
TheDarkKnight
Honorary Members
Posts: 1,123

Everything posted by TheDarkKnight

  1. Hey PackALunch. OK good. Sounds like OTL being restarted before it finished left files unhidden. Once I see your logs I will proceed to help you rehide them. The .ini files contain information pertaining to your Desktop, which is why they are normally hidden.
  2. Hello knit. Awesome! I made a slight error in my script before, so those Conduit entries still remain.

     Please run OTL.exe. Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

       :file
       C:\Program Files (x86)\Conduit
       C:\Users\Jennifer\AppData\Local\Conduit
       C:\Users\Jennifer\AppData\Local\Shopping Sidekick
       :Commands
       [EmptyTemp]
       [EmptyFlash]
       [Reboot]

     Return to OTL.exe, right-click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste. Click the red Run Fix button. A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply. Close OTL.exe. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

     ===========

     Then, please run a free online scan with the ESET Online Scanner. Note: You can use Internet Explorer or Mozilla Firefox for this scan.
       Tick the box next to YES, I accept the Terms of Use.
       Click Start.
       When asked, allow the ActiveX control to install.
       Click Start.
       Make sure that the option Remove found threats is unchecked and the option Scan unwanted applications is checked.
       Click Scan.
       Wait for the scan to finish.
       Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt.
       Copy and paste that log as a reply to this topic.

     ===========

     In your next reply please provide the OTL fix log, log.txt and a description of any current issues on your computer.
  3. Hey PackALunch. Please do not run ComboFix until after running OTL as instructed below.

     Do you recognise this folder at all: C:\32788R22FWJFW

     Please run OTL.exe. Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

       :files
       C:\Users\Alan\AppData\Roaming\Exve
       C:\Users\Alan\AppData\Roaming\Salao
       C:\Users\Alan\AppData\Roaming\Yqicc
       C:\Windows\tasks\At*.job
       C:\Windows\Installer\{c32a4258-bbee-3148-b360-01fd4a19d043}
       C:\Users\Alan\AppData\Local\{c32a4258-bbee-3148-b360-01fd4a19d043}
       :OTL
       IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://isearch.avg.c...sa&d=2012-08-10 18:26:55&v=11.1.0.7&sap=hp
       IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.c...sa&d=2012-08-10 18:26:55&v=11.1.0.7&sap=dsp&q={searchTerms}
       IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
       O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
       O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
       O4:64bit: - HKLM..\Run: [hcfxvc] rundll32.exe "C:\Users\Alan\AppData\Roaming\hcfxvc.dll",HrIndexOfMonth File not found
       O4:64bit: - HKLM..\Run: [hntmc] "C:\Windows\System32\rundll32.exe" "C:\Users\Alan\AppData\Roaming\hntmc.dll",State_Next File not found
       O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 9365 = C:\PROGRA~3\LOCALS~1\Temp\msverov.bat
       [2012/07/30 00:51:57 | 000,000,000 | ---D | C] -- C:\Users\Alan\AppData\Local\{461531DE-DA02-11E1-8270-B8AC6F996F26}
       [2012/07/30 00:51:57 | 000,000,000 | ---D | C] -- C:\Users\Alan\AppData\Local\{46150052-DA02-11E1-8270-B8AC6F996F26}
       :Commands
       [EmptyTemp]
       [EMPTYFLASH]
       [Reboot]

     Return to OTL.exe, right-click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste. Click the red Run Fix button. A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply. Close OTL.exe. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

     ===========

     Next, please delete your current copy of ComboFix. Then, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingc...to-use-combofix
       * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled.
       **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
       **Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**
     Please include the C:\ComboFix.txt in your next reply for further review.

     ===========

     In your next post please provide the following:
       OTL fix log.
       ComboFix.txt.
       Do you recognise the folder C:\32788R22FWJFW?
       Are there any current issues on your computer?
  4. Good afternoon knit. Yes, it would seem so. Conduit can be taken off with OTL.

     Please run OTL.exe. Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

       :OTL
       IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
       IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT3198785
       IE - HKCU\..\SearchScopes\{99FE889A-3EDD-4187-8B3C-41AB53380DBA}: "URL" = http://www.mysearchr...q={searchTerms}
       FF - prefs.js..browser.search.selectedEngine: "WhiteSmoke US Customized Web Search"
       FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3198785&SearchSource=13"
       FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q="
       [2012/08/10 21:55:12 | 000,000,919 | ---- | M] () -- C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\hq7q2cty.default\searchplugins\conduit.xml
       [2012/08/11 12:23:04 | 000,002,030 | ---- | M] () -- C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\hq7q2cty.default\searchplugins\search-here.xml
       CHR - homepage: http://search.condui...SearchSource=48
       O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
       O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
       O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
       :file
       C:\Program Files (x86)\Conduit
       C:\Users\Jennifer\AppData\Local\Conduit
       C:\Users\Jennifer\AppData\Local\Shopping Sidekick
       :Commands
       [EmptyTemp]
       [EmptyFlash]
       [Reboot]

     Return to OTL.exe, right-click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste. Click the red Run Fix button. A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply. Close OTL.exe. If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

     Are you still being hijacked by WhiteSmoke?
  5. Hey PackALunch. Please go to Start and in the box at the bottom of the menu type in ComboFix.txt. Does anything appear?

     Thank you for letting me know. After I have seen the report from the below tool that can be fixed.

     Please download OTL.exe by OldTimer to your Desktop. Close all windows and double-click OTL.exe. In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

       netsvcs
       drivers32
       %SYSTEMDRIVE%\*.*
       %systemroot%\*. /mp /s
       CREATERESTOREPOINT
       HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

     Click Run Scan and let the program run uninterrupted. When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread. You may need to use two posts to get it all.
  6. Hello knit. I notice that you have Conduit installed. This program has been known to exhibit suspicious behaviour and it is for this reason I recommend removing it (please see here for more information). Please go to Start > Control Panel > Programs and Features > Programs and uninstall Conduit if you so wish. Then restart your computer after this program removal.

     ==========

     Next, please download OTL.exe by OldTimer to your Desktop. Close all windows and double-click OTL.exe. In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

       netsvcs
       drivers32
       %SYSTEMDRIVE%\*.*
       %systemroot%\*. /mp /s
       CREATERESTOREPOINT
       HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

     Click Run Scan and let the program run uninterrupted. When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread. You may need to use two posts to get it all.

     ============

     Finally, please download to your Desktop: TDSSKiller.zip from here and extract it (right-click on it => "Extract here").

     >>> TDSSKiller:
       Double-click on TDSSKiller.exe to run the application.
       Click on the Start Scan button and wait for the scan and disinfection process to be over.
       If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
       If a suspicious file is detected, the default action will be Skip; click on Continue.
       If you are asked to reboot the computer to complete the process, click on the Reboot Now button.
       A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.

     ==========

     In your reply I would like to see the following please:
       OTL.txt.
       Extras.txt.
       TDSSKiller log.
  7. Hey gdsimms. Yes I thought as much. Please proceed with OTL.
  8. Welcome PackALunch to Malwarebytes. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear.

     HJT is not reliable for Windows 7 so some of the things shown in the log may be inaccurate.

     Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingc...to-use-combofix
       * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled.
       **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
       **Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**
     Please include the C:\ComboFix.txt in your next reply for further review.

     ==========

     Next, please download to your Desktop: TDSSKiller.zip from here and extract it (right-click on it => "Extract here").

     >>> TDSSKiller:
       Double-click on TDSSKiller.exe to run the application.
       Click on the Start Scan button and wait for the scan and disinfection process to be over.
       If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
       If a suspicious file is detected, the default action will be Skip; click on Continue.
       If you are asked to reboot the computer to complete the process, click on the Reboot Now button.
       A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.

     ===========

     In your reply please post the following:
       ComboFix.txt.
       TDSSKiller log.
       How is your computer currently running?
  9. Welcome knit to Malwarebytes. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear.

     Please go to Start > Control Panel > Programs and Features > Programs and uninstall the following (if present):
       QuickLinx
       Shopping Sidekick
       Shop To Win
       WhiteSmoke US Toolbar
       Yontoo
     Please restart your computer after these program removals.

     ==========

     Next, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingc...to-use-combofix
       * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled.
       **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
       **Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**
     Please include the C:\ComboFix.txt in your next reply for further review.

     ==========

     In your next post I would like to see the following please:
       Fresh MBAM log.
       ComboFix.txt.
       How is your computer running now?
  10. Hello gdsimms. If ComboFix still hasn't finished running then please restart your computer into Normal Mode.

      Please download and run the following tool to help allow other programs to run (courtesy of BleepingComputer.com). There are 3 different versions. If one of them won't run then download and try to run the other one. Vista and Win7 users need to right-click and choose Run as Admin. You only need to get one of them to run, not all of them.
        rkill.exe
        rkill.com
        rkill.scr
      It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the Desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

      Before proceeding any further the processes that belong to Windows Recovery need to be terminated so that it does not interfere with the cleaning procedure. Double-click on the RKill.exe icon in order to automatically attempt to stop any processes associated with Windows Recovery and other rogue programs.

      ===

      Please do not reboot your computer.

      Then, please download OTL.exe by OldTimer to your Desktop. Close all windows and double-click OTL.exe. In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

        netsvcs
        drivers32
        %SYSTEMDRIVE%\*.*
        %systemroot%\*. /mp /s
        CREATERESTOREPOINT
        HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

      Click Run Scan and let the program run uninterrupted. When the scan completes, it will open two Notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL. Post both logs in this thread. You may need to use two posts to get it all.
  11. Hey gdsimms. If it is still running and it does not look like it is progressing please restart your computer and try running it again.
  12. Hello gdsimms. Thank you for the log from MBAM. Please go ahead and continue with running ComboFix.
  13. Welcome gdsimms to Malwarebytes. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear.

      Please open MBAM, click Quick Scan and post the contents of the log in your reply.

      Then, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool: http://www.bleepingc...to-use-combofix
        * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (CF). Please go here to see a list of programs that need to be disabled.
        **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
        **Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**
      Please include the C:\ComboFix.txt in your next reply for further review.

      In your reply I would please like to see the results from MBAM and ComboFix.txt, along with how your computer is running.
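The OTL fix scripts in posts 3 and 4 above are hand-picked from scan logs: orphaned Run/BHO entries ("File not found", "No CLSID value found"), rundll32 loading a DLL out of AppData\Roaming, a policies\Explorer\Run entry launching a .bat from Temp, and start-page/search-scope URLs pointing at a hijacker domain. The following is an added example, not code from the thread and not part of OTL itself, that encodes those same judgements as a small triage pass over OTL-style log lines and renders the hits as an :OTL fix section. It assumes the line layout exactly as quoted in the logs above; the hijack-domain list and the sample log (the quoted entries plus one made-up benign Adobe ARM control line) are constructed for the example.

```python
"""Triage OTL-style log lines and emit an OTL ':OTL' fix section.

Added example for this thread; not OTL code. Assumes OTL's line layout as it
appears in the quoted logs (O2/O3/O4/O6/O7 entries, 'IE - ...' and 'FF - ...'
browser settings). Run it directly to see which lines are flagged and why.
"""
from __future__ import annotations

import re

# Assumption: domains treated as browser hijackers. Only the Conduit host that
# appears in full in the thread is listed; extend for your own case.
HIJACK_DOMAINS = ("search.conduit.com",)

# Constructed sample: entries shaped like those quoted in posts 3 and 4, plus one
# benign Run entry (Adobe ARM) as a control. Not a real log from the thread.
SAMPLE_LOG = r"""
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?ctid=CT3198785&SearchSource=13
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O4:64bit: - HKLM..\Run: [hcfxvc] rundll32.exe "C:\Users\Alan\AppData\Roaming\hcfxvc.dll",HrIndexOfMonth File not found
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 9365 = C:\PROGRA~3\LOCALS~1\Temp\msverov.bat
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3198785&SearchSource=13"
"""

# OTL appends these markers when the referenced file or COM class no longer exists.
ORPHAN_RE = re.compile(r"(File not found|No CLSID value found)\.?\s*$")


def classify(line: str) -> list[str]:
    """Return the reasons a single OTL log line looks like malware residue.

    An empty list means the line is left alone (the benign control entry).
    """
    reasons: list[str] = []
    low = line.lower()
    if ORPHAN_RE.search(line):
        reasons.append("orphaned entry (target file or CLSID missing)")
    # rundll32 with a DLL under a user profile is the loader pattern in post 3.
    if "rundll32" in low and "\\appdata\\" in low and ".dll" in low:
        reasons.append("rundll32 loads a DLL from a user profile")
    # Autorun (O4) or policy Run (O6) entries should not launch from Temp.
    if re.match(r"O[46]", line) and "\\temp\\" in low:
        reasons.append("autorun launches from a Temp directory")
    # O6/O7 are policy keys: used for persistence or to lock the browser down.
    if line.startswith(("O6 ", "O7 ")):
        reasons.append("policy key used for persistence or browser lockdown")
    if any(domain in low for domain in HIJACK_DOMAINS):
        reasons.append("start page or search engine points at a hijack domain")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Scan every non-empty line and keep those with at least one reason."""
    hits: list[tuple[str, list[str]]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = classify(line)
        if reasons:
            hits.append((line, reasons))
    return hits


def build_fix(log_text: str) -> str:
    """Render the flagged lines as an OTL custom fix: ':OTL' section plus cleanup commands.

    Returns an empty string when nothing was flagged, so no fix is pasted by mistake.
    """
    flagged = [line for line, _ in triage(log_text)]
    if not flagged:
        return ""
    return "\n".join([":OTL", *flagged, ":Commands", "[EmptyTemp]", "[Reboot]"]) + "\n"


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
    print()
    print(build_fix(SAMPLE_LOG))
```

The output is a starting point for review, not a script to paste blindly: each flagged line still needs the check the thread applies by hand (is the target really gone, is the DLL really unsigned and unknown) before it goes into the :OTL section, and the benign control line shows that a Run entry with a publisher under Program Files is deliberately left untouched.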