
Whitesmoke


MGBod


Got infected with the Whitesmoke "toolbar"

Of course I tried to hack it out on my own. Managed to delete the file and a couple extras (conduit and brainservice) using CCleaner.

Then found this board and tried to follow someone else's solution (ComboFix and Malwarebytes) before I figured out the proper process.

So far I've been unsuccessful.

Avira no longer recognizes anything (it did early on but not since CCleaner). Malwarebytes does not see anything.

I'm running a Win7 computer.

Here are my log files -- and thanks in advance for the help. Just having access to this forum is great much less the prospect of personal assistance.

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29

Run by Owner at 23:38:07 on 2011-12-13

Microsoft Windows 7 Home Premium 6.1.7601.1.1252.2.1033.18.2815.1401 [GMT -4:00]

.

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe

C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe

C:\Windows\system32\conhost.exe

C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe

C:\Program Files (x86)\Acer\Registration\GregHSRW.exe

c:\PROGRA~2\mcafee\SITEAD~1\McSACore.exe

C:\Windows\system32\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe

C:\Program Files\Acer\Acer Updater\UpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k HPService

C:\Windows\System32\svchost.exe -k secsvcs

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe

C:\Program Files (x86)\Windows Live\Family Safety\fsui.exe

C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe

C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe

C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin

C:\Program Files (x86)\iTunes\iTunesHelper.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUI.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Windows\System32\svchost.exe -k LocalServicePeerNet

C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\system32\wuauclt.exe

C:\Windows\system32\DllHost.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\cscript.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.ca/

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=1009&m=aspire_x1400&r=173612105307p0438v145w4581v200

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

TB: MP3Bar: {f6bd6330-76f8-44d9-b775-87614e2d8374} - C:\Program Files (x86)\Fiesta Download Manager\mp3bar.dll

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

mRun: [Hotkey Utility] C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe

mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

StartupFolder: C:\Users\Owner\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: &MP3Bar - C:\Program Files (x86)\Fiesta Download Manager\mp3bar.dll/MENUSEARCH.HTM

IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200

IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{4B465585-FEAB-42F3-B02A-362AC721AF01} : DhcpNameServer = 192.168.0.1

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

BHO-X64: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll

BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

BHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll

TB-X64: MP3Bar: {F6BD6330-76F8-44d9-B775-87614E2D8374} - C:\Program Files (x86)\Fiesta Download Manager\mp3bar.dll

TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

mRun-x64: [Hotkey Utility] C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe

mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min

mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"

mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ujs1ows1.default\

FF - prefs.js: browser.startup.homepage - www.google.ca

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3007394&SearchSource=2&q=

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll

FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\McAfee\SiteAdvisor\NPMcFFPlg32.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll

FF - plugin: C:\Users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\ujs1ows1.default\extensions\{167d9323-f7cc-48f5-948a-6f012831a69f}\plugins\np-mswmp.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll

.

============= SERVICES / DRIVERS ===============

.

R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-2-5 136360]

R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-2-5 269480]

R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]

R2 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]

R2 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]

R2 Greg_Service;GRegService;C:\Program Files (x86)\Acer\Registration\GregHSRW.exe [2009-8-28 1150496]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\PROGRA~2\mcafee\SITEAD~1\McSACore.exe [2011-9-8 102608]

R2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2010-4-21 243232]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]

S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-12-30 136176]

S3 evserial;Virtual Serial Ports Driver (Eltima Softwate);C:\Windows\system32\DRIVERS\evserial.sys --> C:\Windows\system32\DRIVERS\evserial.sys [?]

S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-12-30 136176]

S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]

S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]

S3 VSBC;Virtual Serial Bus Enumerator (Eltima Software);C:\Windows\system32\DRIVERS\evsbc.sys --> C:\Windows\system32\DRIVERS\evsbc.sys [?]

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]

.

=============== Created Last 30 ================

.

2011-12-14 03:28:25 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{19430294-8EB1-4B03-ADEC-15854E238A9E}\offreg.dll

2011-12-14 03:28:22 8822856 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{19430294-8EB1-4B03-ADEC-15854E238A9E}\mpengine.dll

2011-12-14 03:27:59 -------- d-----w- C:\Users\Owner\AppData\Local\{59952CC4-3376-47F0-8070-A4678AB013B2}

2011-12-14 03:27:23 -------- d-----w- C:\Users\Owner\AppData\Local\{F03F62F8-FF2A-482A-826B-023782A173E5}

2011-12-14 03:27:22 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

2011-12-11 18:43:34 -------- d-----w- C:\$RECYCLE.BIN

2011-12-11 17:52:48 -------- d-----w- C:\Users\Owner\AppData\Local\{203875B6-9B5D-4709-9297-9AD78AE9315E}

2011-12-11 17:52:37 -------- d-----w- C:\Users\Owner\AppData\Local\{B93C08C1-36B0-4029-ACCF-21DFBEB1B089}

2011-12-10 20:41:09 -------- d-----w- C:\Users\Owner\AppData\Local\{08371A93-F343-4082-84DE-9A89C3453FDF}

2011-12-10 20:40:57 -------- d-----w- C:\Users\Owner\AppData\Local\{129B15B7-5330-49C0-885D-B13CF8FBEE18}

2011-12-10 18:38:49 -------- d-----w- C:\Users\Owner\AppData\Local\{7E5175D4-C2D2-4420-9734-F8E42A40362B}

2011-12-10 18:38:39 -------- d-----w- C:\Users\Owner\AppData\Local\{F6BDE3A8-E920-482D-9B95-0CADAC8EF237}

2011-12-10 18:32:49 -------- d-----w- C:\Users\Owner\AppData\Roaming\Malwarebytes

2011-12-10 18:32:44 -------- d-----w- C:\ProgramData\Malwarebytes

2011-12-10 18:32:41 25416 ----a-w- C:\Windows\System32\drivers\mbam.sys

2011-12-10 18:32:41 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2011-12-10 18:10:50 -------- d-----w- C:\Program Files\CCleaner

2011-12-10 18:02:44 -------- d-----w- C:\Users\Owner\AppData\Local\{95868A75-DE72-4181-8308-54EEAA4B5B72}

2011-12-10 18:02:33 -------- d-----w- C:\Users\Owner\AppData\Local\{78407B4C-7419-4673-A012-0325C84B510C}

2011-12-10 04:41:05 98816 ----a-w- C:\Windows\sed.exe

2011-12-10 04:41:05 518144 ----a-w- C:\Windows\SWREG.exe

2011-12-10 04:41:05 256000 ----a-w- C:\Windows\PEV.exe

2011-12-10 04:41:05 208896 ----a-w- C:\Windows\MBR.exe

2011-12-10 03:57:31 -------- d-----w- C:\Users\Owner\AppData\Local\{93E28F4E-61B2-42A1-8695-23947E201605}

2011-12-10 03:57:20 -------- d-----w- C:\Users\Owner\AppData\Local\{0881E674-549A-4986-8C4B-94F137BBA5F2}

2011-12-10 03:32:57 -------- d-----w- C:\Users\Owner\AppData\Local\Conduit

2011-12-10 03:22:26 -------- d-----w- C:\Users\Owner\AppData\Local\{1A4B5751-5CC9-45CF-950F-E0E7F19D88B2}

2011-12-10 03:22:14 -------- d-----w- C:\Users\Owner\AppData\Local\{29CFFB35-482F-4089-B56D-D36C252ED4F5}

2011-12-09 23:29:00 -------- d-----w- C:\Users\Owner\AppData\Local\{A91A2B0F-59D2-4171-8E42-24A87CED944D}

2011-12-09 23:28:48 -------- d-----w- C:\Users\Owner\AppData\Local\{E1E4324B-9BD2-49E9-95B7-D0FB160ADD5A}

2011-12-09 01:09:22 -------- d-----w- C:\Users\Owner\AppData\Local\{E5CEBCCB-87CE-4F06-A263-485F2B7655F9}

2011-12-09 01:09:11 -------- d-----w- C:\Users\Owner\AppData\Local\{E9A678BD-7B77-4A3B-AA45-041B02D6124E}

2011-12-08 20:16:09 -------- d-----w- C:\Users\Owner\AppData\Local\{EF6A3EB5-1354-45C4-B985-ED616CADECD6}

2011-12-08 20:15:58 -------- d-----w- C:\Users\Owner\AppData\Local\{8B1D8CF1-877E-4496-A9AA-48A28C3747B8}

2011-12-08 01:29:45 -------- d-----w- C:\Users\Owner\AppData\Local\{CF33B55E-6F06-4782-979E-C9BF8A2CB3E9}

2011-12-08 01:29:34 -------- d-----w- C:\Users\Owner\AppData\Local\{15BD140C-C7AF-4108-A39B-59F39D946E5F}

2011-12-07 19:59:47 -------- d-----w- C:\Users\Owner\AppData\Local\{015E4341-B20E-4EF3-A94F-B596EAA3CA9A}

2011-12-07 19:59:36 -------- d-----w- C:\Users\Owner\AppData\Local\{653EEBA3-69DF-49FE-A569-F020EF88523A}

2011-12-04 10:19:33 -------- d-----w- C:\Users\Owner\AppData\Local\{AF3CDAB8-D7C3-4A62-8843-90DC593279EF}

2011-12-04 10:19:22 -------- d-----w- C:\Users\Owner\AppData\Local\{9B9896DA-BE1D-4E51-A766-C7194BF5D714}

2011-12-03 00:18:05 -------- d-----w- C:\Users\Owner\AppData\Local\{55E19F71-D035-4A27-9C19-0E4FAF71B56E}

2011-12-03 00:17:54 -------- d-----w- C:\Users\Owner\AppData\Local\{763E1C92-F374-4405-954A-0C9A5C9DE220}

2011-12-02 16:05:18 -------- d-----w- C:\Users\Owner\AppData\Local\{BF8B1A8B-7F59-42F2-88A2-BF512AD4FE3D}

2011-12-02 16:05:00 -------- d-----w- C:\Users\Owner\AppData\Local\{63CEBF04-E2AE-4A9F-8E15-4CCCCC29B06A}

2011-12-02 02:30:58 -------- d-----w- C:\Users\Owner\AppData\Local\{BF9460AC-A4C9-48B8-8454-F46317C89FF2}

2011-12-02 02:30:47 -------- d-----w- C:\Users\Owner\AppData\Local\{BCD79DCB-FD12-44C3-AC73-52CEAEBB99E0}

2011-12-01 17:12:02 -------- d-----w- C:\Users\Owner\AppData\Local\{76356B0E-DFF4-43F9-8DD6-2A62F0BCE213}

2011-12-01 17:11:50 -------- d-----w- C:\Users\Owner\AppData\Local\{27E643E4-4068-454B-8AA2-FC4AAAA477F2}

2011-11-30 01:14:23 476904 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

2011-11-30 01:01:34 -------- d-----w- C:\Program Files\iPod

2011-11-30 01:01:33 -------- d-----w- C:\Program Files\iTunes

2011-11-30 01:01:33 -------- d-----w- C:\Program Files (x86)\iTunes

2011-11-30 00:59:31 -------- d-----w- C:\Program Files\Bonjour

2011-11-30 00:59:31 -------- d-----w- C:\Program Files (x86)\Bonjour

2011-11-29 15:40:53 -------- d-----w- C:\Users\Owner\AppData\Local\{E5855DB0-5D14-4F4F-99B3-11B22299CA95}

2011-11-29 15:40:41 -------- d-----w- C:\Users\Owner\AppData\Local\{34F63B93-3160-4BEA-B5E9-AE11FBAEBDF0}

2011-11-25 23:02:28 -------- d-----w- C:\Windows\System32\SPReview

2011-11-25 23:00:43 -------- d-----w- C:\Windows\System32\EventProviders

2011-11-25 22:59:31 -------- d-----w- C:\Users\Owner\AppData\Local\{9A9E2785-1560-4BE2-A0AE-4045BF197C9C}

2011-11-25 22:59:20 -------- d-----w- C:\Users\Owner\AppData\Local\{9B79EC03-5A1D-45A8-883F-3CED9CAC1ED2}

2011-11-25 18:23:36 158056 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10139.bin

2011-11-19 23:20:59 -------- d-----w- C:\Users\Owner\AppData\Local\{C213FA47-E5A5-4E7F-83C8-60C3F22442F1}

2011-11-19 23:20:47 -------- d-----w- C:\Users\Owner\AppData\Local\{F80C8229-B200-488C-99B9-018DF215BD82}

2011-11-19 16:33:11 -------- d-----w- C:\Users\Owner\AppData\Local\{080F74AE-E1F7-4E6F-B9DA-603AA420F114}

2011-11-19 16:33:00 -------- d-----w- C:\Users\Owner\AppData\Local\{C231B85B-B736-4268-9740-0B812E8EE3A4}

2011-11-19 05:03:09 -------- d-----w- C:\Users\Owner\AppData\Local\{5AD3AD05-ED56-4D48-B576-730D1159614C}

2011-11-19 05:02:58 -------- d-----w- C:\Users\Owner\AppData\Local\{8AC9EC4B-F620-4AD7-BDED-A96E3369E26A}

2011-11-19 04:42:05 -------- d-----w- C:\Users\Owner\AppData\Local\{79C1D989-AA65-436C-A87D-727A16240EC0}

2011-11-19 04:37:33 -------- d-----w- C:\Users\Owner\AppData\Local\{3FE36884-D3A6-4D06-87F2-A553AEA27B59}

.

==================== Find3M ====================

.

2011-11-25 23:20:06 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll

2011-11-25 23:20:04 175616 ----a-w- C:\Windows\System32\msclmd.dll

2011-11-25 22:59:50 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2011-10-03 09:06:03 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll

2011-10-01 03:25:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb

2011-10-01 02:42:56 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb

2011-09-29 16:29:28 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2011-09-29 04:03:32 3144704 ----a-w- C:\Windows\System32\win32k.sys

.

============= FINISH: 23:38:44.36 ===============

-----------------

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft Windows 7 Home Premium

Boot Device: \Device\HarddiskVolume2

Install Date: 21/12/2010 10:25:03 AM

System Uptime: 13/12/2011 8:26:22 PM (3 hours ago)

.

Motherboard: Acer | | Aspire X1400

Processor: AMD Athlon II X2 215 Processor | CPU 1 | 2700/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 452 GiB total, 378.812 GiB free.

D: is CDROM ()

E: is CDROM ()

.

==== Disabled Device Manager Items =============

.

Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}

Description: Officejet J6400 series

Device ID: ROOT\MULTIFUNCTION\0000

Manufacturer: HP

Name: Officejet J6400 series

PNP Device ID: ROOT\MULTIFUNCTION\0000

Service:

.

Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}

Description: Microsoft PS/2 Mouse

Device ID: ACPI\PNP0F03\4&5532EA8&0

Manufacturer: Microsoft

Name: Microsoft PS/2 Mouse

PNP Device ID: ACPI\PNP0F03\4&5532EA8&0

Service: i8042prt

.

Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}

Description: Officejet J6400 series

Device ID: ROOT\IMAGE\0000

Manufacturer: HP

Name: Officejet J6400 series

PNP Device ID: ROOT\IMAGE\0000

Service: StillCam

.

==== System Restore Points ===================

.

RP146: 26/11/2011 11:25:43 AM - Windows Update

RP147: 29/11/2011 11:43:39 AM - Windows Update

RP148: 29/11/2011 9:13:30 PM - Installed Java 6 Update 29

RP149: 02/12/2011 12:08:22 PM - Windows Update

RP150: 07/12/2011 1:41:55 PM - Windows Update

RP151: 10/12/2011 12:41:08 AM - ComboFix created restore point

RP152: 13/12/2011 11:27:25 PM - Windows Update

.

==== Installed Programs ======================

.

6400_Help

Acer eRecovery Management

Acer Game Console

Acer Games

Acer Registration

Acer ScreenSaver

Acer Updater

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.1)

Advertising Center

Apple Application Support

Apple Software Update

Avira AntiVir Personal - Free Antivirus

Bejeweled 2 Deluxe

Blackhawk Striker 2

Bob the Builder Can-Do-Zoo

bpd_scan

BPDSoftware

BPDSoftware_Ini

Build-a-lot 2

Clay Animation

ClearView

CyberLink PowerDVD 9

D3DX10

Escape Rosecliff Island

Faerie Solitaire

FATE - The Traitor Soul

Fiesta Download Manager

Google Earth

Google SketchUp 8

Google Update Helper

Hotkey Utility

Identity Card

ImagXpress

J6400_Basic

Java Auto Updater

Java 6 Update 29

Jewel Quest Solitaire 3

Junk Mail filter update

Malwarebytes' Anti-Malware version 1.51.2.1300

McAfee SiteAdvisor

Mesh Runtime

Messenger Companion

Microsoft Application Compatibility Toolkit 5.6

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Silverlight

Microsoft SQL Server 2005 Compact Edition [ENU]

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Works

Monopoly

Mozilla Firefox 8.0.1 (x86 en-US)

MSVCRT

MSVCRT_amd64

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

Mystery P.I. - Lost in Los Angeles

Nero 9 Essentials

Nero ControlCenter

Nero DiscSpeed

Nero DiscSpeed Help

Nero DriveSpeed

Nero DriveSpeed Help

Nero Express Help

Nero InfoTool

Nero InfoTool Help

Nero Installer

Nero Online Upgrade

Nero StartSmart

Nero StartSmart Help

Nero StartSmart OEM

NeroExpress

neroxml

Norton Online Backup

NVIDIA ForceWare Network Access Manager

OpenOffice.org 3.2

Penguins!

Picasa 3

Plants vs. Zombies

Polar Bowler

Polar Golfer

QuickTime

Realtek High Definition Audio Driver

Scan

Scrabble Plus

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Sweet Home 3D version 3.0

The Price is Right

Toolbox

UltraISO Premium V9.2

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Virtual Families

Virtual Villagers - A New Home

WebReg

Welcome Center

Windows Live Communications Platform

Windows Live Essentials

Windows Live Installer

Windows Live Mail

Windows Live Mesh

Windows Live Mesh ActiveX Control for Remote Connections

Windows Live Messenger

Windows Live Messenger Companion Core

Windows Live Movie Maker

Windows Live Photo Common

Windows Live Photo Gallery

Windows Live PIMT Platform

Windows Live SOXE

Windows Live SOXE Definitions

Windows Live Sync

Windows Live UX Platform

Windows Live UX Platform Language Pack

Windows Live Writer

Windows Live Writer Resources

Yahtzee

Zuma Deluxe

.

==== Event Viewer Messages From Past Week ========

.

11/12/2011 2:15:16 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

10/12/2011 3:14:15 PM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

10/12/2011 2:38:31 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

10/12/2011 2:38:31 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error %%-1073473535.

09/12/2011 2:09:13 PM, Error: Schannel [36888] - The following fatal alert was generated: 70. The internal error state is 11.

07/12/2011 8:06:46 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D3DCB472-7261-43CE-924B-0704BD730D5F} and APPID {D3DCB472-7261-43CE-924B-0704BD730D5F} to the user Owner-PC\Emma SID (S-1-5-21-3162460503-160396144-279914255-1003) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

07/12/2011 8:06:46 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {145B4335-FE2A-4927-A040-7C35AD3180EF} and APPID {145B4335-FE2A-4927-A040-7C35AD3180EF} to the user Owner-PC\Emma SID (S-1-5-21-3162460503-160396144-279914255-1003) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

.

==== End Of File ===========================

BTW - only Firefox seems affected by the Whitesmoke toolbar. IE is not.

I assume that simply deleting Firefox will just hide the malware from view, but it will still be there.

Ok - did some more searching. Unable to find any "whitesmoke" programs anywhere - but the toolbar kept popping up just in Firefox. After seeing a note in another forum I checked the extensions in Firefox - sure enough there it was. I deleted it and the toolbar disappeared.

Hope that's it.

If anyone has suggestions let me know, but I'm assuming it's cleared.


Staff reply, 2 weeks later:

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the contents of C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

Staff reply, 1 month later:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
