVMUVC"="c:\program files (x86)\Vimicro Corporation\VMUVC\VMonitor.exe" [2008-03-26 135168]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"LogitechVideoRepair"="c:\program files (x86)\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files (x86)\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WPN111\wpn111.exe [2011-4-24 995328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-08-13 5167736]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 136176]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-10-25 115168]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50a64.sys [2006-11-29 43328]
R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys [2009-03-11 198400]
R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2008-07-01 303616]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111vx.sys [2008-08-05 1075712]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-07-26 291680]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-08-24 384352]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;d:\cobian backup 11\cbVSCService11.exe [2012-07-31 67584]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 52632]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2009-10-07 30232]
S3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [2006-11-29 41280]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 01:44]
.
2012-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 01:44]
.
2012-10-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444250241-1775575786-799666393-1000Core.job
- c:\users\Us\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-24 20:59]
.
2012-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444250241-1775575786-799666393-1000UA.job
- c:\users\Us\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-24 20:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-04-24 8067616]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.primericaonline.com/Login
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Us\AppData\Roaming\Mozilla\Firefox\Profiles\e8rcpt6j.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-09-05 22:55; {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-10-29 16:53:14
ComboFix-quarantined-files.txt 2012-10-29 21:53
ComboFix2.txt 2012-10-23 00:21
ComboFix3.txt 2012-10-22 01:18
.
Pre-Run: 3,753,955,328 bytes free
Post-Run: 3,707,944,960 bytes free
.
- - End Of File - - BBA88BD62CCA6F76130EFCE8E1563BEA


Mini Toolbox Log

MiniToolBox by Farbar Version: 23-07-2012
Ran by Us (administrator) on 29-10-2012 at 16:56:31
Microsoft Windows 7 Ultimate (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0
========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

µTorrent (Version: 3.0.0)
Ableton Live 8 (Version: 8.0.0.0)
Adobe AIR (Version: 3.0.0.4080)
Adobe Flash Player 11 Plugin 64-bit (Version: 11.2.202.235)
Adobe Reader X (10.1.1) (Version: 10.1.1)
Amazon MP3 Downloader 1.0.12 (Version: 1.0.12)
Apple Application Support (Version: 1.5.1)
Apple Mobile Device Support (Version: 3.4.0.25)
Apple Software Update (Version: 2.1.2.120)
ASPCA Reminder by We-Care.com v4.0.16.1 (Version: 4.0.16.1)
Audacity 2.0
AVG 2012 (Version: 12.0.2221)
AVG 2012 (Version: 12.0.2441)
AVG 2012 (Version: 2012.0.2221)
AVS DVD Copy version 4.1.2
AVS Update Manager 1.0
AVS4YOU Software Navigator 1.4
Bonjour (Version: 2.0.5.0)
Burn4Free DVD Burning 5.6.0.0
Burn4Free FileBulldog Toolbar
CDBurnerXP (Version: 4.3.8.2568)
Clone Wars
Cobian Backup 11 Gravity
Cool MP3 Splitter 2.02
Coupon Printer for Windows (Version: 5.0.0.1)
Digital microscope (Version: 2009.03.18)
DVD Decrypter (Remove Only)
ESET Online Scanner v3
Firebird SQL Server - MAGIX Edition (Version: 2.1.27.0)
Free RAR Extract Frog (Version: 3.22)
GameFly (Version: 1.0.1297)
Google Earth Plug-in (Version: 6.1.0.5001)
Google Talk Plugin (Version: 3.9.1.9832)
Google Update Helper (Version: 1.3.21.123)
IrfanView (remove only) (Version: 4.30)
iTunes (Version: 10.2.2.14)
Java Auto Updater (Version: 2.0.7.1)
Java™ 6 Update 35 (Version: 6.0.350)
LEGO Star Wars II (Version: 1.00.0000)
Logitech QuickCam Software (Version: 8.47.0000)
Logitech Webcam Software (Version: 12.10.1113)
Logitech Webcam Software Driver Package (Version: 12.10.1110)
MAGIX Goya burnR (MSI) (Version: 4.3.1.6)
MAGIX Music Maker MX Download Version (Version: 18.0.0.42)
MAGIX Screenshare (Version: 4.3.6.1987)
Malwarebytes Anti-Malware version 1.65.1.1000 (Version: 1.65.1.1000)
MicroCapture 2.0 (Version: 2.0)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft IntelliPoint 8.1 (Version: 8.15.406.0)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Groove MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Professional Plus 2010 (Version: 14.0.4763.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.4763.1000)
Microsoft Silverlight (Version: 4.0.60531.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Mozilla Firefox 15.0.1 (x86 en-US) (Version: 15.0.1)
Mozilla Firefox 16.0.1 (x86 en-US) (Version: 16.0.1)
Mozilla Maintenance Service (Version: 16.0.1)
Mplayer 0.6.9 (Version: 0.6.9)
MSXML 4.0 SP3 Parser (Version: 4.30.2100.0)
Music Manager
Need for Speed™ ProStreet (Version: 1.0.1.0)
NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111 (Version: 1.0.0)
NVIDIA Drivers (Version: 1.7)
OpenOffice.org 3.3 (Version: 3.3.9567)
QuickTime (Version: 7.69.80.9)
Realtek High Definition Audio Driver (Version: 6.0.1.5919)
Spotify (Version: 0.5.2)
Spotify (Version: 0.8.3.222.g317ab79d)
Text-To-Speech-Runtime (Version: 1.0.0.0)
Visual Studio 2008 x64 Redistributables (Version: 10.0.0.2)
VLC media player 1.1.11 (Version: 1.1.11)
WeatherScope
Yahoo! Detect

**** End of log ****


FSS LOG

Farbar Service Scanner Version: 27-10-2012
Ran by Us (administrator) on 29-10-2012 at 16:57:33
Running from "C:\Users\Us\Downloads"
Microsoft Windows 7 Ultimate (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Attempt to access Google.com returned error: Other errors
Yahoo IP is accessible.
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2009-07-13 18:25] - [2009-07-13 20:45] - 1898576 ____A (Microsoft Corporation) 912107716BAB424C7870E8E6AF5E07E1

C:\Windows\System32\dnsrslvr.dll
[2009-07-13 18:21] - [2009-07-13 20:40] - 0182272 ____A (Microsoft Corporation) 676108C4E3AA6F6B34633748BD0BEBD9

C:\Windows\System32\mpssvc.dll
[2009-07-13 19:09] - [2009-07-13 20:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 18:36] - [2009-07-13 20:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
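The FSS log above carries two findings a responder should pull out before anything else: protections switched off by registry policy (the firewall profile has EnableFirewall=0 and Windows Defender has DisableAntiSpyware=1, neither of which a user normally sets by hand), and system files in the "File Check:" section that FSS could not match to a known-good MD5 and therefore printed with their recorded hash. The Python below is an added example, not code from the thread or from Farbar's tools; it parses those two sections so the findings can be reviewed or compared against a reference hash source. The sample text is excerpted from the posted log; the assumptions about line layout (one bare path followed by one detail line, DWORD data printed as hex digits) are marked in comments.

```python
"""Triage helper for Farbar Service Scanner (FSS) logs.

Added example, not part of the forum thread and not FSS's own code. It extracts:
  1. registry values printed under a "<feature> Disabled Policy:" heading, which
     show a protection turned off by policy (here the firewall and Defender);
  2. "File Check:" entries FSS could not match to a known-good MD5, with the
     hash it recorded, so they can be compared against a reference source.
"""
import re

# Sample input: excerpted from the FSS log posted above, trimmed to the
# sections this parser handles.
SAMPLE_FSS_LOG = r"""
Farbar Service Scanner Version: 27-10-2012
Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

System Restore Disabled Policy:
========================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys
[2009-07-13 18:25] - [2009-07-13 20:45] - 1898576 ____A (Microsoft Corporation) 912107716BAB424C7870E8E6AF5E07E1

C:\Windows\System32\dnsrslvr.dll
[2009-07-13 18:21] - [2009-07-13 20:40] - 0182272 ____A (Microsoft Corporation) 676108C4E3AA6F6B34633748BD0BEBD9

C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit

**** End of log ****
"""

POLICY_HEADING = re.compile(r"^(?P<feature>.+?) Disabled Policy:$")
REG_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_DWORD = re.compile(r'^"(?P<value>[^"]+)"=DWORD:(?P<data>[0-9A-Fa-f]+)$')
MD5_LEGIT = re.compile(r"^(?P<path>.+?) => MD5 is legit$")
# Assumed layout of the detail line FSS prints for an unmatched file:
# [created] - [modified] - size attrs (company) MD5
FILE_DETAIL = re.compile(
    r"^\[[^\]]+\] - \[[^\]]+\] - (?P<size>\d+) \S+ \((?P<company>[^)]*)\) "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_fss_log(text):
    """Return disabled-policy values and MD5-unverified files from an FSS log."""
    disabled_policies, unverified_files, verified_files = [], [], []
    feature = None        # set while inside a "<feature> Disabled Policy:" block
    reg_key = None        # last [HKEY_...] line seen inside that block
    pending_path = None   # File Check path whose detail line has not arrived yet
    in_file_check = False

    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"="}:        # blank lines and ===== underlines
            continue
        if line == "File Check:":
            in_file_check, feature = True, None
            continue
        m = POLICY_HEADING.match(line)
        if m:
            feature, reg_key = m.group("feature"), None
            continue
        if line.endswith(":"):                    # any other heading ends a policy block
            feature = None
            continue
        if feature is not None:
            m = REG_KEY.match(line)
            if m:
                reg_key = m.group("key")
            elif (m := REG_DWORD.match(line)) and reg_key:
                # Assumption: FSS prints DWORD data as hex digits (0 and 1 read the same).
                disabled_policies.append({"feature": feature, "key": reg_key,
                                          "value": m.group("value"),
                                          "data": int(m.group("data"), 16)})
            continue
        if in_file_check:
            if line.startswith("****"):           # "**** End of log ****"
                in_file_check = False
            elif (m := MD5_LEGIT.match(line)):
                verified_files.append(m.group("path"))
                pending_path = None
            elif (m := FILE_DETAIL.match(line)) and pending_path:
                unverified_files.append({"path": pending_path, "size": int(m.group("size")),
                                         "company": m.group("company"),
                                         "md5": m.group("md5").upper()})
                pending_path = None
            else:
                pending_path = line               # a bare path: its detail line follows
    return {"disabled_policies": disabled_policies,
            "unverified_files": unverified_files,
            "verified_files": verified_files}


def triage_report(findings):
    """One line per finding: policy-disabled protections first, then unverified hashes."""
    lines = [f"POLICY     {p['feature']}: {p['value']}={p['data']} ({p['key']})"
             for p in findings["disabled_policies"]]
    lines += [f"UNVERIFIED {f['path']} md5={f['md5']} size={f['size']} ({f['company']})"
              for f in findings["unverified_files"]]
    return lines


if __name__ == "__main__":
    for entry in triage_report(parse_fss_log(SAMPLE_FSS_LOG)):
        print(entry)
```

Files FSS lists as "MD5 is legit" matched its built-in hash table; a file printed with a hash did not, which means "check it", not "infected": the four such files in the log above are all dated 2009-07-13 and signed as Microsoft Corporation, consistent with the original Windows 7 RTM binaries, and the responder in this thread treated them that way. The policy values are the stronger signal, since disabling the firewall and Defender through policy keys is a common step for the kind of adware and redirector bundles the earlier scans removed.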

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:25 AM

Posted 29 October 2012 - 05:32 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
c:\program files (x86)\somototoolbar\vmntemplateX.dll

Folder::
c:\program files (x86)\somototoolbar

Registry::
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}"=-
[-HKEY_CLASSES_ROOT\clsid\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}]

DDS::
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

Please re-run AdwCleaner, choose to DELETE what it finds, and post the new log.


Are the redirects still occurring? Is it just Firefox or all browsers?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:25 AM

Posted 04 November 2012 - 02:49 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 11 November 2012 - 02:17 PM

This topic has been re-opened at the request of the person who originally posted.



#13 Sooner Aviator

Sooner Aviator
  • Topic Starter

  • Members
  • 11 posts

Posted 11 November 2012 - 08:59 PM

It appears that Firefox is not being affected by the redirect issue. It is the only browser I use.

Combofix Log 3

ComboFix 12-11-10.03 - Us 11/11/2012 19:26:00.5.1 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1791.834 [GMT -6:00]
Running from: c:\users\Us\Downloads\ComboFix.exe
Command switches used :: c:\users\Us\Desktop\cfscript3.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files (x86)\somototoolbar\vmntemplateX.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\somototoolbar
c:\program files (x86)\somototoolbar\chrome\skin\lib\weatherbutton\panels\images\options-weather.png
c:\program files (x86)\somototoolbar\chrome\skin\lib\weatherbutton\panels\images\over-blue.png
c:\program files (x86)\somototoolbar\chrome\skin\lib\weatherbutton\panels\images\over-orange.png
c:\program files (x86)\somototoolbar\chrome\skin\lib\weatherbutton\panels\images\powered-by-weatherbug.png
c:\program files (x86)\somototoolbar\chrome\skin\lib\weatherbutton\panels\images\powered-by-weatherbug2.png
c:\program files (x86)\somototoolbar\chrome\skin\lib\weatherbutton\panels\images\radio-checked.png
c:\program files (x86)\somototoolbar\chrome\skin\lib\weatherbutton\panels\images\radio-unchecked.png
c:\program files (x86)\somototoolbar\chrome\skin\lib\weatherbutton\panels\images\searchbox-pnlbtm.png
c:\program files (x86)\somototoolbar\chrome\skin\lib\weatherbutton\panels\images\weather-contour.png
c:\program files (x86)\somototoolbar\chrome\skin\lib\weatherbutton\panels\popupWeather.css
c:\program files (x86)\somototoolbar\chrome\skin\lib\weatherbutton\panels\popupWeather.html
c:\program files (x86)\somototoolbar\chrome\skin\lib\yahoo.png
c:\program files (x86)\somototoolbar\chrome\skin\lichen.gif
c:\program files (x86)\somototoolbar\chrome\skin\logo-about.png
c:\program files (x86)\somototoolbar\chrome\skin\logo-over.png
c:\program files (x86)\somototoolbar\chrome\skin\logo-separator.png
c:\program files (x86)\somototoolbar\chrome\skin\logo.png
c:\program files (x86)\somototoolbar\chrome\skin\mail.png
c:\program files (x86)\somototoolbar\chrome\skin\menuseparatorback.gif
c:\program files (x86)\somototoolbar\chrome\skin\modify-save.png
c:\program files (x86)\somototoolbar\chrome\skin\modify.png
c:\program files (x86)\somototoolbar\chrome\skin\modifyhot.png
c:\program files (x86)\somototoolbar\chrome\skin\music.png
c:\program files (x86)\somototoolbar\chrome\skin\namespacetoolbar.css
c:\program files (x86)\somototoolbar\chrome\skin\news.png
c:\program files (x86)\somototoolbar\chrome\skin\options\options-main.png
c:\program files (x86)\somototoolbar\chrome\skin\options\options-search.png
c:\program files (x86)\somototoolbar\chrome\skin\options\options-weather.png
c:\program files (x86)\somototoolbar\chrome\skin\options\options-widgets.png
c:\program files (x86)\somototoolbar\chrome\skin\orange.gif
c:\program files (x86)\somototoolbar\chrome\skin\pixsy.png
c:\program files (x86)\somototoolbar\chrome\skin\protect-id.png
c:\program files (x86)\somototoolbar\chrome\skin\relatedlinks.png
c:\program files (x86)\somototoolbar\chrome\skin\rss-collapse.png
c:\program files (x86)\somototoolbar\chrome\skin\rss-delete.png
c:\program files (x86)\somototoolbar\chrome\skin\rss-expand.png
c:\program files (x86)\somototoolbar\chrome\skin\rss-feed.png
c:\program files (x86)\somototoolbar\chrome\skin\rss-folder-remove.png
c:\program files (x86)\somototoolbar\chrome\skin\rss-folder-rename.png
c:\program files (x86)\somototoolbar\chrome\skin\rss-folder.png
c:\program files (x86)\somototoolbar\chrome\skin\rss-found.png
c:\program files (x86)\somototoolbar\chrome\skin\rss-reload.png
c:\program files (x86)\somototoolbar\chrome\skin\rss-subscribe.png
c:\program files (x86)\somototoolbar\chrome\skin\rss.png
c:\program files (x86)\somototoolbar\chrome\skin\rssback.gif
c:\program files (x86)\somototoolbar\chrome\skin\rsstopback.gif
c:\program files (x86)\somototoolbar\chrome\skin\search-over.png
c:\program files (x86)\somototoolbar\chrome\skin\search.png
c:\program files (x86)\somototoolbar\chrome\skin\searchbar\searchbar-background-left.png
c:\program files (x86)\somototoolbar\chrome\skin\searchbar\searchbar-background-middle.png
c:\program files (x86)\somototoolbar\chrome\skin\searchbar\searchbar-background-right.png
c:\program files (x86)\somototoolbar\chrome\skin\settings.png
c:\program files (x86)\somototoolbar\chrome\skin\shopping.png
c:\program files (x86)\somototoolbar\chrome\skin\siteinfo.png
c:\program files (x86)\somototoolbar\chrome\skin\skin-bluelite.png
c:\program files (x86)\somototoolbar\chrome\skin\skin-bluesky.png
c:\program files (x86)\somototoolbar\chrome\skin\skin-grey.png
c:\program files (x86)\somototoolbar\chrome\skin\skin-lichen.png
c:\program files (x86)\somototoolbar\chrome\skin\skin-orange.png
c:\program files (x86)\somototoolbar\chrome\skin\skin-yellow.png
c:\program files (x86)\somototoolbar\chrome\skin\skin.xml
c:\program files (x86)\somototoolbar\chrome\skin\technorati.png
c:\program files (x86)\somototoolbar\chrome\skin\throbber.gif
c:\program files (x86)\somototoolbar\chrome\skin\toolbarsplitter.png
c:\program files (x86)\somototoolbar\chrome\skin\translate.png
c:\program files (x86)\somototoolbar\chrome\skin\TRUSTe_about.png
c:\program files (x86)\somototoolbar\chrome\skin\vmn.css
c:\program files (x86)\somototoolbar\chrome\skin\vmn.png
c:\program files (x86)\somototoolbar\chrome\skin\web.png
c:\program files (x86)\somototoolbar\chrome\skin\wikipedia.png
c:\program files (x86)\somototoolbar\chrome\skin\yahoosearch.png
c:\program files (x86)\somototoolbar\chrome\skin\yellow.gif
c:\program files (x86)\somototoolbar\chrome\skin\youtube.png
c:\program files (x86)\somototoolbar\chrome\skin\zoom.png
c:\program files (x86)\somototoolbar\components\windowmediator.js
c:\program files (x86)\somototoolbar\dtband.dll
c:\program files (x86)\somototoolbar\install.ico
c:\program files (x86)\somototoolbar\manifest.xml
c:\program files (x86)\somototoolbar\partner.xml
c:\program files (x86)\somototoolbar\search.ico
c:\program files (x86)\somototoolbar\uninstall.exe
c:\windows\TEMP\logishrd\LVPrcInj02.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-10-12 to 2012-11-12 )))))))))))))))))))))))))))))))
.
.
2012-11-12 01:37 . 2012-11-12 01:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-29 22:30 . 2012-10-29 22:30 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-10-23 02:12 . 2012-10-23 02:12 -------- d-----w- c:\program files (x86)\ESET
2012-10-23 02:04 . 2012-10-23 02:04 -------- d-----w- c:\users\Us\AppData\Roaming\Malwarebytes
2012-10-23 02:04 . 2012-10-23 02:04 -------- d-----w- c:\programdata\Malwarebytes
2012-10-23 02:04 . 2012-10-23 02:04 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-10-23 02:04 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-20 00:00 . 2012-10-20 00:00 -------- d-----w- C:\FRST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-24 20:32 . 2012-09-06 03:55 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-09-24 20:32 . 2011-05-11 00:46 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-24 20:43 . 2012-08-24 20:43 384352 ----a-w- c:\windows\system32\drivers\avgtdia.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}]
c:\program files (x86)\somototoolbar\vmntemplateX.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MusicManager"="c:\users\Us\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-10-22 7356928]
"Spotify Web Helper"="c:\users\Us\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-20 932528]
"LogitechSoftwareUpdate"="c:\program files (x86)\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"VMonitorVMUVC"="c:\program files (x86)\Vimicro Corporation\VMUVC\VMonitor.exe" [2008-03-26 135168]
"LogitechVideoRepair"="c:\program files (x86)\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files (x86)\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WPN111\wpn111.exe [2011-4-24 995328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50a64.sys [2006-11-29 43328]
R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys [2009-03-11 198400]
R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2008-07-01 303616]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111vx.sys [2008-08-05 1075712]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-07-26 291680]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-08-24 384352]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-08-13 5167736]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;d:\cobian backup 11\cbVSCService11.exe [2012-07-31 67584]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 52632]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2009-10-07 30232]
S3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [2006-11-29 41280]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 01:44]
.
2012-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 01:44]
.
2012-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444250241-1775575786-799666393-1000Core.job
- c:\users\Us\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-24 20:59]
.
2012-11-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444250241-1775575786-799666393-1000UA.job
- c:\users\Us\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-24 20:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-04-24 8067616]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.primericaonline.com/Login
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Us\AppData\Roaming\Mozilla\Firefox\Profiles\e8rcpt6j.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-29 17:30; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-11-11 19:40:58
ComboFix-quarantined-files.txt 2012-11-12 01:40
ComboFix2.txt 2012-11-12 01:21
ComboFix3.txt 2012-10-29 21:53
ComboFix4.txt 2012-10-23 00:21
ComboFix5.txt 2012-11-12 01:24
.
Pre-Run: 4,071,993,344 bytes free
Post-Run: 3,873,779,712 bytes free
.
- - End Of File - - D6B29C665A8593CA6CEA484E22C30715


AdwCleaner Log

# AdwCleaner v2.005 - Logfile created 11/11/2012 at 19:51:46
# Updated 14/10/2012 by Xplode
# Operating system : Windows 7 Ultimate (64 bits)
# User : Us - WIN7DESKTOP
# Boot Mode : Normal
# Running from : C:\Users\Us\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.2 (en-US)

*************************

AdwCleaner[S1].txt - [332 octets] - [22/10/2012 19:28:31]
AdwCleaner[S2].txt - [2486 octets] - [22/10/2012 19:52:10]
AdwCleaner[S3].txt - [779 octets] - [11/11/2012 12:35:17]
AdwCleaner[R1].txt - [838 octets] - [11/11/2012 12:38:16]
AdwCleaner[S4].txt - [897 octets] - [11/11/2012 12:38:40]
AdwCleaner[S5].txt - [829 octets] - [11/11/2012 19:51:46]

########## EOF - C:\AdwCleaner[S5].txt - [888 octets] ##########

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:25 AM

Posted 11 November 2012 - 10:01 PM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic471849.html/page__pid__2892693#entry2892693

Collect::
c:\program files (x86)\somototoolbar\vmntemplateX.dll

Registry::
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}]

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click on "Do I have Java"
  • It will check your current version and then offer to update to the latest version
  • Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if there are - remove them.



NEXT



Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
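Added example, not part of this thread and not ComboFix's own code: a small Python parser for the "Reg Loading Points" block of the ComboFix log pasted above. It lists the Browser Helper Object and Run entries, flags those whose loaded file sits under a directory fragment you supply (here the somototoolbar folder that the CFScript above targets), and renders the "[-KEY]" Registry:: deletion line in the same form the CFScript uses. The sample text is copied from the log in this thread; the directory fragments, class and function names are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the "Reg Loading Points" section from the
# ComboFix log pasted in this thread (lines reproduced from the page).
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}]
c:\program files (x86)\somototoolbar\vmntemplateX.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MusicManager"="c:\users\Us\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-10-22 7356928]
"Spotify Web Helper"="c:\users\Us\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-20 932528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
"""


@dataclass
class LoadingPoint:
    key: str    # registry key the entry was listed under
    name: str   # BHO CLSID, or the Run value name
    path: str   # file the entry loads


KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
TRAILER_RE = re.compile(r"\s+\[[^\]]*\]\s*$")   # strips " [BU]" or " [date size]"


def parse_loading_points(text):
    """Return BHO and Run entries found in a ComboFix 'Reg Loading Points' block."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "." or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if current_key is None:
            continue
        if "Browser Helper Objects" in current_key:
            # ComboFix prints the BHO's DLL on the line below the key;
            # the CLSID is the key's last path component.
            clsid = current_key.rsplit("\\", 1)[-1]
            entries.append(LoadingPoint(current_key, clsid, TRAILER_RE.sub("", line)))
        elif current_key.lower().endswith("\\run"):
            v = VALUE_RE.match(line)
            if v:
                entries.append(LoadingPoint(current_key, v.group("name"), v.group("path")))
    return entries


def flag_by_directory(entries, suspect_dirs):
    """Entries whose loaded file lies under one of the directory fragments (case-insensitive)."""
    frags = [d.lower() for d in suspect_dirs]
    return [e for e in entries if any(f in e.path.lower() for f in frags)]


def cfscript_registry_lines(entries):
    """Render the '[-KEY]' deletion directives used under Registry:: in the thread's CFScript."""
    return sorted({f"[-{e.key}]" for e in entries if "Browser Helper Objects" in e.key})


if __name__ == "__main__":
    found = parse_loading_points(SAMPLE_LOG)
    for e in found:
        print(f"{e.name:40} -> {e.path}")
    # Assumed suspect directory fragment: the toolbar folder named in this thread.
    hits = flag_by_directory(found, ["\\somototoolbar\\"])
    print("Flagged:", [h.name for h in hits])
    print("Registry:: lines:", cfscript_registry_lines(hits))
```

The parser only looks at the two loading-point types that matter for this thread (BHOs and Run keys); the directory-fragment check is a simple triage filter, and anything it flags still needs a human to confirm before it goes into a CFScript.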


#15 Sooner Aviator

Sooner Aviator
  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:25 AM

Posted 14 November 2012 - 11:02 PM

Still having redirect issues, I may have messed up one of the combofix runs.


CFLog

ComboFix 12-11-10.03 - Us 11/14/2012 21:10:06.7.1 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1791.1018 [GMT -6:00]
Running from: c:\users\Us\Downloads\ComboFix.exe
Command switches used :: c:\users\Us\Downloads\cfscriptb.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll . . . . Failed to delete
c:\windows\TEMP\logishrd\LVPrcInj02.dll . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-10-15 to 2012-11-15 )))))))))))))))))))))))))))))))
.
.
2012-11-15 03:45 . 2012-11-15 03:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-10-29 22:30 . 2012-10-29 22:30 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-10-23 02:12 . 2012-10-23 02:12 -------- d-----w- c:\program files (x86)\ESET
2012-10-23 02:04 . 2012-10-23 02:04 -------- d-----w- c:\users\Us\AppData\Roaming\Malwarebytes
2012-10-23 02:04 . 2012-10-23 02:04 -------- d-----w- c:\programdata\Malwarebytes
2012-10-23 02:04 . 2012-10-23 02:04 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-10-23 02:04 . 2012-09-30 00:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-10-20 00:00 . 2012-10-20 00:00 -------- d-----w- C:\FRST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-24 20:32 . 2012-09-06 03:55 477168 ----a-w- c:\windows\SysWow64\npdeployJava1.dll
2012-09-24 20:32 . 2011-05-11 00:46 473072 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-08-24 20:43 . 2012-08-24 20:43 384352 ----a-w- c:\windows\system32\drivers\avgtdia.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{c3721e85-f0ac-4b7e-ae4c-3e738011dc9d}]
c:\program files (x86)\somototoolbar\vmntemplateX.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MusicManager"="c:\users\Us\AppData\Local\Programs\Google\MusicManager\MusicManager.exe" [2012-10-22 7356928]
"Spotify Web Helper"="c:\users\Us\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-20 932528]
"LogitechSoftwareUpdate"="c:\program files (x86)\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-07-31 2596984]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"VMonitorVMUVC"="c:\program files (x86)\Vimicro Corporation\VMUVC\VMonitor.exe" [2008-03-26 135168]
"LogitechVideoRepair"="c:\program files (x86)\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files (x86)\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-09-17 254896]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - c:\program files (x86)\NETGEAR\WPN111\wpn111.exe [2011-4-24 995328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2008-08-07 3276800]
R3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50a64.sys [2006-11-29 43328]
R3 VMUVC;Vimicro Camera Service VMUVC;c:\windows\system32\Drivers\VMUVC.sys [2009-03-11 198400]
R3 vvftUVC;Vimicro Camera Filter Service VMUVC;c:\windows\system32\drivers\vvftUVC.sys [2008-07-01 303616]
S0 AVGIDSHA;AVGIDSHA;c:\windows\system32\DRIVERS\avgidsha.sys [2012-04-19 28480]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [2012-01-31 36944]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [2012-07-26 291680]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [2011-12-23 47696]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [2012-08-24 384352]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\avgidsagent.exe [2012-08-13 5167736]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;d:\cobian backup 11\cbVSCService11.exe [2012-07-31 67584]
S2 Fabs;FABS - Helping agent for MAGIX media database;c:\program files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [2009-08-27 1253376]
S2 LVPrcS64;Process Monitor;c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe [2009-10-07 191000]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdrivera.sys [2011-12-23 124496]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfiltera.sys [2011-12-23 29776]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 52632]
S3 LVPr2M64;Logitech LVPr2M64 Driver;c:\windows\system32\DRIVERS\LVPr2M64.sys [2009-10-07 30232]
S3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [2006-11-29 41280]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\DRIVERS\WPN111vx.sys [2008-08-05 1075712]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 01:44]
.
2012-11-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-17 01:44]
.
2012-11-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444250241-1775575786-799666393-1000Core.job
- c:\users\Us\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-24 20:59]
.
2012-11-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2444250241-1775575786-799666393-1000UA.job
- c:\users\Us\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-24 20:59]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-04-24 8067616]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.primericaonline.com/Login
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Us\AppData\Roaming\Mozilla\Firefox\Profiles\e8rcpt6j.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=llya694le36z&scc=1&ltmpl=default&ltmplcache=2
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-10-29 17:30; {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}; c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe
c:\program files (x86)\Logitech\Video\FxSvr2.exe
c:\program files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2012-11-14 21:54:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-11-15 03:54
ComboFix2.txt 2012-11-12 06:31
ComboFix3.txt 2012-11-12 01:40
ComboFix4.txt 2012-11-12 01:21
ComboFix5.txt 2012-11-15 03:08
.
Pre-Run: 4,871,954,432 bytes free
Post-Run: 4,649,664,512 bytes free
.
- - End Of File - - 081931F54DDACDB3BAE25CE18AE8FCAF



