MGBod Posted December 14, 2011

Got infected with the Whitesmoke "toolbar". Of course I tried to hack it out on my own. Managed to delete the file and a couple extras (conduit and brainservice) using CCleaner. Then found this board and tried to follow someone else's solution (ComboFix and Malwarebytes) before I figured out the proper process. So far I've been unsuccessful. Avira no longer recognizes anything (it did early on but not since CCleaner). Malwarebytes does not see anything.

I'm running a Win7 computer. Here are my log files -- and thanks in advance for the help. Just having access to this forum is great, much less the prospect of personal assistance.
BTW - only Firefox seems affected by the Whitesmoke toolbar. IE is not. I assume that simply deleting Firefox will just hide the malware from view, but it will still be there.

OK - did some more searching. Unable to find any "whitesmoke" programs anywhere - but the toolbar kept popping up just in Firefox. After seeing a note in another forum I checked the extensions in Firefox - sure enough there it was. I deleted it and the toolbar disappeared. Hope that's it. If anyone has suggestions let me know, but I'm assuming it's cleared.
screen317 (Staff) Posted December 23, 2011

Hi and welcome to Malwarebytes. Please update MBAM, run a Quick Scan, and post its log. Next, please visit this webpage for instructions for running ComboFix: http://www.bleepingcomputer.com/combofix/how-to-use-combofix When the tool is finished, it will produce a report for you. Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.
Maurice Naggar Posted February 18, 2012

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!