
Minor virus issues

This is a discussion on Minor virus issues within the Resolved HJT Threads forums, part of the Tech Support Forum category.


Old 03-14-2013, 11:20 PM   #1
Registered Member
 
Join Date: Apr 2010
Posts: 78
OS: Windows XP



My mom accidentally clicked on some pop-ups and her computer got infected. At first I couldn't even get online, but after running rkill (I have the log ready if requested), I could, but I could still see the fake anti-virus programs' icons. Anyways, I did a system restore to see if that would work, but it didn't.

Right now there aren't many symptoms, only that my homepage isn't what I assign it to be. I don't even see the fake anti-virus programs anymore, but here are the logs required anyways.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 7.0.6001.18639 BrowserJavaVersion: 10.17.2
Run by buibui at 19:34:09 on 2013-03-14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4094.2596 [GMT -7:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Steam\steam.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Ask.com\Updater\Updater.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\buibui\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\buibui\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\buibui\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\buibui\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\buibui\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\buibui\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
mWinlogon: Userinit = userinit.exe
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [Google Update] "C:\Users\buibui\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{2BEBF449-D8D4-488A-A42D-E834DE74EE3F} : DHCPNameServer = 192.168.1.1
LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg
x64-Run: [Windows Defender] C:\Program Files (x86)\Windows Defender\MSASCui.exe -hide
x64-mPolicies-Explorer: NoActiveDesktop = dword:1
x64-mPolicies-Explorer: NoActiveDesktopChanges = dword:1
x64-mPolicies-System: EnableUIADesktopToggle = dword:0
.
============= SERVICES / DRIVERS ===============
.
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 HCW85BDA;Hauppauge WinTV 885 Video Capture;C:\Windows\System32\drivers\HCW85BDA.sys [2009-7-14 1708800]
S3 hcw85cir;Hauppauge Consumer IR 3;C:\Windows\System32\drivers\hcw85cir3.sys [2009-7-14 32768]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2012-6-28 93184]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2013-03-10 21:49:33 95648 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-10 21:49:32 861088 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2013-03-10 21:49:32 782240 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-03-10 21:49:32 262560 ----a-w- C:\Windows\SysWow64\javaws.exe
2013-03-10 21:49:32 174496 ----a-w- C:\Windows\SysWow64\javaw.exe
2013-03-10 21:49:32 174496 ----a-w- C:\Windows\SysWow64\java.exe
2013-03-02 05:16:38 71024 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-02 05:16:38 691568 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-02-13 22:01:36 70004024 ----a-w- C:\Windows\System32\mrt.exe
2013-01-17 09:28:58 273840 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 19:35:41.14 ===============

I attached ark as a print screen of the finished scan because I couldn't save it, and when I copied and pasted it, it looked fine, but when I tried to reopen it, it came out all cryptic. Thank you for the help. I'm running Windows XP and don't have access to reinstallation CDs.

Attached Thumbnails: ark.JPG (76.4 KB)
Attached Files: attach.txt (2.5 KB)

__________________
beancurd89 is offline  
Old 03-18-2013, 10:52 AM   #2
Registered Member
 
Join Date: Apr 2010
Posts: 78
OS: Windows XP



bump, please.

__________________
beancurd89 is offline  
Old 03-18-2013, 09:41 PM   #3
Security Team
Analyst
 
Piper's Avatar
 
Join Date: Jun 2010
Location: California
Posts: 972
OS: Windows XP Service Pack 3



Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.
__________________
Piper is offline  
Old 03-19-2013, 12:20 PM   #4
Security Team
Analyst
 
Piper's Avatar
 
Join Date: Jun 2010
Location: California
Posts: 972
OS: Windows XP Service Pack 3



Thank you for your patience while I was reviewing your logs.

To help make this fix go as smoothly as possible, please do not run any scans, use any tools, or install/uninstall any applications unless requested.

Even if your symptoms seem to disappear at some point during this fix, please stay with me until I confirm the infection is gone. An infection could still be present on your system even if there are no obvious signs.

Please be patient with me during the course of this fix, as it will likely require multiple steps to completely remove your infection.

During this process, read each of my posts carefully before you continue. If you have any questions about any of the instructions I give you, please ask them before you begin.

Also please note that this forum is very busy; if I don't hear back from you within three days, this thread will be closed.

---------------------

You said you have an rkill log ready; please do include it in your next post so I can have a look.

---------------------
  • Please download ComboFix and Save it to your Desktop.
***It is very important that you save ComboFix directly to your Desktop.***
  • Close any open programs, including your browser(s). If you have any antivirus or antispyware programs installed, please disable them before you continue, as they may interfere with the running of ComboFix. If you need any help with this, please refer to our sticky topic How to disable your security applications.
  • Double click ComboFix.exe and follow the prompts.
  • NOTE:
    Do not mouse-click ComboFix's window while it is running. Doing so may cause it to stall.
  • Please do not worry if your Desktop goes blank while running ComboFix. This is normal. Your computer may reboot; this is also normal.
  • When ComboFix is finished, it will produce a log. Please post that log in your next reply.
  • After ComboFix is completely finished, remember to re-enable your antivirus and antispyware programs.
__________________
Piper is offline  
Old 03-19-2013, 07:31 PM   #5
Registered Member
 
Join Date: Apr 2010
Posts: 78
OS: Windows XP



ComboFix 13-03-19.01 - buibui 03/19/2013 19:17:34.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4094.2845 [GMT -7:00]
Running from: c:\users\buibui\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-02-20 to 2013-03-20 )))))))))))))))))))))))))))))))
.
.
2013-03-20 02:24 . 2013-03-20 02:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-20 02:24 . 2013-03-20 02:24 -------- d-----w- c:\users\buibui\AppData\Local\temp
2013-03-19 17:15 . 2013-02-08 00:28 9162192 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C767D9F6-3245-4654-BC27-19302C8CB1B7}\mpengine.dll
2013-03-14 00:37 . 2013-03-14 00:47 -------- d-----w- c:\users\buibui\AppData\Local\Smartbar
2013-03-14 00:36 . 2013-03-14 00:36 -------- d-----w- c:\program files (x86)\DefaultTab
2013-03-14 00:36 . 2013-03-14 00:36 -------- d-----w- c:\program files (x86)\OApps
2013-03-14 00:36 . 2013-03-14 00:36 -------- d-----w- c:\users\buibui\AppData\Local\SwvUpdater
2013-03-14 00:31 . 2013-03-14 00:31 -------- d-----w- c:\users\buibui\AppData\Roaming\SkypeTalking
2013-03-14 00:30 . 2013-03-14 00:41 -------- d-----w- c:\program files (x86)\SkypeTalking
2013-03-14 00:29 . 2013-03-14 00:29 -------- d-----w- c:\program files (x86)\24x7Help
2013-03-14 00:29 . 2013-03-14 00:34 -------- d-----w- c:\users\buibui\AppData\Roaming\PCFixSpeed
2013-03-14 00:29 . 2013-03-14 00:30 -------- d-----w- c:\programdata\PCFixSpeed
2013-03-14 00:29 . 2013-03-14 00:29 -------- d-----w- c:\program files (x86)\PCFixSpeed
2013-03-14 00:29 . 2013-03-14 00:29 -------- d-----w- c:\users\buibui\AppData\Local\Solid Savings
2013-03-14 00:28 . 2013-03-14 00:29 -------- d-----w- c:\program files (x86)\Solid Savings
2013-03-14 00:28 . 2013-03-14 00:28 -------- d-----w- c:\users\AppData
2013-03-14 00:27 . 2013-03-14 00:27 -------- d-----w- c:\program files (x86)\MixiDJ_V1
2013-03-14 00:27 . 2013-03-15 02:24 -------- d-----w- c:\program files (x86)\SearchProtect
2013-03-14 00:27 . 2013-03-14 00:27 -------- d-----w- c:\users\buibui\AppData\Roaming\SearchProtect
2013-03-14 00:27 . 2013-03-14 00:27 -------- d-----w- c:\users\buibui\AppData\Local\CRE
2013-03-10 22:22 . 2013-03-10 22:22 -------- d-----w- c:\program files (x86)\HP
2013-03-10 22:21 . 2013-03-10 22:21 -------- d-----w- c:\programdata\HP
2013-03-10 22:15 . 2013-03-15 02:08 -------- d-----w- C:\f50f9bf690af783e1b1fc2a06bc0
2013-03-10 22:00 . 2013-03-10 22:00 -------- d-----w- c:\users\buibui\AppData\Local\APN
2013-03-10 22:00 . 2013-03-10 22:00 -------- d-----w- c:\program files (x86)\Ask.com
2013-03-10 22:00 . 2013-03-10 22:00 -------- d-----w- C:\Firefox
2013-03-10 21:50 . 2013-03-10 21:50 -------- d-----w- c:\programdata\Ask
2013-03-10 21:50 . 2013-03-10 21:50 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-03-10 21:49 . 2013-03-10 21:49 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-10 21:49 . 2013-03-10 21:49 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-10 21:49 . 2013-03-10 21:49 -------- d-----w- c:\program files (x86)\Java
2013-03-10 21:48 . 2013-03-10 21:48 -------- d-----w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-15 04:16 . 2012-07-22 08:23 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-15 04:16 . 2012-07-22 08:23 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-10 21:49 . 2012-07-18 11:57 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-02-13 22:01 . 2006-11-02 12:35 70004024 ----a-w- c:\windows\system32\mrt.exe
2013-01-17 08:28 . 2012-06-29 04:26 273840 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2013-02-08 1520776]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2013-02-08 21:55 1520776 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-12-09 01:11 194848 ----a-w- c:\program files (x86)\Yontoo\YontooIEClient.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2013-02-08 1520776]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-03-16 1632680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"ApnUpdater"="c:\program files (x86)\Ask.com\Updater\Updater.exe" [2013-02-08 1644680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-22 04:16]
.
2013-03-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351686954-2765394444-4087732683-1000Core.job
- c:\users\buibui\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-30 19:06]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351686954-2765394444-4087732683-1000UA.job
- c:\users\buibui\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-30 19:06]
.
2012-12-02 c:\windows\Tasks\User_Feed_Synchronization-{3D979ED0-54D6-4721-9A93-5B6593C819CA}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:50]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2013-03-19 19:26:43
ComboFix-quarantined-files.txt 2013-03-20 02:26
.
Pre-Run: 342,307,262,464 bytes free
Post-Run: 342,986,190,848 bytes free
.
- - End Of File - - 33A2E5A92FEBC5E5F13A8D2F0FD9A973

Rkill log:
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as buibui on 03/14/2013 at 18:44:53.


Processes terminated by Rkill or while it was running:


C:\Users\buibui\AppData\Roaming\SearchProtect\bin\cltmng.exe
C:\Users\buibui\AppData\Local\Smartbar\Application\QuickShare.exe
C:\Users\buibui\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\buibui\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe


Rkill completed on 03/14/2013 at 18:44:56.

Thanks for the help!
__________________
beancurd89 is offline  
Old 03-22-2013, 07:08 AM   #6
Security Team
Analyst
 
Piper's Avatar
 
Join Date: Jun 2010
Location: California
Posts: 972
OS: Windows XP Service Pack 3



Hello again! Thank you for those logs.
  • Please go to Start -> Control Panel -> Programs -> Programs and Features.
  • Look for the following in the list of installed programs; if they are present, uninstall them one at a time by selecting them and clicking Uninstall:
    • Ask Toolbar
    • Ask Toolbar Updater
    • Yontoo 1.10.02
---------------------

Next:

Print out or copy this page to Notepad in order to assist you when carrying out the following instructions, as you will not be able to view this page during the fix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Folder::
C:\Program Files (x86)\Ask.com
c:\programdata\Ask
C:\Program Files (x86)\Yontoo
c:\users\buibui\AppData\Local\Smartbar
c:\program files (x86)\DefaultTab
C:\Users\buibui\AppData\Roaming\DefaultTab
c:\program files (x86)\OApps
c:\users\buibui\AppData\Local\SwvUpdater
c:\program files (x86)\24x7Help
c:\users\buibui\AppData\Roaming\PCFixSpeed
c:\programdata\PCFixSpeed
c:\program files (x86)\PCFixSpeed
c:\users\buibui\AppData\Local\Solid Savings
c:\program files (x86)\Solid Savings
c:\program files (x86)\MixiDJ_V1
c:\program files (x86)\SearchProtect
c:\users\buibui\AppData\Roaming\SearchProtect

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"=-

[-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

[-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]

[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]

[-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]

[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ApnUpdater"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"=-

DirLook::
c:\users\buibui\AppData\Local\CRE
c:\users\buibui\AppData\Local\APN

Save this as CFScript.txt, in the same location as ComboFix.exe

(image: CFScript.txt being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript into ComboFix.exe.

ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
__________________
Piper is offline  
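The CFScript above was written by hand from the DDS and ComboFix logs: every `Folder::` entry is a directory that a hijack entry pointed into, and every `Registry::` entry removes the BHO, toolbar, URLSearchHook or Run value that loaded a module from one of those directories. The script below is an added example (not part of this thread, DDS or ComboFix) that automates that triage step: it parses the "Pseudo HJT Report" line formats seen in post #1, flags entries whose vendor directory is on a watchlist, and emits a CFScript skeleton in the same `Folder::` / `[-KEY]` / `"value"=-` syntax Piper used, for the analyst to review before use. The watchlist and the registry-key table are assumptions built only from names that appear in this thread; the sample log lines are copied from the DDS output above, with a Java BHO kept as a benign control.

```python
"""Triage helper for DDS 'Pseudo HJT Report' lines (example code for this thread).

Parses BHO / TB / URLSearchHook / Run entries, flags those whose module lives in
a directory on a watchlist, and emits a ComboFix CFScript skeleton for review.
Not part of DDS or ComboFix; the watchlist and key table are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Sample input: lines taken from the DDS log in post #1 (the Java helper is a
# benign control that must not be flagged).
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Yontoo: {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
mRun: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
"""

# Constructed watchlist: vendor directory names seen in this thread's logs.
# A real deployment would take this from a maintained PUP/adware list.
WATCHLIST = {"ask.com", "yontoo", "smartbar", "searchprotect", "defaulttab"}

# Registry key each DDS entry kind lives under (as shown in the ComboFix log
# above). "~" is ComboFix's own shorthand for Microsoft\Windows\CurrentVersion\Explorer.
REG_KEY = {
    "BHO": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects",
    "TB": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar",
    "uURLSearchHooks": r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks",
    "mRun": r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    "uRun": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}

# "KIND: display name: {CLSID} - path"  and  'KIND: [name] "path" args'
COM_RE = re.compile(r"^(BHO|TB|uURLSearchHooks): (.+?): (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
RUN_RE = re.compile(r'^(uRun|mRun): \[([^\]]+)\] "?([^"]+?\.exe)"?(?:\s.*)?$')


def parse_hjt_line(line):
    """Return {'kind', 'name', 'ident', 'path'} for a recognised entry, else None."""
    m = COM_RE.match(line)
    if m:
        kind, name, clsid, path = m.groups()
        return {"kind": kind, "name": name, "ident": clsid, "path": path}
    m = RUN_RE.match(line)
    if m:
        kind, name, path = m.groups()
        return {"kind": kind, "name": name, "ident": name, "path": path}
    return None


def vendor_dir(path):
    """First directory below Program Files / Program Files (x86) / AppData\\Local|Roaming."""
    parts = PureWindowsPath(path).parts
    lower = [p.lower() for p in parts]
    for root in ("program files (x86)", "program files", "local", "roaming"):
        if root in lower:
            i = lower.index(root)
            if i + 1 < len(parts) - 1:  # a directory exists between root and the file
                return PureWindowsPath(*parts[: i + 2])
    return None


def triage(log_text, watchlist=WATCHLIST):
    """Keep entries whose vendor directory is on the watchlist, annotated with that folder."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line.strip())
        if entry is None:
            continue
        vdir = vendor_dir(entry["path"])
        if vdir is not None and vdir.name.lower() in watchlist:
            entry["folder"] = str(vdir)
            findings.append(entry)
    return findings


def build_cfscript(findings):
    """Emit Folder:: and Registry:: sections in the syntax used in this thread:
    [-KEY] deletes a whole key, "value"=- deletes one value under KEY."""
    folders = sorted({f["folder"] for f in findings})
    reg = set()
    for f in findings:
        kind, ident = f["kind"], f["ident"]
        if kind == "BHO":
            reg.add(f"[-{REG_KEY[kind]}\\{ident}]")
        else:
            reg.add(f"[{REG_KEY[kind]}]\n\"{ident}\"=-")
        if kind != "mRun" and kind != "uRun":  # also drop the COM class registration
            reg.add(f"[-HKEY_CLASSES_ROOT\\clsid\\{ident}]")
    return ("Folder::\n" + "\n".join(folders) + "\n\nRegistry::\n"
            + "\n\n".join(sorted(reg)) + "\n")


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

The output is a starting point, not a finished script: an analyst still checks each flagged folder against the "Files Created" section of the ComboFix log (which is where Smartbar, SearchProtect and DefaultTab showed up without any HJT entry) and adds `DirLook::` lines for directories that need inspection rather than deletion.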
Old 03-22-2013, 11:52 AM   #7
Registered Member
 
Join Date: Apr 2010
Posts: 78
OS: Windows XP



Combofix log:
ComboFix 13-03-21.02 - buibui 03/22/2013 11:39:06.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4094.2510 [GMT -7:00]
Running from: c:\users\buibui\Desktop\ComboFix.exe
Command switches used :: c:\users\buibui\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\24x7Help
c:\program files (x86)\24x7Help\unins000.dat
c:\program files (x86)\24x7Help\unins000.msg
c:\program files (x86)\Ask.com
c:\program files (x86)\Ask.com\assets\oobe\b.png
c:\program files (x86)\Ask.com\assets\oobe\bl.png
c:\program files (x86)\Ask.com\assets\oobe\br.png
c:\program files (x86)\Ask.com\assets\oobe\l.png
c:\program files (x86)\Ask.com\assets\oobe\pointer.png
c:\program files (x86)\Ask.com\assets\oobe\r.png
c:\program files (x86)\Ask.com\assets\oobe\t.png
c:\program files (x86)\Ask.com\assets\oobe\tl.png
c:\program files (x86)\Ask.com\assets\oobe\tr.png
c:\program files (x86)\Ask.com\cobrand.ico
c:\program files (x86)\Ask.com\config.xml
c:\program files (x86)\Ask.com\favicon.ico
c:\program files (x86)\Ask.com\GenericAskToolbar.dll
c:\program files (x86)\Ask.com\mupcfg.xml
c:\program files (x86)\Ask.com\precache.exe
c:\program files (x86)\Ask.com\SaUpdate.exe
c:\program files (x86)\Ask.com\Updater\config.xml
c:\program files (x86)\Ask.com\Updater\Updater.exe
c:\program files (x86)\Ask.com\UpdateTask.exe
c:\program files (x86)\DefaultTab
c:\program files (x86)\DefaultTab\DefaultTab.crx
c:\program files (x86)\DefaultTab\uid
c:\program files (x86)\MixiDJ_V1
c:\program files (x86)\MixiDJ_V1\GottenAppsContextMenu.xml
c:\program files (x86)\MixiDJ_V1\OtherAppsContextMenu.xml
c:\program files (x86)\MixiDJ_V1\SharedAppsContextMenu.xml
c:\program files (x86)\MixiDJ_V1\ToolbarContextMenu.xml
c:\program files (x86)\OApps
c:\program files (x86)\OApps\status.txt
c:\program files (x86)\OApps\status2.txt
c:\program files (x86)\OApps\status4.txt
c:\program files (x86)\PCFixSpeed
c:\program files (x86)\PCFixSpeed\unins000.dat
c:\program files (x86)\PCFixSpeed\unins000.msg
c:\program files (x86)\SearchProtect
c:\program files (x86)\SearchProtect\Dialogs\spbd\bubble.css
c:\program files (x86)\SearchProtect\Dialogs\spbd\images\information.png
c:\program files (x86)\SearchProtect\Dialogs\spbd\images\x-default-LTR.png
c:\program files (x86)\SearchProtect\Dialogs\spbd\images\x-default-RTL.png
c:\program files (x86)\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\program files (x86)\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\program files (x86)\SearchProtect\Dialogs\spbd\main.html
c:\program files (x86)\SearchProtect\Dialogs\spsd\images\ok-button.png
c:\program files (x86)\SearchProtect\Dialogs\spsd\images\separation-line.png
c:\program files (x86)\SearchProtect\Dialogs\spsd\images\warning.png
c:\program files (x86)\SearchProtect\Dialogs\spsd\main.html
c:\program files (x86)\SearchProtect\Dialogs\spsd\SearchProtector.css
c:\program files (x86)\Solid Savings
c:\program files (x86)\Solid Savings\background.html
c:\program files (x86)\Solid Savings\Installer.log
c:\program files (x86)\Yontoo
c:\program files (x86)\Yontoo\YontooIEClient.dll
c:\programdata\Ask
c:\programdata\PCFixSpeed
c:\programdata\PCFixSpeed\addons.xml
c:\users\buibui\AppData\Local\Smartbar
c:\users\buibui\AppData\Local\Smartbar\Application\0Extension.crx
c:\users\buibui\AppData\Local\Smartbar\Application\1Extension.crx
c:\users\buibui\AppData\Local\Smartbar\Application\Configs\QueryParameters.xml
c:\users\buibui\AppData\Local\Smartbar\Application\Configs\XmlSideBySideProtocol.xml
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\FirefoxExtensionMain.css
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\FirefoxExtensionMain.xul
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\down-1.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\down-2.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\down-3.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\down.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\fb.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\fblike.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\gmail.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\googleplus.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\hide-1.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\hide-2.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\hide-3.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\left.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\maximize-1.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\maximize-2.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\maximize-3.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\mgsplusvideo.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\minimize-1.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\minimize-2.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\minimize-3.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\pinit.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\right.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\show-1.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\show-2.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\show-3.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\twitter.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\up-1.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\up-2.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\up-3.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\images\up.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\PublisherImages\QuickShare.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\PublisherImages\QuickShare128.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\chrome\PublisherImages\QuickShare16.png
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\components\ISmartbarFireFoxRemotePlugin.xpt
c:\users\buibui\AppData\Local\Smartbar\Application\helperbar@helperbar.com\install.rdf
c:\users\buibui\AppData\Local\Smartbar\Application\IEButton.png
c:\users\buibui\AppData\Local\Smartbar\Common\Configs\UserInfo.xml
c:\users\buibui\AppData\Local\Smartbar\Common\icons\00659FA4-2CAD-45fc-A8A0-DB7862840BA9.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\00659FA4-2CAD-45fc-A8A0-DB7862840BA9hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\00659FA4-2CAD-45fc-A8A0-DB7862840BA9press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\07a9a58b-c653-4285-a870-1fa70cb6c00c.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\07a9a58b-c653-4285-a870-1fa70cb6c00chover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\07a9a58b-c653-4285-a870-1fa70cb6c00cPress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\0E29BC94-7C9B-4A23-B682-81D0D1A806E1.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\0E29BC94-7C9B-4A23-B682-81D0D1A806E1hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\0E29BC94-7C9B-4A23-B682-81D0D1A806E1press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\0FA6F971-16AA-4921-A39F-543C9839CABE.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\0FA6F971-16AA-4921-A39F-543C9839CABEhover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\0FA6F971-16AA-4921-A39F-543C9839CABEpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\1A039A19-BD34-4760-8DE0-E9A8E8AA8827.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\1A039A19-BD34-4760-8DE0-E9A8E8AA8827Ehover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\1A039A19-BD34-4760-8DE0-E9A8E8AA8827press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133C.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CHover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\372FF78B-6E4B-4B38-8E3F-797B4680FB98.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\372FF78B-6E4B-4B38-8E3F-797B4680FB98hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\372FF78B-6E4B-4B38-8E3F-797B4680FB98press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\39079B96-6DD1-42DE-89E6-76F79C8BB4E4.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\39079B96-6DD1-42DE-89E6-76F79C8BB4E4Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\39079B96-6DD1-42DE-89E6-76F79C8BB4E4Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\3f9ac55c-6db5-4c01-9d34-a92da2347be6.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\3f9ac55c-6db5-4c01-9d34-a92da2347be6hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\3f9ac55c-6db5-4c01-9d34-a92da2347be6press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\4a110a71-0e7e-4552-af6e-3ef88b2d6511.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\4a110a71-0e7e-4552-af6e-3ef88b2d6511Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\4a110a71-0e7e-4552-af6e-3ef88b2d6511Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\5252af60-ef03-41a8-babe-415dba235478.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\5252af60-ef03-41a8-babe-415dba235478Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\5252af60-ef03-41a8-babe-415dba235478Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\536b9063-fc09-4e82-8769-73c77317aae6.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\536b9063-fc09-4e82-8769-73c77317aae6hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\536b9063-fc09-4e82-8769-73c77317aae6press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\5558C4C6-18C1-4AF3-8F8D-0E2CF70D19C8.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\5558C4C6-18C1-4AF3-8F8D-0E2CF70D19C8hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\5558C4C6-18C1-4AF3-8F8D-0E2CF70D19C8press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\56591C8E-DA35-4A97-AC9B-5055E0F7089E.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\56591C8E-DA35-4A97-AC9B-5055E0F7089Ehover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\56591C8E-DA35-4A97-AC9B-5055E0F7089Epress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\5D0A6D97-85F2-47E9-8F04-04A747B25A0E.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\5D0A6D97-85F2-47E9-8F04-04A747B25A0Ehover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\5D0A6D97-85F2-47E9-8F04-04A747B25A0Epress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\5F488FA5-C35B-44A9-A0E4-2C7B41035780.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\5F488FA5-C35B-44A9-A0E4-2C7B41035780hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\5F488FA5-C35B-44A9-A0E4-2C7B41035780press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\65B1A402-FC79-410D-AE1C-AF92E206AC1D.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\65B1A402-FC79-410D-AE1C-AF92E206AC1Dhover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\65B1A402-FC79-410D-AE1C-AF92E206AC1Dpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\69C7DFE3-CDAE-4A22-B753-93ABF8BAE7EC.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\69C7DFE3-CDAE-4A22-B753-93ABF8BAE7EChover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\69C7DFE3-CDAE-4A22-B753-93ABF8BAE7ECpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\708d8b1e-6545-474a-9f07-d854acf8ad43.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\708d8b1e-6545-474a-9f07-d854acf8ad43hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\708d8b1e-6545-474a-9f07-d854acf8ad43press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\72CDFC8C-6F2D-4df8-9811-18C4D682C406.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\72CDFC8C-6F2D-4df8-9811-18C4D682C406hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\72CDFC8C-6F2D-4df8-9811-18C4D682C406press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\7fe83ae9-caef-41f0-aa99-d114c0ce3941.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\7fe83ae9-caef-41f0-aa99-d114c0ce3941hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\7fe83ae9-caef-41f0-aa99-d114c0ce3941press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\8217d395-9ebe-4ebb-807c-38cc911a307f.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\8217d395-9ebe-4ebb-807c-38cc911a307fHover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\8217d395-9ebe-4ebb-807c-38cc911a307fPress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\83B4B6FE-910D-412E-BED4-E3AFA6E5CA61.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\83B4B6FE-910D-412E-BED4-E3AFA6E5CA61hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\83B4B6FE-910D-412E-BED4-E3AFA6E5CA61press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\87442BEF-FD31-405C-A807-650CB7CC8886.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\87442BEF-FD31-405C-A807-650CB7CC8886hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\87442BEF-FD31-405C-A807-650CB7CC8886press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\89582936-094C-4880-B87A-2AF16FC33B2C.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\89582936-094C-4880-B87A-2AF16FC33B2Chover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\89582936-094C-4880-B87A-2AF16FC33B2Cpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\8b3608b1-c2d5-4ad3-a382-33601228c6d3.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\8b3608b1-c2d5-4ad3-a382-33601228c6d3hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\8b3608b1-c2d5-4ad3-a382-33601228c6d3press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\8F4131CE-D4F0-4F08-9102-78C397F3748C.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\8F4131CE-D4F0-4F08-9102-78C397F3748CHover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\8F4131CE-D4F0-4F08-9102-78C397F3748CPress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\90165d32-a3ef-438c-8625-be9b538b6eba.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\90165d32-a3ef-438c-8625-be9b538b6ebaHover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\90165d32-a3ef-438c-8625-be9b538b6ebaPress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\929407CC-7E48-47E0-A9F9-A4A167AC24D1.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\929407CC-7E48-47E0-A9F9-A4A167AC24D1hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\929407CC-7E48-47E0-A9F9-A4A167AC24D1press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\95ae73f0-9799-46fd-bceb-57efcb7f0537.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\95ae73f0-9799-46fd-bceb-57efcb7f0537hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\95ae73f0-9799-46fd-bceb-57efcb7f0537press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\A1F75F5D-1D24-4F7A-9ABC-BDA55E332E67.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\A1F75F5D-1D24-4F7A-9ABC-BDA55E332E67hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\A1F75F5D-1D24-4F7A-9ABC-BDA55E332E67press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\A75C6A50-13B0-4704-AA87-8DD113E31310.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\A75C6A50-13B0-4704-AA87-8DD113E31310hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\A75C6A50-13B0-4704-AA87-8DD113E31310press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\a94e6710-6021-4cdc-82de-1c001238bd8f.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\a94e6710-6021-4cdc-82de-1c001238bd8fHover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\a94e6710-6021-4cdc-82de-1c001238bd8fPress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCB.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBhover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\bbf677d4-d0bc-4a59-be4a-6a6cfd3c6c28.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\bbf677d4-d0bc-4a59-be4a-6a6cfd3c6c28hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\bbf677d4-d0bc-4a59-be4a-6a6cfd3c6c28press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\bc8dcde3-3fd0-4f9b-af5d-15c20f3239ab.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\bc8dcde3-3fd0-4f9b-af5d-15c20f3239abhover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\bc8dcde3-3fd0-4f9b-af5d-15c20f3239abpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\BCE4103A-6273-4E49-8B43-2BDEDA1C91B0.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\BCE4103A-6273-4E49-8B43-2BDEDA1C91B0hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\BCE4103A-6273-4E49-8B43-2BDEDA1C91B0press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\c1546a00-e42d-4ce7-aac5-5353a895f3cf.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\c1546a00-e42d-4ce7-aac5-5353a895f3cfhover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\c1546a00-e42d-4ce7-aac5-5353a895f3cfpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\CE1500FE-6F59-421C-8005-3E137AC051A2.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\CE1500FE-6F59-421C-8005-3E137AC051A2hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\CE1500FE-6F59-421C-8005-3E137AC051A2press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\D2B0680C-17C4-492D-85D7-D4CA3E724D50.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\D2B0680C-17C4-492D-85D7-D4CA3E724D50hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\D2B0680C-17C4-492D-85D7-D4CA3E724D50press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\D469E1BA-B745-45B3-B7EE-378E000E74C8.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\D469E1BA-B745-45B3-B7EE-378E000E74C8Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\D469E1BA-B745-45B3-B7EE-378E000E74C8Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\D5113B95-781C-4737-A26F-3ED3A2CB876F.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\D5113B95-781C-4737-A26F-3ED3A2CB876Fhover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\D5113B95-781C-4737-A26F-3ED3A2CB876Fpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\d65acfc2-6ab9-4b66-84fc-ecc7813e35c1.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\d65acfc2-6ab9-4b66-84fc-ecc7813e35c1Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\d65acfc2-6ab9-4b66-84fc-ecc7813e35c1Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\d65acfc2-6ab9-4b66-84fc-ecc7813e35d0.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\d65acfc2-6ab9-4b66-84fc-ecc7813e35d0Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\d65acfc2-6ab9-4b66-84fc-ecc7813e35d0Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\D8043E67-EBD0-4ABD-A5A4-63CF4DADFC85.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\D8043E67-EBD0-4ABD-A5A4-63CF4DADFC85hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\D8043E67-EBD0-4ABD-A5A4-63CF4DADFC85press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\DBE2517B-67B8-4D8B-A7CC-B66F8FE52D82.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\DBE2517B-67B8-4D8B-A7CC-B66F8FE52D82hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\DBE2517B-67B8-4D8B-A7CC-B66F8FE52D82press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\e2870479-a572-412b-8a8f-5604d19b55cd.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\e2870479-a572-412b-8a8f-5604d19b55cdhover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\e2870479-a572-412b-8a8f-5604d19b55cdpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\E3345571-EEF9-4041-8C24-F7F5A9331C23.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\E3345571-EEF9-4041-8C24-F7F5A9331C23hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\E3345571-EEF9-4041-8C24-F7F5A9331C23press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\e357f164-c5d8-4257-aab2-fe0cad41c12e.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\e357f164-c5d8-4257-aab2-fe0cad41c12ehover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\e357f164-c5d8-4257-aab2-fe0cad41c12epress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\E458493F-867F-4712-A3AF-D9664ED47C19.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\E458493F-867F-4712-A3AF-D9664ED47C19hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\E458493F-867F-4712-A3AF-D9664ED47C19press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\E52BEFE7-6535-439c-B168-A3B105E4212E.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\E52BEFE7-6535-439c-B168-A3B105E4212Ehover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\E52BEFE7-6535-439c-B168-A3B105E4212Epress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\E8584703-6CA5-4351-82CC-09E40938A066.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\E8584703-6CA5-4351-82CC-09E40938A066hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\E8584703-6CA5-4351-82CC-09E40938A066press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\e8967c62-9ea0-4fde-9832-2c10f1d580de.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\e8967c62-9ea0-4fde-9832-2c10f1d580dehover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\e8967c62-9ea0-4fde-9832-2c10f1d580depress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\EA99E20A-FBBA-4197-954B-E2013280A29B.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\EA99E20A-FBBA-4197-954B-E2013280A29Bhover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\EA99E20A-FBBA-4197-954B-E2013280A29Bpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\f7fd4890-7f89-4c73-8ff2-52105657cbb6.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\f7fd4890-7f89-4c73-8ff2-52105657cbb6Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\f7fd4890-7f89-4c73-8ff2-52105657cbb6Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\F84A3FBA-7CF5-4F44-A080-C26C04D0E3BD.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\F84A3FBA-7CF5-4F44-A080-C26C04D0E3BDhover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\F84A3FBA-7CF5-4F44-A080-C26C04D0E3BDpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\fac5189f-f2c7-4eed-bae8-011eca170d7b.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\fac5189f-f2c7-4eed-bae8-011eca170d7bhover.png
c:\users\buibui\AppData\Local\Smartbar\Common\icons\fac5189f-f2c7-4eed-bae8-011eca170d7bpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\00659FA4-2CAD-45fc-A8A0-DB7862840BA9.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\00659FA4-2CAD-45fc-A8A0-DB7862840BA9hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\00659FA4-2CAD-45fc-A8A0-DB7862840BA9press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\07a9a58b-c653-4285-a870-1fa70cb6c00c.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\07a9a58b-c653-4285-a870-1fa70cb6c00chover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\07a9a58b-c653-4285-a870-1fa70cb6c00cpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\0DB19630-EB33-4B18-8357-78FC2687C788.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\0DB19630-EB33-4B18-8357-78FC2687C788hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\0DB19630-EB33-4B18-8357-78FC2687C788press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\0E29BC94-7C9B-4A23-B682-81D0D1A806E1.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\0E29BC94-7C9B-4A23-B682-81D0D1A806E1hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\0E29BC94-7C9B-4A23-B682-81D0D1A806E1press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\0FA6F971-16AA-4921-A39F-543C9839CABE.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\0FA6F971-16AA-4921-A39F-543C9839CABEhover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\0FA6F971-16AA-4921-A39F-543C9839CABEpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\139D15A7-C5E1-4C5E-ABF2-484DBE081313.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\139D15A7-C5E1-4C5E-ABF2-484DBE081313hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\139D15A7-C5E1-4C5E-ABF2-484DBE081313press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\139D15A7-C5E1-4C5E-ABF2-484DBE08E613.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\139D15A7-C5E1-4C5E-ABF2-484DBE08E613hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\139D15A7-C5E1-4C5E-ABF2-484DBE08E613press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\139D15A7-C5E1-4C5E-ABF2-484DBE131313.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\139D15A7-C5E1-4C5E-ABF2-484DBE131313hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\139D15A7-C5E1-4C5E-ABF2-484DBE131313press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\1A039A19-BD34-4760-8DE0-E9A8E8AA8827.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\1A039A19-BD34-4760-8DE0-E9A8E8AA8827hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\1A039A19-BD34-4760-8DE0-E9A8E8AA8827press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\2141A104-423C-43EF-A27A-CA0DADB7B9BC.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\2141A104-423C-43EF-A27A-CA0DADB7B9BChover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\2141A104-423C-43EF-A27A-CA0DADB7B9BCpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\28E2C7BC-F857-44D5-A42F-7DD66FAB5EE6.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\28E2C7BC-F857-44D5-A42F-7DD66FAB5EE6hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\28E2C7BC-F857-44D5-A42F-7DD66FAB5EE6press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\30DEBC8A-1CC6-4480-B3E5-C55E214043A8.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\30DEBC8A-1CC6-4480-B3E5-C55E214043A8Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\30DEBC8A-1CC6-4480-B3E5-C55E214043A8Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\30DFF8F0-BA79-4360-A3EA-51B6D006133C.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\30DFF8F0-BA79-4360-A3EA-51B6D006133CHover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\372FF78B-6E4B-4B38-8E3F-797B4680FB98.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\372FF78B-6E4B-4B38-8E3F-797B4680FB98hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\372FF78B-6E4B-4B38-8E3F-797B4680FB98press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\39079B96-6DD1-42DE-89E6-76F79C8BB4E4.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\39079B96-6DD1-42DE-89E6-76F79C8BB4E4Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\39079B96-6DD1-42DE-89E6-76F79C8BB4E4Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\3f9ac55c-6db5-4c01-9d34-a92da2347be6.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\3f9ac55c-6db5-4c01-9d34-a92da2347be6hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\3f9ac55c-6db5-4c01-9d34-a92da2347be6press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\47BFF758-9581-4C68-9293-1181A70CDEE8.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\47BFF758-9581-4C68-9293-1181A70CDEE8Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\47BFF758-9581-4C68-9293-1181A70CDEE8Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\48A9C19C-5A4C-4652-A6E7-1C17AEE45675.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\48A9C19C-5A4C-4652-A6E7-1C17AEE45675Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\48A9C19C-5A4C-4652-A6E7-1C17AEE45675Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\4a110a71-0e7e-4552-af6e-3ef88b2d6511.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\4a110a71-0e7e-4552-af6e-3ef88b2d6511Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\4a110a71-0e7e-4552-af6e-3ef88b2d6511Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\511B6809-2468-4A36-A6FC-FC24F05499BE.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\511B6809-2468-4A36-A6FC-FC24F05499BEHover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\511B6809-2468-4A36-A6FC-FC24F05499BEPress.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5252af60-ef03-41a8-babe-415dba235478.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5252af60-ef03-41a8-babe-415dba235478Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5252af60-ef03-41a8-babe-415dba235478Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\536b9063-fc09-4e82-8769-73c77317aae6.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\536b9063-fc09-4e82-8769-73c77317aae6hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\536b9063-fc09-4e82-8769-73c77317aae6press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5558C4C6-18C1-4AF3-8F8D-0E2CF70D19C8.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5558C4C6-18C1-4AF3-8F8D-0E2CF70D19C8hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5558C4C6-18C1-4AF3-8F8D-0E2CF70D19C8press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\56591C8E-DA35-4A97-AC9B-5055E0F7089E.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\56591C8E-DA35-4A97-AC9B-5055E0F7089Ehover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\56591C8E-DA35-4A97-AC9B-5055E0F7089Epress.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5D0A6D97-85F2-47E9-8F04-04A747B25A0E.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5D0A6D97-85F2-47E9-8F04-04A747B25A0Ehover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5D0A6D97-85F2-47E9-8F04-04A747B25A0Epress.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5F1B269B-7C66-474F-A473-BE7FA51BE5B2.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5F1B269B-7C66-474F-A473-BE7FA51BE5B2hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5F1B269B-7C66-474F-A473-BE7FA51BE5B2press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5F488FA5-C35B-44A9-A0E4-2C7B41035780.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5F488FA5-C35B-44A9-A0E4-2C7B41035780hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\5F488FA5-C35B-44A9-A0E4-2C7B41035780press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\65B1A402-FC79-410D-AE1C-AF92E206AC1D.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\65B1A402-FC79-410D-AE1C-AF92E206AC1Dhover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\65B1A402-FC79-410D-AE1C-AF92E206AC1Dpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\69C7DFE3-CDAE-4A22-B753-93ABF8BAE7EC.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\69C7DFE3-CDAE-4A22-B753-93ABF8BAE7EChover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\69C7DFE3-CDAE-4A22-B753-93ABF8BAE7ECpress.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\708d8b1e-6545-474a-9f07-d854acf8ad43.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\708d8b1e-6545-474a-9f07-d854acf8ad43hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\708d8b1e-6545-474a-9f07-d854acf8ad43press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\72CDFC8C-6F2D-4df8-9811-18C4D682C406.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\72CDFC8C-6F2D-4df8-9811-18C4D682C406hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\72CDFC8C-6F2D-4df8-9811-18C4D682C406press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\7fe83ae9-caef-41f0-aa99-d114c0ce3941.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\7fe83ae9-caef-41f0-aa99-d114c0ce3941hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\7fe83ae9-caef-41f0-aa99-d114c0ce3941press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\8217d395-9ebe-4ebb-807c-38cc911a307f.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\8217d395-9ebe-4ebb-807c-38cc911a307fHover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\8217d395-9ebe-4ebb-807c-38cc911a307fPress.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\83B4B6FE-910D-412E-BED4-E3AFA6E5CA61.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\83B4B6FE-910D-412E-BED4-E3AFA6E5CA61hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\83B4B6FE-910D-412E-BED4-E3AFA6E5CA61press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\87442BEF-FD31-405C-A807-650CB7CC8886.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\87442BEF-FD31-405C-A807-650CB7CC8886hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\87442BEF-FD31-405C-A807-650CB7CC8886press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\89582936-094c-4880-b87a-2af16fc31313.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\89582936-094c-4880-b87a-2af16fc31313Hover.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\89582936-094c-4880-b87a-2af16fc31313Press.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\89582936-094C-4880-B87A-2AF16FC33B2C.png
c:\users\buibui\AppData\Local\Smartbar\Common\iconsWide\89582936-094C-4880-B87A-2AF16FC33B2Chover.png
c:\users\buibui\AppData\Local\Smartbar\DistributionFiles\Configs\IconsSettings.xml
c:\users\buibui\AppData\Local\Smartbar\DistributionFiles\Configs\LocalMethods.xml
c:\users\buibui\AppData\Local\Smartbar\DistributionFiles\Configs\ProfileManager.xml
c:\users\buibui\AppData\Local\Smartbar\DistributionFiles\Configs\PublisherSettings.xml
c:\users\buibui\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
c:\users\buibui\AppData\Local\Smartbar\DistributionFiles\Profiles\13131313-1313-1313-1313-131313131313.xml
c:\users\buibui\AppData\Local\Solid Savings
c:\users\buibui\AppData\Local\Solid Savings\Chrome\Installer.log
c:\users\buibui\AppData\Local\SwvUpdater
c:\users\buibui\AppData\Local\SwvUpdater\Updater.xml
c:\users\buibui\AppData\Roaming\PCFixSpeed
c:\users\buibui\AppData\Roaming\PCFixSpeed\faq.htm
c:\users\buibui\AppData\Roaming\SearchProtect
c:\users\buibui\AppData\Roaming\SearchProtect\bin\rep.dat
c:\users\buibui\AppData\Roaming\SearchProtect\Dialogs\spbd\bubble.css
c:\users\buibui\AppData\Roaming\SearchProtect\Dialogs\spbd\images\information.png
c:\users\buibui\AppData\Roaming\SearchProtect\Dialogs\spbd\images\x-default-LTR.png
c:\users\buibui\AppData\Roaming\SearchProtect\Dialogs\spbd\images\x-default-RTL.png
c:\users\buibui\AppData\Roaming\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\users\buibui\AppData\Roaming\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\users\buibui\AppData\Roaming\SearchProtect\Dialogs\spbd\main.html
c:\users\buibui\AppData\Roaming\SearchProtect\Dialogs\spsd\images\ok-button.png
c:\users\buibui\AppData\Roaming\SearchProtect\Dialogs\spsd\images\separation-line.png
c:\users\buibui\AppData\Roaming\SearchProtect\Dialogs\spsd\images\warning.png
c:\users\buibui\AppData\Roaming\SearchProtect\Dialogs\spsd\main.html
c:\users\buibui\AppData\Roaming\SearchProtect\Dialogs\spsd\SearchProtector.css
.
.
((((((((((((((((((((((((( Files Created from 2013-02-22 to 2013-03-22 )))))))))))))))))))))))))))))))
.
.
2013-03-22 18:45 . 2013-03-22 18:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-22 18:45 . 2013-03-22 18:45 -------- d-----w- c:\users\buibui\AppData\Local\temp
2013-03-22 18:38 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2D22BA9A-5BF1-44BA-B69A-0A792408E5BA}\mpengine.dll
2013-03-14 00:31 . 2013-03-14 00:31 -------- d-----w- c:\users\buibui\AppData\Roaming\SkypeTalking
2013-03-14 00:30 . 2013-03-14 00:41 -------- d-----w- c:\program files (x86)\SkypeTalking
2013-03-14 00:28 . 2013-03-20 02:26 -------- d-----w- c:\users\AppData
2013-03-14 00:27 . 2013-03-14 00:27 -------- d-----w- c:\users\buibui\AppData\Local\CRE
2013-03-10 22:22 . 2013-03-10 22:22 -------- d-----w- c:\program files (x86)\HP
2013-03-10 22:21 . 2013-03-10 22:21 -------- d-----w- c:\programdata\HP
2013-03-10 22:15 . 2013-03-15 02:08 -------- d-----w- C:\f50f9bf690af783e1b1fc2a06bc0
2013-03-10 22:00 . 2013-03-10 22:00 -------- d-----w- c:\users\buibui\AppData\Local\APN
2013-03-10 22:00 . 2013-03-10 22:00 -------- d-----w- C:\Firefox
2013-03-10 21:50 . 2013-03-10 21:50 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-03-10 21:49 . 2013-03-10 21:49 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-10 21:49 . 2013-03-10 21:49 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-10 21:49 . 2013-03-10 21:49 -------- d-----w- c:\program files (x86)\Java
2013-03-10 21:48 . 2013-03-10 21:48 -------- d-----w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-15 04:16 . 2012-07-22 08:23 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-15 04:16 . 2012-07-22 08:23 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-10 21:49 . 2012-07-18 11:57 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-02-13 22:01 . 2006-11-02 12:35 70004024 ----a-w- c:\windows\system32\mrt.exe
2013-01-17 08:28 . 2012-06-29 04:26 273840 ------w- c:\windows\system32\MpSigStub.exe
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\buibui\AppData\Local\APN ----
.
2013-02-08 21:51 . 2013-02-08 21:51 173279 ----a-w- c:\users\buibui\AppData\Local\APN\GoogleCRXs\apnorjtoolbar.crx
2013-02-08 21:51 . 2013-03-10 22:00 299 ----a-w- c:\users\buibui\AppData\Local\APN\GoogleCRXs\Update.xml
.
---- Directory of c:\users\buibui\AppData\Local\CRE ----
.
2013-03-12 21:02 . 2013-03-12 21:02 2688327 ----a-w- c:\users\buibui\AppData\Local\CRE\jfjbflachhjbdbhfgknpgcgpchaikkok.crx
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-03-16 1632680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-22 04:16]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351686954-2765394444-4087732683-1000Core.job
- c:\users\buibui\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-30 19:06]
.
2013-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351686954-2765394444-4087732683-1000UA.job
- c:\users\buibui\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-30 19:06]
.
2012-12-02 c:\windows\Tasks\User_Feed_Synchronization-{3D979ED0-54D6-4721-9A93-5B6593C819CA}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:50]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files (x86)\Ask.com\GenericAskToolbar.dll
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files (x86)\Yontoo\YontooIEClient.dll
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2013-03-22 11:46:39
ComboFix-quarantined-files.txt 2013-03-22 18:46
ComboFix2.txt 2013-03-20 02:26
.
Pre-Run: 341,781,356,544 bytes free
Post-Run: 340,719,521,792 bytes free
.
- - End Of File - - 502FBF8A34C31AD7EC73650FC60D2294

I can't uninstall Yontoo though. "Error 2 while loading archive: The system cannot find the file specified"
beancurd89
Old 03-22-2013, 08:53 PM   #8
Piper
Security Team Analyst
Join Date: Jun 2010
Location: California
Posts: 972
OS: Windows XP Service Pack 3

Quote:
Originally Posted by beancurd89
I can't uninstall Yontoo though. "Error 2 while loading archive: The system cannot find the file specified"
That's all right, it looks like ComboFix took care of it.
Does it still appear in your Installed Programs list in the Control Panel?

--- --- --- --- --- ---

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 7 and Save it to your Desktop.
  • Scroll down to where it says Java SE 7u17
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u17-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are three options in the window to clear the cache - Leave these two Checked
      • Trace and Log Files
      • Cached Applications and Applets
      • Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel.
NOTE: Java is a security risk, as it is a vulnerable application often exploited by malware. You may want to consider uninstalling it for this reason. However, some programs and websites require Java in order to run, so you may not want to uninstall it if you frequently use such programs/websites. If that is the case, we recommend at least disabling Java in your browsers and enabling it only when it is needed. Please see here: Disable Java in browsers

--- --- --- --- --- ---

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.
--- --- --- --- --- ---

It's important to run an online scan to search for any remnants that may be lurking. Please go to here to run the online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Old 03-23-2013, 06:25 PM   #9
Registered Member
Join Date: Apr 2010
Posts: 78
OS: Windows XP

Yes, Yontoo still appears under my Control Panel.

I cannot complete the Java step. I was able to uninstall, but I'm not able to find the Java Icon under Control Panel, classic view. Basically I only go to the link, then click on Download under "JRE" right? So only one thing I need to download? Well, I did and it didn't work. I can find the folder it installed into, but even with the search function, I can't find anything with Java in it except the installer..

This is the MBAM log requested:
Malwarebytes Anti-Malware 1.70.0.1100
Malwarebytes : Free anti-malware download

Database version: v2013.03.23.11

Windows Vista Service Pack 1 x64 NTFS
Internet Explorer 7.0.6001.18000
buibui :: BUIBUI-PC [administrator]

3/23/2013 4:47:53 PM
mbam-log-2013-03-23 (16-47-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215088
Time elapsed: 1 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Users\buibui\Downloads\Extreme_Flash_Player_Setup (1).exe (PUP.IBryte) -> Quarantined and deleted successfully.
C:\Users\buibui\Downloads\Extreme_Flash_Player_Setup (2).exe (PUP.IBryte) -> Quarantined and deleted successfully.
C:\Users\buibui\Downloads\Extreme_Flash_Player_Setup (3).exe (PUP.IBryte) -> Quarantined and deleted successfully.
C:\Users\buibui\Downloads\Extreme_Flash_Player_Setup (4).exe (PUP.IBryte) -> Quarantined and deleted successfully.
C:\Users\buibui\Downloads\Extreme_Flash_Player_Setup (5).exe (PUP.IBryte) -> Quarantined and deleted successfully.
C:\Users\buibui\Downloads\Extreme_Flash_Player_Setup.exe (PUP.IBryte) -> Quarantined and deleted successfully.

(end)

ESET log

C:\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\Program Files (x86)\Yontoo\YontooIEClient.dll.vir a variant of Win32/Adware.Yontoo.A application
C:\Users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
beancurd89
Old 03-24-2013, 05:51 PM   #10
Piper
Security Team Analyst
Join Date: Jun 2010
Location: California
Posts: 972
OS: Windows XP Service Pack 3

Quote:
I cannot complete the Java step. I was able to uninstall, but I'm not able to find the Java Icon under Control Panel, classic view. Basically I only go to the link, then click on Download under "JRE" right? So only one thing I need to download? Well, I did and it didn't work. I can find the folder it installed into, but even with the search function, I can't find anything with Java in it except the installer..
I'm not quite sure what you mean by this. It sounds like you were having trouble with these steps:
Quote:
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are three options in the window to clear the cache - Leave these two Checked
      • Trace and Log Files
      • Cached Applications and Applets
      • Click OK on Delete Temporary Files Window
        Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
      • Click OK to leave the Temporary Files Window
      • Click OK to leave the Java Control Panel.
Does this mean that you already ran the installer you downloaded? If so, we should be able to do the rest with another ComboFix script.

--- --- --- --- --- --- ---

Print out or copy this page to Notepad in order to assist you when carrying out the following instructions, as you will not be able to view this page during the fix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
ClearJavaCache::

Folder::
C:\ProgramData\Tarma Installer
C:\Users\All Users\Tarma Installer
c:\users\buibui\AppData\Local\APN
c:\users\buibui\AppData\Local\CRE
Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe.

ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Please also include the contents of the following file in your next post:

C:\Qoobox\Add-Remove Programs.txt

--- --- --- --- --- --- ---

After running the script, check again to see if Yontoo is still listed as an installed program. If it is, try this:
  • Go here to download the Microsoft Fix It tool
  • Click the green Run Now button and save the file to your Desktop
  • Double-click the Microsoft Fix It icon on your Desktop to run the tool
  • Click Accept
  • Click Detect problems and apply the fixes for me (Recommended)
  • When asked if you are having a problem installing or uninstalling a program, select Uninstalling
  • The tool will provide a list of programs; select Yontoo 1.10.02 if it is listed
  • The tool should attempt to fully uninstall Yontoo; follow any further prompts
After running this tool, check again to see if Yontoo still appears in your list of installed programs and let me know.
Piper is offline  
Old 03-25-2013, 11:03 AM   #11
Registered Member
 
Join Date: Apr 2010
Posts: 78
OS: Windows XP



Basically the problem I had with Java was that I installed it, but I can't find it under Control panel, Classic View. Anyways, carried out the steps as instructed.

Combofix log:
ComboFix 13-03-25.01 - buibui 03/25/2013 10:41:33.3.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4094.2764 [GMT -7:00]
Running from: c:\users\buibui\Desktop\ComboFix.exe
Command switches used :: c:\users\buibui\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\programdata\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setup.dll
c:\programdata\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll
c:\programdata\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Setup.dat
c:\programdata\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Setup.exe
c:\programdata\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Setup.ico
c:\users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\users\All Users\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setup.dll
c:\users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll
c:\users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Setup.dat
c:\users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Setup.exe
c:\users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\Setup.ico
c:\users\buibui\AppData\Local\CRE
c:\users\buibui\AppData\Local\CRE\jfjbflachhjbdbhfgknpgcgpchaikkok.crx
.
.
((((((((((((((((((((((((( Files Created from 2013-02-25 to 2013-03-25 )))))))))))))))))))))))))))))))
.
.
2013-03-25 17:52 . 2013-03-25 17:52 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-25 17:52 . 2013-03-25 17:52 -------- d-----w- c:\users\buibui\AppData\Local\temp
2013-03-23 23:59 . 2013-03-23 23:59 -------- d-----w- c:\program files (x86)\ESET
2013-03-23 23:47 . 2013-03-23 23:47 -------- d-----w- c:\users\buibui\AppData\Roaming\Malwarebytes
2013-03-23 23:47 . 2013-03-23 23:47 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-23 23:47 . 2013-03-23 23:47 -------- d-----w- c:\programdata\Malwarebytes
2013-03-23 23:47 . 2012-12-14 23:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-23 23:45 . 2013-03-23 23:45 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-03-23 23:44 . 2013-03-23 23:44 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-23 23:44 . 2013-03-23 23:44 -------- d-----w- c:\program files (x86)\lib
2013-03-23 23:44 . 2013-03-23 23:44 -------- d-----w- c:\program files (x86)\bin
2013-03-22 18:38 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{2D22BA9A-5BF1-44BA-B69A-0A792408E5BA}\mpengine.dll
2013-03-14 00:31 . 2013-03-14 00:31 -------- d-----w- c:\users\buibui\AppData\Roaming\SkypeTalking
2013-03-14 00:30 . 2013-03-14 00:41 -------- d-----w- c:\program files (x86)\SkypeTalking
2013-03-14 00:28 . 2013-03-20 02:26 -------- d-----w- c:\users\AppData
2013-03-10 22:22 . 2013-03-10 22:22 -------- d-----w- c:\program files (x86)\HP
2013-03-10 22:21 . 2013-03-10 22:21 -------- d-----w- c:\programdata\HP
2013-03-10 22:15 . 2013-03-15 02:08 -------- d-----w- C:\f50f9bf690af783e1b1fc2a06bc0
2013-03-10 22:00 . 2013-03-22 18:49 -------- d-----w- C:\Firefox
2013-03-10 21:49 . 2013-03-23 23:44 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-10 21:48 . 2013-03-10 21:48 -------- d-----w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-23 23:44 . 2012-07-18 11:57 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-15 04:16 . 2012-07-22 08:23 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-15 04:16 . 2012-07-22 08:23 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-13 22:01 . 2006-11-02 12:35 70004024 ----a-w- c:\windows\system32\mrt.exe
2013-01-17 08:28 . 2012-06-29 04:26 273840 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
c:\program files (x86)\Ask.com\GenericAskToolbar.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
c:\program files (x86)\Yontoo\YontooIEClient.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-03-16 1632680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-22 04:16]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351686954-2765394444-4087732683-1000Core.job
- c:\users\buibui\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-30 19:06]
.
2013-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351686954-2765394444-4087732683-1000UA.job
- c:\users\buibui\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-30 19:06]
.
2012-12-02 c:\windows\Tasks\User_Feed_Synchronization-{3D979ED0-54D6-4721-9A93-5B6593C819CA}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:50]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2013-03-25 10:53:09
ComboFix-quarantined-files.txt 2013-03-25 17:53
ComboFix2.txt 2013-03-22 18:46
ComboFix3.txt 2013-03-20 02:26
.
Pre-Run: 356,092,317,696 bytes free
Post-Run: 355,078,455,296 bytes free
.
- - End Of File - - 12727D2F3C0B1D48577F2E0CD31364ED

Qoobox:
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
DarksidersInstaller
Drug Wars
ESET Online Scanner v3
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java 7 Update 17
Java Auto Updater
Left 4 Dead 2
Magic: The Gathering - Duels of the Planeswalkers 2013
Malwarebytes Anti-Malware version 1.70.0.1100
Metro 2033
Microsoft Office XP Professional
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Red Faction: Armageddon
Saints Row: The Third
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Steam
Team Fortress 2
Team Fortress Classic
The Sims(TM) 3
Uninstall Neocodex Program Manager
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Fix it couldn't find Yontoo, and I still see it under Add-remove programs.

Thanks for the help so far
beancurd89 is offline  
Old 03-26-2013, 07:57 AM   #12
Security Team
Analyst
 
 
Join Date: Jun 2010
Location: California
Posts: 972
OS: Windows XP Service Pack 3



Let's see if we can get a better look as to why Yontoo is still listed as an installed program.

Please download SystemLook from here and save it to your Desktop.
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
    
    :regfind
    Yontoo
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
Piper is offline  
Old 03-26-2013, 09:35 AM   #13
Registered Member
 
Join Date: Apr 2010
Posts: 78
OS: Windows XP



SystemLook 04.09.10 by jpshortstuff
Log created at 09:34 on 26/03/2013 by buibui
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 3.5 SP1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Client Profile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NVIDIA Display Control Panel]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NVIDIA Drivers]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3D3E663D-4E7E-4577-A560-7ECDDD45548A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}]


[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player Plugin]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ESET Online Scanner]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Geek Phase Drug Wars]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\KB885884]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Malwarebytes' Anti-Malware_is1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Neocodex Program Manager_is1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 43110]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 47890]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 550]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 55110]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 55230]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 97330]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{048298C9-A4D3-490B-9FF9-AB023A9238F3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F83217017FF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91110409-6000-11D3-8CFE-0050048383C9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9A25302D-30C0-39D9-BD6F-21E6EC160475}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9BE518E6-ECC6-35A9-88E4-87755C07200F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B93EEE50-9C8F-45DF-95E4-3D85A6E242F3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB2416473]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB350003]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB953595]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB958484]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB960043]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2160841]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2162169]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2446708]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2446708v2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2468871]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2473228]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2478063]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2478663]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2514805]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}.KB2518870]


========== regfind ==========

Searching for "Yontoo"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
@="YontooIEClient"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\YontooIEClient.DLL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
@="YontooIEClient"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\InProcServer32]
@="C:\Program Files (x86)\Yontoo\YontooIEClient.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
@="Yontoo Api"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32]
@="C:\Program Files (x86)\Yontoo\YontooIEClient.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ProgID]
@="YontooIEClient.Api.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\VersionIndependentProgID]
@="YontooIEClient.Api"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
@="Yontoo"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32]
@="C:\Program Files (x86)\Yontoo\YontooIEClient.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ProgID]
@="YontooIEClient.Layers.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\VersionIndependentProgID]
@="YontooIEClient.Layers"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\YontooIEClient.Api]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\YontooIEClient.Api]
@="Yontoo Api"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\YontooIEClient.Api\CurVer]
@="YontooIEClient.Api.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\YontooIEClient.Api.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\YontooIEClient.Api.1]
@="Yontoo Api"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api]
@="Yontoo Api"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api\CurVer]
@="YontooIEClient.Api.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1]
@="Yontoo Api"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
"InstallLocation"="C:\Program Files (x86)\Yontoo"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
"DisplayName"="Yontoo 1.10.02"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
"Publisher"="Yontoo LLC"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
"URLInfoAbout"="http://www.yontoo.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
"Contact"="support@yontoo.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\YontooIEClient.DLL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
@="YontooIEClient"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\InProcServer32]
@="C:\Program Files (x86)\Yontoo\YontooIEClient.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
@="Yontoo Api"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32]
@="C:\Program Files (x86)\Yontoo\YontooIEClient.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ProgID]
@="YontooIEClient.Api.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\VersionIndependentProgID]
@="YontooIEClient.Api"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
@="Yontoo"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32]
@="C:\Program Files (x86)\Yontoo\YontooIEClient.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ProgID]
@="YontooIEClient.Layers.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\VersionIndependentProgID]
@="YontooIEClient.Layers"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\YontooIEClient.Api]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\YontooIEClient.Api]
@="Yontoo Api"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\YontooIEClient.Api\CurVer]
@="YontooIEClient.Api.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\YontooIEClient.Api.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\YontooIEClient.Api.1]
@="Yontoo Api"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc]
"path"="C:\Users\buibui\AppData\Local\Temp\YontooLayers.crx"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
@="Yontoo Layers"

-= EOF =-
beancurd89 is offline  
Old 03-27-2013, 07:48 PM   #14
Security Team
Analyst
 
 
Join Date: Jun 2010
Location: California
Posts: 972
OS: Windows XP Service Pack 3



Thank you for the log!
Let's try running ComboFix again:

--- --- --- --- --- --- ---

Print out or copy this page to Notepad in order to assist you when carrying out the following instructions, as you will not be able to view this page during the fix.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\YontooIEClient.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\YontooIEClient.Api]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\YontooIEClient.Api.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\YontooIEClient.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\YontooIEClient.Api]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\YontooIEClient.Api.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
Save this as CFScript.txt, in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe.

ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

--- --- --- --- --- --- ---

Does Yontoo still appear in your program list after running the above script?
__________________
Piper is offline  
Old 03-28-2013, 11:30 AM   #15
Registered Member
 
Join Date: Apr 2010
Posts: 78
OS: Windows XP



ComboFix 13-03-27.01 - buibui 03/28/2013 11:22:24.4.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4094.3016 [GMT -7:00]
Running from: c:\users\buibui\Desktop\ComboFix.exe
Command switches used :: c:\users\buibui\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-02-28 to 2013-03-28 )))))))))))))))))))))))))))))))
.
.
2013-03-28 18:27 . 2013-03-28 18:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-28 18:27 . 2013-03-28 18:27 -------- d-----w- c:\users\buibui\AppData\Local\temp
2013-03-26 16:41 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4AE3D052-733C-4925-8590-CB56CCB5045B}\mpengine.dll
2013-03-23 23:59 . 2013-03-23 23:59 -------- d-----w- c:\program files (x86)\ESET
2013-03-23 23:47 . 2013-03-23 23:47 -------- d-----w- c:\users\buibui\AppData\Roaming\Malwarebytes
2013-03-23 23:47 . 2013-03-23 23:47 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-23 23:47 . 2013-03-23 23:47 -------- d-----w- c:\programdata\Malwarebytes
2013-03-23 23:47 . 2012-12-14 23:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-23 23:45 . 2013-03-23 23:45 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-03-23 23:44 . 2013-03-23 23:44 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-23 23:44 . 2013-03-23 23:44 -------- d-----w- c:\program files (x86)\lib
2013-03-23 23:44 . 2013-03-23 23:44 -------- d-----w- c:\program files (x86)\bin
2013-03-14 00:31 . 2013-03-14 00:31 -------- d-----w- c:\users\buibui\AppData\Roaming\SkypeTalking
2013-03-14 00:30 . 2013-03-14 00:41 -------- d-----w- c:\program files (x86)\SkypeTalking
2013-03-14 00:28 . 2013-03-20 02:26 -------- d-----w- c:\users\AppData
2013-03-10 22:22 . 2013-03-10 22:22 -------- d-----w- c:\program files (x86)\HP
2013-03-10 22:21 . 2013-03-10 22:21 -------- d-----w- c:\programdata\HP
2013-03-10 22:15 . 2013-03-15 02:08 -------- d-----w- C:\f50f9bf690af783e1b1fc2a06bc0
2013-03-10 22:00 . 2013-03-22 18:49 -------- d-----w- C:\Firefox
2013-03-10 21:49 . 2013-03-23 23:44 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-10 21:48 . 2013-03-10 21:48 -------- d-----w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-23 23:44 . 2012-07-18 11:57 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-15 04:16 . 2012-07-22 08:23 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-15 04:16 . 2012-07-22 08:23 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-13 22:01 . 2006-11-02 12:35 70004024 ----a-w- c:\windows\system32\mrt.exe
2013-01-17 08:28 . 2012-06-29 04:26 273840 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
c:\program files (x86)\Ask.com\GenericAskToolbar.dll [BU]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-03-16 1632680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-28 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-22 04:16]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351686954-2765394444-4087732683-1000Core.job
- c:\users\buibui\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-30 19:06]
.
2013-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351686954-2765394444-4087732683-1000UA.job
- c:\users\buibui\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-30 19:06]
.
2012-12-02 c:\windows\Tasks\User_Feed_Synchronization-{3D979ED0-54D6-4721-9A93-5B6593C819CA}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:50]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2013-03-28 11:28:12
ComboFix-quarantined-files.txt 2013-03-28 18:28
ComboFix2.txt 2013-03-25 17:53
ComboFix3.txt 2013-03-22 18:46
ComboFix4.txt 2013-03-20 02:26
.
Pre-Run: 335,479,058,432 bytes free
Post-Run: 335,436,488,704 bytes free
.
- - End Of File - - 48377862183E489A9920B92D0F582764

And Yontoo is finally not on my Program list anymore :D
__________________
beancurd89 is offline  
Old 03-29-2013, 06:53 PM   #16
Security Team
Analyst
 
 
Join Date: Jun 2010
Location: California
Posts: 972
OS: Windows XP Service Pack 3



I'm glad to hear that Yontoo is gone!
We're almost finished, but your logs are not quite clean yet.

Please run SystemLook again.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    Ask.com
    AskToolbar
    Ask Toolbar
    
    :folderfind
    Ask.com
    AskToolbar
    Ask Toolbar
    
    :regfind
    Ask.com
    AskToolbar
    Ask Toolbar
    {D4027C7F-154A-4066-A1AD-4243D8127440}
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
__________________
Piper is offline  
Old 03-30-2013, 09:06 AM   #17
Registered Member
 
Join Date: Apr 2010
Posts: 78
OS: Windows XP



SystemLook 04.09.10 by jpshortstuff
Log created at 08:55 on 30/03/2013 by buibui
Administrator - Elevation successful

========== filefind ==========

Searching for "Ask.com"
No files found.

Searching for "AskToolbar"
No files found.

Searching for "Ask Toolbar"
No files found.

========== folderfind ==========

Searching for "Ask.com"
C:\Qoobox\Quarantine\C\Program Files (x86)\Ask.com d------ [18:44 22/03/2013]

Searching for "AskToolbar"
No folders found.

Searching for "Ask Toolbar"
No folders found.

========== regfind ==========

Searching for "Ask.com"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
"URL"="http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=^TV&apn_dtid=^OSJ000^YY^US&apn_uid=C26F83FB-4BEA-4017-9B6A-F595435B4FF3&apn_sauid=79D54C20-EF3F-400D-8405-6450224AF6DB"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
"FaviconUrl"="http://www.ask.com/favicon.ico"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
"SuggestionsURL_JSON"="http://ss.websearch.ask.com/query?qsrc=2922&li=ff&sstype=prefix&q={searchTerms}"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"="Ask Updater"
[HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"="Ask Updater"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MAPI/IPM.Task]
"PreviewDetails"="prop:*System.DueDate;*System.Task.CompletionStatus;*System.Task.Owner;*System.Keywords"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\MAPI/IPM.Task]
"PreviewDetails"="prop:*System.DueDate;*System.Task.CompletionStatus;*System.Task.Owner;*System.Keywords"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\InprocServer32]
@="C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\InprocServer32]
@="C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\MAPI/IPM.Task]
"PreviewDetails"="prop:*System.DueDate;*System.Task.CompletionStatus;*System.Task.Owner;*System.Keywords"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\SystemFileAssociations\MAPI/IPM.Task]
"PreviewDetails"="prop:*System.DueDate;*System.Task.CompletionStatus;*System.Task.Owner;*System.Keywords"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Firefox\toolbar@ask.com\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Firefox\toolbar@ask.com\chrome\content\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Firefox\toolbar@ask.com\chrome\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Firefox\toolbar@ask.com\chrome\skin\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Firefox\toolbar@ask.com\defaults\preferences\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Firefox\toolbar@ask.com\defaults\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Firefox\toolbar@ask.com\searchplugins\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E]
"A28B4D68DEBAA244EB686953B7074FEF"="C:\Firefox\toolbar@ask.com\chrome\skin\ ask_32x.png"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6]
"A28B4D68DEBAA244EB686953B7074FEF"="C:\Program Files (x86)\Ask.com\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852]
"A28B4D68DEBAA244EB686953B7074FEF"="C:\Program Files (x86)\Ask.com\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0]
"A28B4D68DEBAA244EB686953B7074FEF"="C:\Program Files (x86)\Ask.com\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA]
"A28B4D68DEBAA244EB686953B7074FEF"="C:\Program Files (x86)\Ask.com\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96]
"A28B4D68DEBAA244EB686953B7074FEF"="C:\Program Files (x86)\Ask.com\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59]
"A28B4D68DEBAA244EB686953B7074FEF"="C:\Program Files (x86)\Ask.com\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC]
"A28B4D68DEBAA244EB686953B7074FEF"="C:\Firefox\toolbar@ask.com\defaults\preferences\defaults.js"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA]
"A28B4D68DEBAA244EB686953B7074FEF"="C:\Firefox\toolbar@ask.com\searchplugins\askcom.xml"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E]
"A28B4D68DEBAA244EB686953B7074FEF"="C:\Program Files (x86)\Ask.com\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF]
"A28B4D68DEBAA244EB686953B7074FEF"="C:\Firefox\toolbar@ask.com\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E]
"A28B4D68DEBAA244EB686953B7074FEF"="C:\Firefox\toolbar@ask.com\chrome\content\about.js"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\InprocServer32]
@="C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\InprocServer32]
@="C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\MAPI/IPM.Task]
"PreviewDetails"="prop:*System.DueDate;*System.Task.CompletionStatus;*System.Task.Owner;*System.Keywords"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\SystemFileAssociations\MAPI/IPM.Task]
"PreviewDetails"="prop:*System.DueDate;*System.Task.CompletionStatus;*System.Task.Owner;*System.Keywords"
[HKEY_USERS\S-1-5-21-2351686954-2765394444-4087732683-1000\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
"URL"="http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=^TV&apn_dtid=^OSJ000^YY^US&apn_uid=C26F83FB-4BEA-4017-9B6A-F595435B4FF3&apn_sauid=79D54C20-EF3F-400D-8405-6450224AF6DB"
[HKEY_USERS\S-1-5-21-2351686954-2765394444-4087732683-1000\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
"FaviconUrl"="http://www.ask.com/favicon.ico"
[HKEY_USERS\S-1-5-21-2351686954-2765394444-4087732683-1000\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
"SuggestionsURL_JSON"="http://ss.websearch.ask.com/query?qsrc=2922&li=ff&sstype=prefix&q={searchTerms}"
[HKEY_USERS\S-1-5-21-2351686954-2765394444-4087732683-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"="Ask Updater"
[HKEY_USERS\S-1-5-21-2351686954-2765394444-4087732683-1000\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"="Ask Updater"
[HKEY_USERS\S-1-5-21-2351686954-2765394444-4087732683-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"="Ask Updater"
[HKEY_USERS\S-1-5-21-2351686954-2765394444-4087732683-1000_Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"="Ask Updater"

Searching for "AskToolbar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}]
@="GenericAskToolbar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}]
@="IAskToolbar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\GenericAskToolbar.DLL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}]
@="GenericAskToolbar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\InprocServer32]
@="C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\InprocServer32]
@="C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ProgID]
@="GenericAskToolbar.ToolbarWnd.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\VersionIndependentProgID]
@="GenericAskToolbar.ToolbarWnd"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}]
@="IAskToolbar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\GenericAskToolbar.DLL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}]
@="GenericAskToolbar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}\InprocServer32]
@="C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\InprocServer32]
@="C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ProgID]
@="GenericAskToolbar.ToolbarWnd.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\VersionIndependentProgID]
@="GenericAskToolbar.ToolbarWnd"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}]
@="IAskToolbar"

Searching for "Ask Toolbar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}]
@="Ask Toolbar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}]
@="Ask Toolbar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
@="Ask Toolbar BHO"

Searching for "{D4027C7F-154A-4066-A1AD-4243D8127440}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]

-= EOF =-
__________________
beancurd89 is offline  
Old 03-30-2013, 02:28 PM   #18
Security Team
Analyst
 
 
Join Date: Jun 2010
Location: California
Posts: 972
OS: Windows XP Service Pack 3



Thanks for the SystemLook log; it revealed quite a bit! Let's run ComboFix one more time to take care of what it found.

--- --- --- --- --- --- ---

Print out or copy this page to Notepad in order to assist you when carrying out the following instructions, as you will not be able to view this page during the fix.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
Registry::
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"=-
[HKEY_CURRENT_USER\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Firefox\toolbar@ask.com\"=-
"C:\Firefox\toolbar@ask.com\chrome\content\"=-
"C:\Firefox\toolbar@ask.com\chrome\"=-
"C:\Firefox\toolbar@ask.com\chrome\skin\"=-
"C:\Firefox\toolbar@ask.com\defaults\preferences\"=-
"C:\Firefox\toolbar@ask.com\defaults\"=-
"C:\Firefox\toolbar@ask.com\searchplugins\"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E]
"A28B4D68DEBAA244EB686953B7074FEF"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6]
"A28B4D68DEBAA244EB686953B7074FEF"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852]
"A28B4D68DEBAA244EB686953B7074FEF"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0]
"A28B4D68DEBAA244EB686953B7074FEF"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA]
"A28B4D68DEBAA244EB686953B7074FEF"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96]
"A28B4D68DEBAA244EB686953B7074FEF"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59]
"A28B4D68DEBAA244EB686953B7074FEF"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC]
"A28B4D68DEBAA244EB686953B7074FEF"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA]
"A28B4D68DEBAA244EB686953B7074FEF"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E]
"A28B4D68DEBAA244EB686953B7074FEF"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF]
"A28B4D68DEBAA244EB686953B7074FEF"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E]
"A28B4D68DEBAA244EB686953B7074FEF"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}]
[-HKEY_USERS\S-1-5-21-2351686954-2765394444-4087732683-1000\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
[HKEY_USERS\S-1-5-21-2351686954-2765394444-4087732683-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"=-
[HKEY_USERS\S-1-5-21-2351686954-2765394444-4087732683-1000\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"=-
[HKEY_USERS\S-1-5-21-2351686954-2765394444-4087732683-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"=-
[HKEY_USERS\S-1-5-21-2351686954-2765394444-4087732683-1000_Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\GenericAskToolbar.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\GenericAskToolbar.DLL]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
Save this as CFScript.txt, in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe.

ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
__________________
Piper is offline  
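As an added illustration (not code from this thread or from the ComboFix/SystemLook authors), the Python below turns SystemLook ":regfind" hits like the ones posted above into the CFScript "Registry::" lines the analyst wrote by hand in the two scripts in this thread: a key whose path contains an Ask indicator is removed whole with `[-key]`, a value whose name or data contains one is removed with `"name"=-`, and the MAPI/IPM.Task lines (a substring false positive, since "Task.CompletionStatus" contains "ask.Com") are left alone. The sample input is a constructed excerpt of the log, and the indicator list is an assumption drawn only from the entries in this thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the SystemLook ":regfind" hits posted above
# (value data trimmed); it is sample input, not the full log.
SAMPLE_REGFIND = r"""
========== regfind ==========

Searching for "Ask.com"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Program Files (x86)\Ask.com\Updater\Updater.exe"="Ask Updater"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\InprocServer32]
@="C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MAPI/IPM.Task]
"PreviewDetails"="prop:*System.DueDate;*System.Task.CompletionStatus"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Firefox\toolbar@ask.com\"=""

Searching for "{D4027C7F-154A-4066-A1AD-4243D8127440}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
"""

# Indicators taken from this thread's log (assumed list), anchored as path
# components or whole GUIDs so a bare substring hit such as
# "System.Task.CompletionStatus" (which contains "ask.Com") is not mistaken for
# the toolbar; SystemLook's plain substring search is what produced those
# MAPI/IPM.Task lines, and the analyst correctly left them alone.
INDICATORS = [
    re.compile(r"\\ask\.com\\", re.I),
    re.compile(r"toolbar@ask\.com", re.I),
    re.compile(r"genericasktoolbar", re.I),
    re.compile(r"\{D4027C7F-154A-4066-A1AD-4243D8127440\}", re.I),
    re.compile(r"\{00000000-6E41-4FD3-8538-502F5495E5FC\}", re.I),
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|".*?")=(?P<data>.*)$')

Entry = Tuple[str, Optional[str], Optional[str]]


def parse_regfind(text: str) -> List[Entry]:
    """Turn regfind output into (key, value_name, value_data) triples.

    A bare "[key]" line yields (key, None, None); each value line that follows
    is attached to that key until the next "[key]" line.
    """
    entries: List[Entry] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Searching for") or line.startswith("="):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            entries.append((current_key, None, None))
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            entries.append((current_key, value_match.group("name"), value_match.group("data")))
    return entries


def is_hit(text: str) -> bool:
    return any(pattern.search(text) for pattern in INDICATORS)


def key_to_delete(key: str) -> Optional[str]:
    """If a component of the key path is itself an indicator, return the path
    trimmed to that component, so the whole COM/BHO registration goes rather
    than a single InprocServer32 or ProgID subkey; None when the path is clean."""
    parts = key.split("\\")
    for i, part in enumerate(parts):
        if is_hit("\\" + part + "\\"):
            return "\\".join(parts[: i + 1])
    return None


def build_cfscript(text: str) -> str:
    """Emit the CFScript "Registry::" section: "[-key]" deletes a key,
    '"name"=-' deletes one value under the "[key]" line above it."""
    keys_to_delete: Dict[str, None] = {}       # insertion-ordered, de-duplicated
    values_to_delete: Dict[str, List[str]] = {}
    for key, name, data in parse_regfind(text):
        trimmed = key_to_delete(key)
        if trimmed is not None:
            keys_to_delete.setdefault(trimmed, None)
            continue
        if name is None:
            continue  # clean key path and no value on this line
        if is_hit(name) or is_hit(data or ""):
            names = values_to_delete.setdefault(key, [])
            if name not in names:
                names.append(name)
    lines = ["Registry::"]
    lines.extend(f"[-{key}]" for key in keys_to_delete)
    for key, names in values_to_delete.items():
        lines.append(f"[{key}]")
        lines.extend(f"{name}=-" for name in names)
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_REGFIND))
```

The generated text is what would be saved as CFScript.txt next to ComboFix.exe; review it by hand before use, since an indicator that is too broad would delete legitimate keys.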
Old 03-30-2013, 03:18 PM   #19
Registered Member
 
Join Date: Apr 2010
Posts: 78
OS: Windows XP



ComboFix 13-03-30.01 - buibui 03/30/2013 15:11:20.5.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.4094.2965 [GMT -7:00]
Running from: c:\users\buibui\Desktop\ComboFix.exe
Command switches used :: c:\users\buibui\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-02-28 to 2013-03-30 )))))))))))))))))))))))))))))))
.
.
2013-03-30 22:16 . 2013-03-30 22:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-30 22:16 . 2013-03-30 22:16 -------- d-----w- c:\users\buibui\AppData\Local\temp
2013-03-30 01:25 . 2013-03-15 06:28 9311288 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EF705D54-72EE-4DEB-8DBA-DC296BD5E334}\mpengine.dll
2013-03-23 23:59 . 2013-03-23 23:59 -------- d-----w- c:\program files (x86)\ESET
2013-03-23 23:47 . 2013-03-23 23:47 -------- d-----w- c:\users\buibui\AppData\Roaming\Malwarebytes
2013-03-23 23:47 . 2013-03-23 23:47 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-23 23:47 . 2013-03-23 23:47 -------- d-----w- c:\programdata\Malwarebytes
2013-03-23 23:47 . 2012-12-14 23:49 24176 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-23 23:45 . 2013-03-23 23:45 -------- d-----w- c:\program files (x86)\Common Files\Java
2013-03-23 23:44 . 2013-03-23 23:44 95648 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-03-23 23:44 . 2013-03-23 23:44 -------- d-----w- c:\program files (x86)\lib
2013-03-23 23:44 . 2013-03-23 23:44 -------- d-----w- c:\program files (x86)\bin
2013-03-14 00:31 . 2013-03-14 00:31 -------- d-----w- c:\users\buibui\AppData\Roaming\SkypeTalking
2013-03-14 00:30 . 2013-03-14 00:41 -------- d-----w- c:\program files (x86)\SkypeTalking
2013-03-14 00:28 . 2013-03-20 02:26 -------- d-----w- c:\users\AppData
2013-03-10 22:22 . 2013-03-10 22:22 -------- d-----w- c:\program files (x86)\HP
2013-03-10 22:21 . 2013-03-10 22:21 -------- d-----w- c:\programdata\HP
2013-03-10 22:15 . 2013-03-15 02:08 -------- d-----w- C:\f50f9bf690af783e1b1fc2a06bc0
2013-03-10 22:00 . 2013-03-22 18:49 -------- d-----w- C:\Firefox
2013-03-10 21:49 . 2013-03-23 23:44 861088 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2013-03-10 21:48 . 2013-03-10 21:48 -------- d-----w- c:\programdata\McAfee
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-23 23:44 . 2012-07-18 11:57 782240 ----a-w- c:\windows\SysWow64\deployJava1.dll
2013-03-15 04:16 . 2012-07-22 08:23 73432 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-03-15 04:16 . 2012-07-22 08:23 693976 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2013-02-13 22:01 . 2006-11-02 12:35 70004024 ----a-w- c:\windows\system32\mrt.exe
2013-01-17 08:28 . 2012-06-29 04:26 273840 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2013-03-16 1632680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-22 04:16]
.
2013-03-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351686954-2765394444-4087732683-1000Core.job
- c:\users\buibui\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-30 19:06]
.
2013-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2351686954-2765394444-4087732683-1000UA.job
- c:\users\buibui\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-30 19:06]
.
2012-12-02 c:\windows\Tasks\User_Feed_Synchronization-{3D979ED0-54D6-4721-9A93-5B6593C819CA}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:50]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Completion time: 2013-03-30 15:17:12
ComboFix-quarantined-files.txt 2013-03-30 22:17
ComboFix2.txt 2013-03-28 18:28
ComboFix3.txt 2013-03-25 17:53
ComboFix4.txt 2013-03-22 18:46
ComboFix5.txt 2013-03-30 22:08
.
Pre-Run: 331,684,491,264 bytes free
Post-Run: 331,642,257,408 bytes free
.
- - End Of File - - 66FAA5254E266E793C8E1BE05689AB5E

Thanks again!
__________________
beancurd89 is offline  
Old 04-01-2013, 05:11 PM   #20
Security Team
Analyst
 
Piper's Avatar
 
Join Date: Jun 2010
Location: California
Posts: 972
OS: Windows XP Service Pack 3



Congratulations, your log is clean!
Just a few things left to take care of now.

--- --- --- --- --- --- ---

I see no evidence of an AntiVirus program on your system. This must be resolved. Here are a few very good free Antivirus products which are available:

Select one of these, or another of your choice. Download, install, update definitions, and run a full system scan.

--- --- --- --- --- --- ---

The following will implement some cleanup procedures as well as reset System Restore points (this is an important step-- please do not skip it):

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

You can delete any tools and logs we've used up until now, if any remain.

--- --- --- --- --- --- ---

To help prevent any future infections, please see the information below.


MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.


SPYWARE PREVENTION

In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article:

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for IE, Firefox, and Chrome.
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows 7 here.
  • Secunia will scan for outdated and vulnerable common applications on your computer.
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

----------------------

Let me know if you have any questions or if any problems persist.

Please respond to this thread one more time so we can mark this thread as resolved.

__________________
Piper is offline  
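As an added example (not code from this thread or from the MVPS project) of checking the mechanism the HOSTS-file bullet above describes: a small Python auditor that separates harmless block entries, which point a name at the local machine, from entries that redirect a name somewhere else or block a protected update host. The sample file, the 203.0.113.7 address and the protected hostnames are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

# Addresses that make an entry a harmless "block" entry: the name resolves to
# the local machine, so no connection to the real site is ever made.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Hostnames that must never appear in a HOSTS file at all; pointing them at
# loopback is a classic way of stopping updates to security tools.
# Placeholder names (constructed), not a real list.
PROTECTED = {"update.example-av.test", "definitions.example-av.test"}


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list = field(default_factory=list)


def parse_hosts(text: str) -> list:
    """Parse HOSTS text into entries, ignoring comments, blanks and junk lines."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])  # first field must be an IP address
        except ValueError:
            continue
        entries.append(HostsEntry(line_no, fields[0], [n.lower() for n in fields[1:]]))
    return entries


def audit_hosts(text: str):
    """Return (blocked_names, suspicious_entries).

    Suspicious: a non-loopback target (silent redirection) or a protected name."""
    blocked, suspicious = [], []
    for entry in parse_hosts(text):
        if entry.address not in LOOPBACK or PROTECTED.intersection(entry.names):
            suspicious.append(entry)
        else:
            blocked.extend(entry.names)
    return blocked, suspicious


# Constructed sample; 203.0.113.0/24 is reserved for documentation.
SAMPLE_HOSTS = """\
# MVPS-style block list (constructed sample)
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment is ignored
203.0.113.7 www.example.com    # real site redirected elsewhere: hijack indicator
127.0.0.1 update.example-av.test
this is not a hosts line
"""
```

Run `audit_hosts(SAMPLE_HOSTS)` against your own HOSTS file text to list every entry that is not a plain loopback block.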
Copyright 2001 - 2014, Tech Support Forum