Solved: Browser Redirect

Deejay100six · 28-Mar-2012, 02:19 PM **#16**

Hi,

My apologies for the delay. I have been very busy and forgot about your thread as I had unsubscribed. This post will automatically subscribe me again and I'll get to work on your log now.

Thankyou for your patience.

Deejay100six · 28-Mar-2012, 06:36 PM **#17**

Hi,

Quote:

Originally Posted by tanusgreystar

BTW what would be a better antivirus to use??

I gave you some advice about this in post #6 and also asked about your views on uninstalling the AVG products. I wouldn't actually be surprised if it was AVG causing your redirects.

First of all, we need to disable Spybots Teatimer.

Disable SpyBot Tea Timer
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent some of our scanning tools from running properly.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are declared clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.

---------------------------------------------------------------------------------------------

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Code:

Firefox::
FF - ProfilePath - c:\users\Lyn\AppData\Roaming\Mozilla\Firefox\Profiles\d5d88x05.default\
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7Bb0 ... &sap=ku&q=

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

Very Important! --> If you receive a prompt saying there is an updated version of ComboFix available, please allow it to update.

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

----------------------------------------------------------------------------------

Extra Combofix Report

Push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
Please copy and paste the following into the box

Code:

C:\Qoobox\Add-Remove Programs.txt

Click ok

Copy and paste the report into this topic for me to review.

tanusgreystar · 29-Mar-2012, 03:42 AM **#18**

Ok I'll get to this within the next couple of days. I got rid of AVG using their removal tool but there may still be some of it left, like their toolbar. I'll try to get rid of that. I installed Avast and that seems to be ok so far. If I don't get to things right away, I work and go to school, so I may not get back to you as quickly as you would like. I apologize. Thanks.

tanusgreystar · 29-Mar-2012, 04:02 PM **#19**

ComboFix 12-03-29.02 - Lyn 03/29/2012 15:23:52.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6143.4345 [GMT -4:00]
Running from: c:\users\Lyn\Desktop\ComboFix.exe
Command switches used :: c:\users\Lyn\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-29 )))))))))))))))))))))))))))))))
.
.
2012-03-29 19:33 . 2012-03-29 19:33 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-03-29 19:33 . 2012-03-29 19:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-26 12:49 . 2012-03-26 12:49 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-26 12:49 . 2012-03-26 12:49 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-03-26 01:47 . 2012-03-06 23:01 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-26 01:47 . 2012-03-06 23:04 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-26 01:47 . 2012-03-06 23:02 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-03-26 01:47 . 2012-03-06 23:01 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-26 01:47 . 2012-03-06 23:04 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-26 01:47 . 2012-03-06 23:15 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-26 01:47 . 2012-03-06 23:01 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-26 01:46 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-03-26 01:46 . 2012-03-06 23:15 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-03-26 01:46 . 2012-03-26 01:46 -------- d-----w- c:\programdata\AVAST Software
2012-03-26 01:46 . 2012-03-26 01:46 -------- d-----w- c:\program files\AVAST Software
2012-03-11 14:27 . 2012-03-11 14:27 -------- d-----w- c:\programdata\Premium
2012-03-11 14:25 . 2012-03-11 14:32 -------- d-----w- c:\programdata\InstallMate
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-26 21:05 . 2010-06-01 18:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-03 00:04 . 2012-01-03 00:04 6723368 ----a-w- c:\users\Public\InstallMyTomTomSA.exe
2009-04-08 14:31 . 2009-04-08 14:31 106496 ----a-w- c:\program files (x86)\Common Files\CPInstallAction.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2010-04-08 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2010-04-08 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-03-26_01.14.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-03-25 22:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
+ 2009-07-14 04:54 . 2012-03-29 19:38 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
- 2009-07-14 04:54 . 2012-03-25 22:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-29 19:38 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-29 19:38 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-25 22:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2009-10-06 00:29 . 2012-03-29 19:39 67058 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-29 19:39 49578 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-10-06 00:15 . 2012-03-29 19:39 15538 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2867500651-1516734084-2197057008-1001_UserData.bin
- 2009-10-06 00:12 . 2012-03-26 01:15 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows \Cookies\index.dat
+ 2009-10-06 00:12 . 2012-03-29 19:38 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows \Cookies\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\T emporary Internet Files\Content.IE5\index.dat
+ 2009-10-06 00:12 . 2012-03-29 19:38 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\T emporary Internet Files\Content.IE5\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\H istory\History.IE5\index.dat
+ 2009-10-06 00:12 . 2012-03-29 19:38 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\H istory\History.IE5\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\C ookies\index.dat
+ 2009-10-06 00:12 . 2012-03-29 19:38 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\C ookies\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\His tory\History.IE5\index.dat
+ 2009-10-06 00:12 . 2012-03-29 19:38 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\His tory\History.IE5\index.dat
- 2012-03-26 01:14 . 2012-03-26 01:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-29 19:36 . 2012-03-29 19:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-29 19:36 . 2012-03-29 19:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-26 01:14 . 2012-03-26 01:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-13 00:47 . 2012-03-26 02:25 277808 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-10-07 03:54 . 2012-03-28 22:30 349932 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 05:01 . 2012-03-29 19:36 401520 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-03-26 01:13 401520 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-02-06 04:55 . 2012-03-29 19:36 22641264 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2867500651-1516734084-2197057008-1001-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\ex plorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 21:08 143360 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\OfficeGuardianV2N\reminder\SacReminder. exe" [2010-11-18 862032]
"chromium"="c:\users\Lyn\AppData\Local\Google\Chrome\Application\chrome.exe " [2012-03-21 1049072]
"MyTomTomSA.exe"="c:\program files (x86)\MyTomTom 3\MyTomTomSA.exe" [2011-11-14 435672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ru n]
"DirectConsole2"="c:\program files (x86)\ASUS\Direct Console\Direct Console.exe" [2009-04-07 2861624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Media\DMedia.exe" [2009-04-07 159744]
"ATKOSD2"="c:\program files (x86)\ASUS\ATKOSD2\ATKOSD2.exe" [2009-03-04 8392704]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Turbo Gear Help"="c:\program files (x86)\ASUS\Turbo Gear Extreme\GearHelp.exe" [2009-08-06 1026048]
"Turbo Gear"="c:\program files (x86)\ASUS\Turbo Gear Extreme\TurboGear.exe" [2009-08-06 2987520]
"Salmosa"="c:\program files (x86)\Razer\Salmosa\razerhid.exe" [2008-08-21 139264]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\Lyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2010-9-15 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 EST_Server;Network USB Device;c:\windows\system32\DRIVERS\GenHC.sys [x]
R3 ipswuio;ipswuio;c:\windows\system32\DRIVERS\ipswuio.sys [x]
S0 lullaby;lullaby;c:\windows\system32\DRIVERS\lullaby.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 EIO64;EIO Driver;c:\windows\system32\DRIVERS\EIO64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys [2007-07-24 14904]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 CFUACProxy_officeguardianv2n;CFUACProxy_officeguardianv2n;c:\programdata\Of ficeGuardianV2N\UACProxy.exe [2010-11-18 83792]
S2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x64.sys [x]
S2 NPWService;NPWService;c:\program files (x86)\Generic\Network Printer Wizard\NPWService.exe [2009-01-15 788480]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-04-08 2218600]
S2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programd ata\OfficeGuardianV2N\Reminder\SacNetAgent.exe [2010-11-18 163664]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-04-08 378472]
S2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [2012-03-12 918880]
S2 WBVGAservice;WB VGA Service;c:\program files (x86)\ASUS\Turbo Gear Enhanced VGA Driver\WBVGAservice.exe [2009-02-06 72248]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [x]
S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 salmosa;Razer Salmosa;c:\windows\system32\drivers\salmosa.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2867500651-1516734084-2197057008-1001Core.job
- c:\users\Lyn\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-18 15:59]
.
2012-03-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2867500651-1516734084-2197057008-1001UA.job
- c:\users\Lyn\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-18 15:59]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 20:52 159744 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x64\OverlayIconShlExt1_64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-04-20 1833504]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 2184520]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
FF - ProfilePath - c:\users\Lyn\AppData\Roaming\Mozilla\Firefox\Profiles\d5d88x05.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files (x86)\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
Toolbar-{95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files (x86)\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
Wow6432Node-HKLM-Run-vProt - c:\program files (x86)\AVG Secure Search\vprot.exe
Wow6432Node-HKLM-Run-ROC_roc_dec12 - c:\program files (x86)\AVG Secure Search\ROC_roc_dec12.exe
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2867500651-1516734084-2197057008-1001\Software\SecuROM\License information*]
"datasecu"=hex:7f,43,c7,10,e5,e7,73,fc,6a,5d,61,48,76,5a,80,1a,2c,03,81,57, ec,
57,f4,3d,3b,a3,47,dc,32,a3,33,5a,bf,b1,29,ad,e5,66,f6,50,96,de,92,ca,a5,17, \
"rkeysecu"=hex:de,c7,f0,77,cc,44,e2,a7,6d,05,f1,c1,86,cd,a4,c6
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_Ac tiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe
c:\program files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
c:\program files (x86)\ASUS\Net4Switch\Net4Switch.exe
c:\program files (x86)\ASUS\ATK Hotkey\HControl.exe
c:\program files (x86)\ASUS\ATK Hotkey\Atouch64.exe
c:\program files (x86)\ASUS\Turbo Gear Enhanced VGA Driver\wbctlvga.exe
c:\program files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files (x86)\ASUS\ATK Hotkey\WDC.exe
c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files (x86)\ASUS\NB Probe\SPM\spmgr.exe
c:\program files (x86)\Razer\Salmosa\razertra.exe
c:\program files (x86)\Razer\Salmosa\razerofa.exe
c:\program files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
.
**************************************************************************
.
Completion time: 2012-03-29 15:58:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-29 19:58
ComboFix2.txt 2012-03-26 01:21
.
Pre-Run: 147,795,017,728 bytes free
Post-Run: 148,084,473,856 bytes free
.
- - End Of File - - F2ECC7234BFD949E87B07190D09FE246

7-Zip 4.65
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.0
Apple Application Support
Apple Software Update
ASUS CopyProtect
ASUS Data Security Manager
ASUS LifeFrame3
ASUS Live Update
ASUS MultiFrame
ASUS SmartLogon
ASUS Turbo Gear Enhanced VGA Driver
ASUS Virtual Camera
ATK Generic Function Service
ATK Hotkey
ATK Media
ATKOSD2
avast! Free Antivirus
BitTorrent
Canon Easy-WebPrint EX
Canon MP Navigator EX 3.0
Canon MP250 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
ControlDeck
Direct Console 2.0
Dragon Age II
Dragon Age: Origins
DriverTuner 3.1.0.0
GetDislike
GIMP 2.6.11
Google Chrome
Java Auto Updater
Java(TM) 6 Update 31
Magic ISO Maker v5.5 (build 0281)
MagicDisc 2.7.106
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
Mozilla Firefox 11.0 (x86 en-US)
MyTomTom 3.1.0.530
NB Probe
Net4Switch
NetAssistant
NetAssistant for Firefox
Network Printer Wizard
Networking USB Server
NVIDIA 3D Vision Controller Driver
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
OpenPaint
QuickTime
Razer Salmosa
Realtek 8136 8168 8169 Ethernet Driver
Realtek High Definition Audio Driver
SDFormatter
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Spybot - Search & Destroy
SpywareBlaster 4.6
The Sims Medieval
Turbo Gear Extreme
UltraISO Premium V9.36
Update for 2007 Microsoft Office System (KB2284654)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb2410711)
Visual Studio C++ 10.0 Runtime
Windows Media Player Firefox Plugin
WinFlash
Wireless Console 2
Wireless Console 3

Deejay100six · 30-Mar-2012, 03:39 PM **#20**

Hi,

Please follow the instructions here to disable Windows Defender. Its not neccessary and may even cause conflicts with Avast.

---------------------------------------------------------------------------------------------

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Code:

Driver::
vToolbarUpdater10.2.0

Folder::
c:\program files (x86)\Common Files\AVG Secure Search

DDS::
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

Very Important! --> If you receive a prompt saying there is an updated version of ComboFix available, please allow it to update.

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

----------------------------------------------------------------------------------

I notice that you have Malwarebytes Antimalware (MBAM) installed
I want you to run a scan for me.
First I want you to update MBAM so we have the latest definitions onboard.....

Please open Malwarebytes Antimalware
Now click on the update tab
Next - Click on the Check for updates button

If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

-----------------------------------------------------------------------

Download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

tanusgreystar · 31-Mar-2012, 11:42 AM **#21**

Windows Defender doesn't appear on my programs list for some reason.

LOGS

ComboFix 12-03-29.02 - Lyn 03/31/2012 11:04:03.3.2 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6143.4704 [GMT -4:00]
Running from: c:\users\Lyn\Desktop\ComboFix.exe
Command switches used :: c:\users\Lyn\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Common Files\AVG Secure Search
c:\program files (x86)\Common Files\AVG Secure Search\CommonInstaller\10.0.6\CommonInstaller.exe
c:\program files (x86)\Common Files\AVG Secure Search\CommonInstaller\10.2.0\CommonInstaller.exe
c:\program files (x86)\Common Files\AVG Secure Search\CommonInstaller\9.0.1\CommonInstaller.exe
c:\program files (x86)\Common Files\AVG Secure Search\InstalledProducts.ini
c:\program files (x86)\Common Files\AVG Secure Search\ScriptHelperInstaller\10.0.6\ScriptHelper.exe
c:\program files (x86)\Common Files\AVG Secure Search\ScriptHelperInstaller\10.2.0\ScriptHelper.exe
c:\program files (x86)\Common Files\AVG Secure Search\ScriptHelperInstaller\9.0.1\ScriptHelper.exe
c:\program files (x86)\Common Files\AVG Secure Search\ToolBandTlb\10.0.6\toolband
c:\program files (x86)\Common Files\AVG Secure Search\ToolBandTlb\10.2.0\toolband
c:\program files (x86)\Common Files\AVG Secure Search\ToolBandTlb\9.0.1\toolband
c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.0.6\ViProtocol.dll
c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
c:\program files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\9.0.1\ViProtocol.dll
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\ToolbarUpdater.exe
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.0.6\UpdaterConfig.ini
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\UpdaterConfig.ini
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\UpdaterConfig.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_vToolbarUpdater10.2.0
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-31 )))))))))))))))))))))))))))))))
.
.
2012-03-31 15:14 . 2012-03-31 15:14 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-03-31 15:14 . 2012-03-31 15:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-26 12:49 . 2012-03-26 12:49 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-26 12:49 . 2012-03-26 12:49 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-03-26 01:47 . 2012-03-06 23:01 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-26 01:47 . 2012-03-06 23:04 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-26 01:47 . 2012-03-06 23:02 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-03-26 01:47 . 2012-03-06 23:01 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-26 01:47 . 2012-03-06 23:04 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-26 01:47 . 2012-03-06 23:15 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-26 01:47 . 2012-03-06 23:01 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-26 01:46 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-03-26 01:46 . 2012-03-06 23:15 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-03-26 01:46 . 2012-03-26 01:46 -------- d-----w- c:\programdata\AVAST Software
2012-03-26 01:46 . 2012-03-26 01:46 -------- d-----w- c:\program files\AVAST Software
2012-03-11 14:27 . 2012-03-11 14:27 -------- d-----w- c:\programdata\Premium
2012-03-11 14:25 . 2012-03-11 14:32 -------- d-----w- c:\programdata\InstallMate
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-26 21:05 . 2010-06-01 18:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-01-03 00:04 . 2012-01-03 00:04 6723368 ----a-w- c:\users\Public\InstallMyTomTomSA.exe
2009-04-08 14:31 . 2009-04-08 14:31 106496 ----a-w- c:\program files (x86)\Common Files\CPInstallAction.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2010-04-08 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2010-04-08 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-03-26_01.14.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2012-03-31 15:15 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
- 2009-07-14 04:54 . 2012-03-25 22:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
+ 2009-07-14 04:54 . 2012-03-31 15:15 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-25 22:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-25 22:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-31 15:15 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2009-10-06 00:29 . 2012-03-29 19:39 67058 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-31 15:17 49642 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-10-06 00:15 . 2012-03-31 11:19 15594 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2867500651-1516734084-2197057008-1001_UserData.bin
+ 2009-10-06 03:07 . 2012-03-29 20:53 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
- 2009-10-06 03:07 . 2012-03-06 14:01 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
+ 2009-10-06 03:07 . 2012-03-29 20:53 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
- 2009-10-06 03:07 . 2012-03-06 14:01 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-29 20:53 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-06 14:01 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2009-10-06 00:12 . 2012-03-31 15:16 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows \Cookies\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows \Cookies\index.dat
+ 2009-10-06 00:12 . 2012-03-31 15:16 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\T emporary Internet Files\Content.IE5\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\T emporary Internet Files\Content.IE5\index.dat
+ 2009-10-06 00:12 . 2012-03-31 15:16 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\H istory\History.IE5\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\H istory\History.IE5\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\C ookies\index.dat
+ 2009-10-06 00:12 . 2012-03-31 15:17 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\C ookies\index.dat
+ 2009-10-06 00:12 . 2012-03-31 15:17 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\His tory\History.IE5\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\His tory\History.IE5\index.dat
- 2012-03-26 01:14 . 2012-03-26 01:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-31 15:15 . 2012-03-31 15:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-26 01:14 . 2012-03-26 01:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-31 15:15 . 2012-03-31 15:15 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-13 00:47 . 2012-03-26 02:25 277808 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-10-07 03:54 . 2012-03-31 02:04 355190 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-08-03 17:13 . 2012-03-18 21:07 732750 c:\windows\system32\perfh019.dat
+ 2009-08-03 17:13 . 2012-03-31 13:35 732750 c:\windows\system32\perfh019.dat
+ 2009-07-14 02:36 . 2012-03-31 13:35 670178 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-03-18 21:07 670178 c:\windows\system32\perfh009.dat
+ 2009-08-03 17:13 . 2012-03-31 13:35 154362 c:\windows\system32\perfc019.dat
- 2009-08-03 17:13 . 2012-03-18 21:07 154362 c:\windows\system32\perfc019.dat
- 2009-07-14 02:36 . 2012-03-18 21:07 125322 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-03-31 13:35 125322 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-03-26 01:13 401520 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-31 15:14 401520 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 02:34 . 2012-03-29 21:11 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
- 2009-07-14 02:34 . 2012-03-15 13:15 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2011-02-06 04:55 . 2012-03-31 15:14 23000575 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2867500651-1516734084-2197057008-1001-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
c:\program files (x86)\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files (x86)\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\ex plorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 21:08 143360 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\OfficeGuardianV2N\reminder\SacReminder. exe" [2010-11-18 862032]
"chromium"="c:\users\Lyn\AppData\Local\Google\Chrome\Application\chrome.exe " [2012-03-27 1224176]
"MyTomTomSA.exe"="c:\program files (x86)\MyTomTom 3\MyTomTomSA.exe" [2011-11-14 435672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ru n]
"DirectConsole2"="c:\program files (x86)\ASUS\Direct Console\Direct Console.exe" [2009-04-07 2861624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Media\DMedia.exe" [2009-04-07 159744]
"ATKOSD2"="c:\program files (x86)\ASUS\ATKOSD2\ATKOSD2.exe" [2009-03-04 8392704]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Turbo Gear Help"="c:\program files (x86)\ASUS\Turbo Gear Extreme\GearHelp.exe" [2009-08-06 1026048]
"Turbo Gear"="c:\program files (x86)\ASUS\Turbo Gear Extreme\TurboGear.exe" [2009-08-06 2987520]
"Salmosa"="c:\program files (x86)\Razer\Salmosa\razerhid.exe" [2008-08-21 139264]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\Lyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2010-9-15 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 EST_Server;Network USB Device;c:\windows\system32\DRIVERS\GenHC.sys [x]
R3 ipswuio;ipswuio;c:\windows\system32\DRIVERS\ipswuio.sys [x]
S0 lullaby;lullaby;c:\windows\system32\DRIVERS\lullaby.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 EIO64;EIO Driver;c:\windows\system32\DRIVERS\EIO64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys [2007-07-24 14904]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 CFUACProxy_officeguardianv2n;CFUACProxy_officeguardianv2n;c:\programdata\Of ficeGuardianV2N\UACProxy.exe [2010-11-18 83792]
S2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x64.sys [x]
S2 NPWService;NPWService;c:\program files (x86)\Generic\Network Printer Wizard\NPWService.exe [2009-01-15 788480]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-04-08 2218600]
S2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programd ata\OfficeGuardianV2N\Reminder\SacNetAgent.exe [2010-11-18 163664]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-04-08 378472]
S2 WBVGAservice;WB VGA Service;c:\program files (x86)\ASUS\Turbo Gear Enhanced VGA Driver\WBVGAservice.exe [2009-02-06 72248]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [x]
S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 salmosa;Razer Salmosa;c:\windows\system32\drivers\salmosa.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2867500651-1516734084-2197057008-1001Core.job
- c:\users\Lyn\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-18 15:59]
.
2012-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2867500651-1516734084-2197057008-1001UA.job
- c:\users\Lyn\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-18 15:59]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 20:52 159744 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x64\OverlayIconShlExt1_64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-04-20 1833504]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 2184520]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
"combofix"="c:\combofix\CF2790.3XE" [2009-07-14 344576]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Lyn\AppData\Roaming\Mozilla\Firefox\Profiles\d5d88x05.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2867500651-1516734084-2197057008-1001\Software\SecuROM\License information*]
"datasecu"=hex:7f,43,c7,10,e5,e7,73,fc,6a,5d,61,48,76,5a,80,1a,2c,03,81,57, ec,
57,f4,3d,3b,a3,47,dc,32,a3,33,5a,bf,b1,29,ad,e5,66,f6,50,96,de,92,ca,a5,17, \
"rkeysecu"=hex:de,c7,f0,77,cc,44,e2,a7,6d,05,f1,c1,86,cd,a4,c6
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_Ac tiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\ASUS\Net4Switch\Net4Switch.exe
c:\program files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe
c:\program files (x86)\ASUS\Turbo Gear Enhanced VGA Driver\wbctlvga.exe
c:\program files (x86)\ASUS\ATK Hotkey\HControl.exe
c:\program files (x86)\ASUS\ATK Hotkey\Atouch64.exe
c:\program files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files (x86)\ASUS\ATK Hotkey\WDC.exe
c:\program files (x86)\Razer\Salmosa\razertra.exe
c:\program files (x86)\Razer\Salmosa\razerofa.exe
c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files (x86)\ASUS\NB Probe\SPM\spmgr.exe
c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMTray.exe
c:\program files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
c:\program files (x86)\ASUS\Wireless Console 3\wcourier.exe
.
**************************************************************************
.
Completion time: 2012-03-31 11:32:14 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-31 15:32
ComboFix2.txt 2012-03-29 19:58
ComboFix3.txt 2012-03-26 01:21
.
Pre-Run: 146,155,274,240 bytes free
Post-Run: 145,550,991,360 bytes free
.
- - End Of File - - 17AC041E8E740F2A79426D5619D0A81C
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.31.08

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Lyn :: LYN-PC [administrator]

3/31/2012 11:33:53 AM
mbam-log-2012-03-31 (11-33-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216476
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Results of screen317's Security Check version 0.99.32
Windows 7 x64 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Free Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
SpywareBlaster 4.6
Spybot - Search & Destroy
Java(TM) 6 Update 31
Adobe Flash Player 11.1.102.55
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (11.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent
Spybot Teatimer.exe is disabled!
AVAST Software Avast AvastSvc.exe
AVAST Software Avast AvastUI.exe
``````````End of Log````````````

THANKS!!

Deejay100six · 01-Apr-2012, 10:35 PM **#22**

Hi,

Quote:

Windows Defender doesn't appear on my programs list for some reason.

Ok, lets deal with that first.

Please press the + R key and copy/paste or type services.msc into the run dialogue box.
The services window should open. Check to see if Windows Defender is present in the list.
Assuming it is, right click Windows Defender and select properties.
Click the down arrow next to startup type and select disabled.
Let me know if you had any problems with this.

---------------------------------------------------------------------------------------------

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Code:

Folder::
c:\programdata\Premium
c:\programdata\InstallMate
c:\program files (x86)\AVG Secure Search

Registry::
[-HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=-
[-HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[-HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

Very Important! --> If you receive a prompt saying there is an updated version of ComboFix available, please allow it to update.

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

----------------------------------------------------------------------------------

Deejay100six · 04-Apr-2012, 04:19 PM **#23**

Hi, do you still require assistance?

If you do not reply within 24 hours I will have to unsubscribe from this thread and wont be notified about any new replies.

tanusgreystar · 04-Apr-2012, 11:31 PM **#24**

Hi yes I still require assistance. Sorry I didn't get back to you sooner. I will do that tonight and reply. Thanks.

tanusgreystar · 05-Apr-2012, 07:58 PM **#25**

ComboFix 12-04-05.09 - Lyn 04/05/2012 19:28:15.4.2 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6143.4388 [GMT -4:00]
Running from: c:\users\Lyn\Desktop\ComboFix.exe
Command switches used :: c:\users\Lyn\Desktop\New folder\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\InstallMate
c:\programdata\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\_Setup.dll
c:\programdata\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\_Setupx.dll
c:\programdata\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\0.ini
c:\programdata\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\20120311102543.log
c:\programdata\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\Setup.dat
c:\programdata\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\Setup.exe
c:\programdata\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\Setup.ico
c:\programdata\InstallMate\{B01A9061-55EF-4AEF-9983-6BD5B2D76491}\TsuDll.dll
c:\programdata\Premium
c:\users\Public\SecurityCheck.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-05 to 2012-04-05 )))))))))))))))))))))))))))))))
.
.
2012-04-05 23:37 . 2012-04-05 23:37 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-04-05 23:37 . 2012-04-05 23:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-26 12:49 . 2012-03-26 12:49 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-26 12:49 . 2012-03-26 12:49 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-03-26 01:47 . 2012-03-06 23:01 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-26 01:47 . 2012-03-06 23:04 337240 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-26 01:47 . 2012-03-06 23:02 53080 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2012-03-26 01:47 . 2012-03-06 23:01 59224 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-26 01:47 . 2012-03-06 23:04 819032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-26 01:47 . 2012-03-06 23:15 258520 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-26 01:47 . 2012-03-06 23:01 69976 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-03-26 01:46 . 2012-03-06 23:15 41184 ----a-w- c:\windows\avastSS.scr
2012-03-26 01:46 . 2012-03-06 23:15 201352 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-03-26 01:46 . 2012-03-26 01:46 -------- d-----w- c:\programdata\AVAST Software
2012-03-26 01:46 . 2012-03-26 01:46 -------- d-----w- c:\program files\AVAST Software
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-26 21:05 . 2010-06-01 18:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2009-04-08 14:31 . 2009-04-08 14:31 106496 ----a-w- c:\program files (x86)\Common Files\CPInstallAction.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2010-04-08 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2010-04-08 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-03-26_01.14.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2012-04-05 23:38 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
- 2009-07-14 04:54 . 2012-03-25 22:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
+ 2009-07-14 04:54 . 2012-04-05 23:38 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-25 22:49 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-25 22:49 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-05 23:38 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
+ 2009-10-06 00:29 . 2012-04-05 23:40 67546 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-05 11:07 49642 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-10-06 00:15 . 2012-04-05 11:07 15750 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2867500651-1516734084-2197057008-1001_UserData.bin
+ 2010-05-13 01:04 . 2010-04-24 09:00 28672 c:\windows\system32\spool\prtprocs\x64\1_CNMPD9W.DLL
- 2009-10-06 03:07 . 2012-03-06 14:01 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
+ 2009-10-06 03:07 . 2012-04-03 12:53 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\ Cookies\index.dat
- 2009-10-06 03:07 . 2012-03-06 14:01 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
+ 2009-10-06 03:07 . 2012-04-03 12:53 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Te mporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-03 12:53 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-06 14:01 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Hi story\History.IE5\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows \Cookies\index.dat
+ 2009-10-06 00:12 . 2012-04-05 23:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows \Cookies\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\T emporary Internet Files\Content.IE5\index.dat
+ 2009-10-06 00:12 . 2012-04-05 23:40 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\T emporary Internet Files\Content.IE5\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\H istory\History.IE5\index.dat
+ 2009-10-06 00:12 . 2012-04-05 23:40 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\H istory\History.IE5\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\C ookies\index.dat
+ 2009-10-06 00:12 . 2012-04-05 23:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\C ookies\index.dat
+ 2009-10-06 00:12 . 2012-04-05 23:40 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\His tory\History.IE5\index.dat
- 2009-10-06 00:12 . 2012-03-26 01:15 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\His tory\History.IE5\index.dat
- 2012-03-26 01:14 . 2012-03-26 01:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-05 23:38 . 2012-04-05 23:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-26 01:14 . 2012-03-26 01:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-04-05 23:38 . 2012-04-05 23:38 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-12-13 00:47 . 2012-03-26 02:25 277808 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2009-10-07 03:54 . 2012-04-03 16:31 356438 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-08-03 17:13 . 2012-03-18 21:07 732750 c:\windows\system32\perfh019.dat
+ 2009-08-03 17:13 . 2012-04-01 19:05 732750 c:\windows\system32\perfh019.dat
- 2009-07-14 02:36 . 2012-03-18 21:07 670178 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-01 19:05 670178 c:\windows\system32\perfh009.dat
+ 2009-08-03 17:13 . 2012-04-01 19:05 154362 c:\windows\system32\perfc019.dat
- 2009-08-03 17:13 . 2012-03-18 21:07 154362 c:\windows\system32\perfc019.dat
+ 2009-07-14 02:36 . 2012-04-01 19:05 125322 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-03-18 21:07 125322 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2012-04-05 23:37 401520 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-03-26 01:13 401520 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 02:34 . 2012-03-15 13:15 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2012-03-31 18:38 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2011-02-06 04:55 . 2012-04-05 23:37 29719066 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2867500651-1516734084-2197057008-1001-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\ex plorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 21:08 143360 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x86\OverlayIconShlExt1.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SacReminderHDDV2N"="c:\programdata\OfficeGuardianV2N\reminder\SacReminder. exe" [2010-11-18 862032]
"chromium"="c:\users\Lyn\AppData\Local\Google\Chrome\Application\chrome.exe " [2012-03-27 1224176]
"MyTomTomSA.exe"="c:\program files (x86)\MyTomTom 3\MyTomTomSA.exe" [2011-11-14 435672]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ru n]
"DirectConsole2"="c:\program files (x86)\ASUS\Direct Console\Direct Console.exe" [2009-04-07 2861624]
"HControlUser"="c:\program files (x86)\ASUS\ATK Hotkey\HControlUser.exe" [2008-08-18 98304]
"ATKMEDIA"="c:\program files (x86)\ASUS\ATK Media\DMedia.exe" [2009-04-07 159744]
"ATKOSD2"="c:\program files (x86)\ASUS\ATKOSD2\ATKOSD2.exe" [2009-03-04 8392704]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Turbo Gear Help"="c:\program files (x86)\ASUS\Turbo Gear Extreme\GearHelp.exe" [2009-08-06 1026048]
"Turbo Gear"="c:\program files (x86)\ASUS\Turbo Gear Extreme\TurboGear.exe" [2009-08-06 2987520]
"Salmosa"="c:\program files (x86)\Razer\Salmosa\razerhid.exe" [2008-08-21 139264]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\users\Lyn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2010-9-15 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe [2009-12-15 25832]
R3 EST_Server;Network USB Device;c:\windows\system32\DRIVERS\GenHC.sys [x]
R3 ipswuio;ipswuio;c:\windows\system32\DRIVERS\ipswuio.sys [x]
S0 lullaby;lullaby;c:\windows\system32\DRIVERS\lullaby.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 EIO64;EIO Driver;c:\windows\system32\DRIVERS\EIO64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AFBAgent;AFBAgent;c:\windows\system32\FBAgent.exe [x]
S2 ASMMAP64;ASMMAP64;c:\program files\ATKGFNEX\ASMMAP64.sys [2007-07-24 14904]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 CFUACProxy_officeguardianv2n;CFUACProxy_officeguardianv2n;c:\programdata\Of ficeGuardianV2N\UACProxy.exe [2010-11-18 83792]
S2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x64.sys [x]
S2 NPWService;NPWService;c:\program files (x86)\Generic\Network Printer Wizard\NPWService.exe [2009-01-15 788480]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-04-08 2218600]
S2 SacNetAgentService_C57C4F854F53;SacNetAgentService_C57C4F854F53;c:\programd ata\OfficeGuardianV2N\Reminder\SacNetAgent.exe [2010-11-18 163664]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-04-08 378472]
S2 WBVGAservice;WB VGA Service;c:\program files (x86)\ASUS\Turbo Gear Enhanced VGA Driver\WBVGAservice.exe [2009-02-06 72248]
S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [x]
S3 EST_BusEnum;Network USB Device Bus;c:\windows\system32\DRIVERS\GenBus.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 salmosa;Razer Salmosa;c:\windows\system32\drivers\salmosa.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2867500651-1516734084-2197057008-1001Core.job
- c:\users\Lyn\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-18 15:59]
.
2012-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2867500651-1516734084-2197057008-1001UA.job
- c:\users\Lyn\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-18 15:59]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-01 20:52 159744 ----a-w- c:\program files (x86)\ASUS\ASUS Data Security Manager\ShlExt\x64\OverlayIconShlExt1_64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-04-20 1833504]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-24 2184520]
"CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Lyn\AppData\Roaming\Mozilla\Firefox\Profiles\d5d88x05.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2867500651-1516734084-2197057008-1001\Software\SecuROM\License information*]
"datasecu"=hex:7f,43,c7,10,e5,e7,73,fc,6a,5d,61,48,76,5a,80,1a,2c,03,81,57, ec,
57,f4,3d,3b,a3,47,dc,32,a3,33,5a,bf,b1,29,ad,e5,66,f6,50,96,de,92,ca,a5,17, \
"rkeysecu"=hex:de,c7,f0,77,cc,44,e2,a7,6d,05,f1,c1,86,cd,a4,c6
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_Ac tiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
c:\program files\ATKGFNEX\GFNEXSrv.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\ASUS\Net4Switch\Net4Switch.exe
c:\program files (x86)\ASUS\SmartLogon\sensorsrv.exe
c:\program files (x86)\ASUS\ATK Hotkey\HControl.exe
c:\program files (x86)\ASUS\ATK Hotkey\Atouch64.exe
c:\program files (x86)\ASUS\Turbo Gear Enhanced VGA Driver\wbctlvga.exe
c:\program files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
c:\program files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
c:\program files (x86)\ASUS\ATK Hotkey\WDC.exe
c:\program files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
c:\program files (x86)\ASUS\NB Probe\SPM\spmgr.exe
c:\program files (x86)\Razer\Salmosa\razertra.exe
c:\program files (x86)\Razer\Salmosa\razerofa.exe
c:\program files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
.
**************************************************************************
.
Completion time: 2012-04-05 19:56:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-05 23:56
ComboFix2.txt 2012-03-31 15:32
ComboFix3.txt 2012-03-29 19:58
ComboFix4.txt 2012-03-26 01:21
.
Pre-Run: 145,223,303,168 bytes free
Post-Run: 145,032,863,744 bytes free
.
- - End Of File - - B8F13CCD549066BE423F9B490F3D3B42

Deejay100six · 07-Apr-2012, 09:26 AM **#26**

Hi,

It looks like you didn't manage to disable Defender. Did you have problems?

Your Internet Explorer is out of date. Even if you don't use the browser, it is very important that you have the latest version.
Go here and download and install Internet Explorer 9.

---------------------------------------------------------------------------------------------------

Your Adobe Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and if you prefer a smaller program you can get Foxit 2.0 here.

There is a newer version of Adobe Reader available.

Please go to this link Adobe Reader Download Link
Untick any program(s) you do not wish to include in the installation.
Click Download Now
Follow all on screen prompts

When the installation is complete go to Add/Remove Programs and uninstall all previous versions.

---------------------------------------------------------------------------------------------------

One more scan to be sure theres nothing lurking.

Go here to run an online scannner from ESET.

Note: For browsers other than Internet Explorer, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic and also let me know how things are now.

Also, please let me know how the system is running now.

tanusgreystar · 07-Apr-2012, 09:48 AM **#27**

Hi, I'm running the scan right now. I was unable to update IE through that link. It says I have the wrong version of Windows?? Also, when going to the site to the online scan, this page came up which comes up a lot when trying to visit web pages:

http://63.209.69.107/search/web/onli...44561-24645/v5

I'll post the txt file when finished. Thanks!

Deejay100six · 07-Apr-2012, 01:13 PM **#28**

Quote:

Originally Posted by tanusgreystar

Hi, I'm running the scan right now. I was unable to update IE through that link. It says I have the wrong version of Windows??

Apologies, I forgot you are running 64bit.

The correct link >> http://www.microsoft.com/download/en...ng=en&id=23332

Regarding the redirecting, do you have a router? If you do, please let me know what make/model in your next post.

tanusgreystar · 07-Apr-2012, 02:32 PM **#29**

C:\Qoobox\Quarantine\C\Program Files (x86)\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application
C:\Users\Lyn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\58630b2b-4f2203ce Java/TrojanDownloader.OpenStream.NCM trojan
C:\Users\Lyn\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\43\6bb753eb-5a6923a2 Java/Agent.DR trojan
C:\Users\Lyn\Downloads\SoftonicDownloader_for_adobe-flash-player.exe a variant of Win32/SoftonicDownloader.A application
C:\Users\Lyn\Downloads\SoftonicDownloader_for_openpaint(2).exe a variant of Win32/SoftonicDownloader.A application
C:\Users\Lyn\Downloads\SoftonicDownloader_for_openpaint.exe a variant of Win32/SoftonicDownloader.A application
C:\Users\Lyn\Downloads\SoftonicDownloader_for_paint-net.exe a variant of Win32/SoftonicDownloader.A application
C:\Users\Lyn\Downloads\SoftonicDownloader_for_photofiltre.exe a variant of Win32/SoftonicDownloader.A application

I have a Linksys E1000

Deejay100six · 10:29 PM

Hi,

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Code:

ClearJavaCache::

http://forums.techguy.org/virus-other-malware-removal/1042798-browser-redirect.html

suspect::[71]
C:\Users\Lyn\Downloads\SoftonicDownloader_for_adobe-flash-player.exe
C:\Users\Lyn\Downloads\SoftonicDownloader_for_openpaint(2).exe
C:\Users\Lyn\Downloads\SoftonicDownloader_for_openpaint.exe
C:\Users\Lyn\Downloads\SoftonicDownloader_for_paint-net.exe
C:\Users\Lyn\Downloads\SoftonicDownloader_for_photofiltre.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

Very Important! --> If you receive a prompt saying there is an updated version of ComboFix available, please allow it to update.

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

----------------------------------------------------------------------------------

Softonic Downloader is obviously downloading files from dubious sources. I would advise you to cease using it. I actually struggled to find negative feedback about this but I did find some interesting reading here.

I believe Microsoft Windows is perfectly capable of downloading software without the help of these so called download managers. I'm not sure how it is installed as I don't see anything in your logs so if you agree that you'd rather remove it, I need you to run this small tool.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the contents of the following codebox into the main textfield:
Code:
```
:filefind
**softonic**
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

---------------------------------------------------------------------------------

As I said earlier, if you are still having redirect issues, it may be that your router has been hijacked so we need to reset it to factory defaults.

This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
If you don’t know the router's default password, you can look it up. HERE
You also need to reconfigure any security settings you had in place prior to the reset.
You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Let me know if you are still being redirected.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Solved: Browser Redirect

Find the solution to your computer problem!

Find the solution to your
computer problem!