Help with WhiteSmoke Search

BrandiGuadalupe · January 30, 2012

Hello,

I've tried to uninstall/reinstall Mozilla and have run TDSKiller and Malwarebytes Anti-malware but still have the WhiteSmoke Search in my Mozilla toolbar. Any help would be greatly appreciated.

Thanks,

Brandi

Maniac · January 31, 2012

Hello Brandi! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
Make sure you read all of the instructions and fixes thoroughly before continuing with them.
Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

Please follow the instructions here:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#use

Post the log file when you are ready.

BrandiGuadalupe · January 31, 2012

Hello,

Thanks for your help. Here is the log:

ComboFix 12-01-30.02 - Owner 01/31/2012 10:54:08.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.403 [GMT -8:00]

Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator.INTERCPU\WINDOWS

c:\documents and settings\All Users\Application Data\Tarma Installer

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico

c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setup.dll

c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\_Setupx.dll

c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.dat

c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.exe

c:\documents and settings\All Users\Application Data\Tarma Installer\{DA00D550-BB91-4A26-AAE5-9172D626CAAE}\Setup.ico

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\Owner\delme.bat

c:\documents and settings\Owner\g2ax_customer_downloadhelper_win32_x86.exe

c:\documents and settings\Owner\g2mdlhlpx.exe

c:\documents and settings\Owner\Local Settings\Application Data\{B4365998-C101-4767-A05A-CD1013394BFF}

c:\documents and settings\Owner\Local Settings\Application Data\{B4365998-C101-4767-A05A-CD1013394BFF}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{B4365998-C101-4767-A05A-CD1013394BFF}\chrome\content\overlay.xul

c:\documents and settings\Owner\Local Settings\Application Data\{B4365998-C101-4767-A05A-CD1013394BFF}\install.rdf

c:\documents and settings\Owner\System

c:\documents and settings\Owner\System\win_qs8.jqx

c:\documents and settings\Owner\WINDOWS

c:\windows\isRS-000.tmp

c:\windows\system32\26.tmp

c:\windows\system32\27.tmp

c:\windows\system32\28.tmp

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\Thumbs.db

D:\Autorun.inf

.

((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))

.

2012-01-31 18:44 . 2012-01-31 18:44 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{57D5046C-39C4-4C2B-AF87-1DC20066B266}\MpKsld202ce0d.sys

2012-01-31 18:11 . 2012-01-06 04:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{57D5046C-39C4-4C2B-AF87-1DC20066B266}\mpengine.dll

2012-01-31 18:11 . 2012-01-31 18:15 -------- d-----w- C:\fd5f900c5d358755c4de4db66f5f

2012-01-31 18:10 . 2012-01-31 18:10 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-01-30 18:36 . 2012-01-30 18:36 -------- d-----w- c:\program files\VS Revo Group

2012-01-30 18:35 . 2012-01-30 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\WeCareReminder

2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2012-01-03 13:10 . 2012-01-03 13:10 182672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-06 04:19 . 2011-06-23 17:14 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll

2012-01-03 17:59 . 2011-11-09 17:28 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-12-10 23:24 . 2011-04-06 20:49 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-12-21 07:24 . 2012-01-30 19:02 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

2011-08-19 16:45 790304 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Owner\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Linkury Chrome Smartbar"="c:\documents and settings\Owner\Local Settings\Application Data\Linkury\Application\Linkury.exe" [2012-01-25 19768]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2011-09-10 2338656]

"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]

.

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Owner\Application Data\Dropbox\bin\Dropbox.exe [2011-9-1 24183152]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]

2011-05-03 16:26 147832 ----a-w- c:\program files\Citrix\GoToAssist Express Customer\274\g2ax_winlogon.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]

NA [X]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2009-10-03 07:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]

2009-10-03 12:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2012-01-03 13:10 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 11:43 69632 ----a-w- c:\windows\Alcmtr.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

2006-10-31 07:35 7634944 ----a-w- c:\windows\system32\nvcpl.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

2006-10-31 06:35 1622016 ----a-w- c:\windows\system32\nwiz.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]

2002-09-14 07:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]

2005-02-26 02:24 966656 ----a-w- c:\windows\creator\Remind_XP.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-09-27 07:20 16844800 ----a-w- c:\windows\RTHDCPL.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]

2007-08-03 06:22 1826816 ----a-w- c:\windows\SkyTel.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"CiSvc"=3 (0x3)

"gusvc"=3 (0x3)

"gupdatem"=3 (0x3)

"gupdate"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"Eventlog"=2 (0x2)

"ERSvc"=2 (0x2)

"WMPNetworkSvc"=3 (0x3)

"SeaPort"=2 (0x2)

"osppsvc"=3 (0x3)

"FLEXnet Licensing Service"=3 (0x3)

"PrismXL"=2 (0x2)

"WSearch"=2 (0x2)

"MDM"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Documents and Settings\\Owner\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=

"c:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2/22/2011 7:13 AM 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [3/16/2011 3:03 PM 32592]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [1/7/2011 5:41 AM 248656]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [4/4/2011 11:59 PM 297168]

R1 MpKsld202ce0d;MpKsld202ce0d;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{57D5046C-39C4-4C2B-AF87-1DC20066B266}\MpKsld202ce0d.sys [1/31/2012 10:44 AM 29904]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 10:41 AM 67656]

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [5/31/2011 6:36 AM 18816]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [8/18/2011 12:33 AM 7390560]

R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2/8/2011 4:33 AM 269520]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/6/2011 12:50 PM 652360]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [4/14/2011 8:28 PM 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2/10/2011 6:53 AM 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2/10/2011 6:53 AM 27216]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/6/2011 12:49 PM 20464]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/31/2012 10:10 AM 40776]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/5/2010 1:17 PM 136176]

S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\DRIVERS\el575nd5.sys --> c:\windows\system32\DRIVERS\el575nd5.sys [?]

S3 GoToAssist Express Customer;GoToAssist Express Customer;c:\program files\Citrix\GoToAssist Express Customer\274\g2ax_service.exe [5/3/2011 8:26 AM 161144]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/5/2010 1:17 PM 136176]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\23.tmp --> c:\windows\system32\23.tmp [?]

S3 MR97310_VGA_DUAL_CAMERA;VGA Dual-Mode Camera;c:\windows\system32\drivers\mr97310v.sys [7/18/2006 12:40 PM 99840]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

S4 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - MBAMSWISSARMY

*NewlyCreated* - MPKSLD202CE0D

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-10-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc932daf8fe51a.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-05 21:17]

.

2012-01-31 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 19:26]

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = hxxp://isearch.whitesmoke.com/?q={searchTerms}&babsrc=home&s=web&as=0&isid=9860

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

TCP: DhcpNameServer = 192.168.1.254 64.4.128.254 207.154.64.10

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\jznn3j5q.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - WhiteSmoke Search

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: keyword.URL - hxxp://isearch.whitesmoke.com/?babsrc=home&s=web&as=0&isid=9860&q=

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 60202

FF - prefs.js: network.proxy.type - 0

FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(extentions.y2layers.installId, 070cd75f-f7a4-4b7d-a3bb-9cf11cf91eca

FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,DropDownDeals,

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

Toolbar-Locked - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

MSConfigStartUp-BigFix - c:\program files\Bigfix\bigfix.exe

MSConfigStartUp-Mcimoniqivuxegeq - c:\windows\osopixox.dll

MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe

AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-31 11:05

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

"ImagePath"="\??\c:\windows\system32\23.tmp"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(824)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\program files\Citrix\GoToAssist Express Customer\274\g2ax_winlogon.dll

.

Completion time: 2012-01-31 11:10:51

ComboFix-quarantined-files.txt 2012-01-31 19:10

.

Pre-Run: 130,551,050,240 bytes free

Post-Run: 131,025,424,384 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - 94E4096511DB5D1990797C4DF8C5EBBE

Maniac · January 31, 2012

Please post the content of C:\Qoobox\Add or Remove Programs.txt

BrandiGuadalupe · January 31, 2012

Acrobat.com

Adobe Acrobat 9 Pro Extended - English, Français, Deutsch

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.2)

ASPCA Reminder by We-Care.com v5.0.5.1

AVG 2011

BetterLinks v1.0.7 (remove only)

Community Smartbar

Compatibility Pack for the 2007 Office system

Definition update for Microsoft Office 2010 (KB982726)

Dropbox

Google Earth

Google Toolbar for Internet Explorer

Google Update Helper

GoToAssist Customer 1.5.0.274

GoToMeeting 4.8.0.723

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB981793)

Java 6 Update 15

Java SE Runtime Environment 6 Update 1

Juniper Networks Secure Meeting 6.5.0

Juniper Networks Setup Client

Juniper Networks Setup Client Activex Control

Malwarebytes Anti-Malware version 1.60.1.1000

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft Antimalware

Microsoft Application Error Reporting

Microsoft Base Smart Card Cryptographic Service Provider Package

Microsoft Choice Guard

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Office Live Add-in 1.3

Microsoft Office Outlook Connector

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Professional Edition 2003

Microsoft Office Project MUI (English) 2010

Microsoft Office Project Professional 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Project Professional 2010

Microsoft Search Enhancement Pack

Microsoft Security Client

Microsoft Security Essentials

Microsoft Software Update for Web Folders (English) 14

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft WSE 2.0 SP3 Runtime

Mozilla Firefox 9.0.1 (x86 en-US)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB973686)

NVIDIA Drivers

Picasa 3

Power2Go 5.0

Realtek High Definition Audio Driver

Recovery Software Suite eMachines

Revo Uninstaller 1.93

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Search 4 - KB963093

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB913433)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953155)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982381)

Security Update for Windows XP (KB982665)

SmartDraw VP

Soft Data Fax Modem with SmartCP

Sophos Anti-Rootkit 1.5.4

Spotify

SUPERAntiSpyware

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office 2010 (KB2202188)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 8 (KB2447568)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB961503)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

WebEx

WebFldrs XP

WebReg

Windows Driver Package - Camera Maker (MR97310_VGA_DUAL_CAMERA) Image 07/18/2006 2.0.1.0

Windows Driver Package - NVIDIA (NVENETFD) Net (11/27/2006 65.4.8)

Windows Driver Package - NVIDIA (nvnetbus) NVIDIA Network Bus Enumerator (11/27/2006 65.4.8)

Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 8

Windows Management Framework Core

Windows Media Format 11 runtime

Windows Media Player 11

Windows XP Service Pack 3

WinZip 14.0

XAMPP 1.7.7

Yontoo Layers Runtime 1.10.01

Maniac · January 31, 2012

Step 1

It is not a good idea to have more than one antivirus program running at the same time, because this can cause poor perfomance and system crash too. Please uninstall one of these antivirus programs:

AVG 2011
Microsoft Security Essentials

Step 2

I suggest you to uninstall this program: Yontoo Layers Runtime 1.10.01 . More information:

Yontoo.Pagerage is a browser extension for Internet Explorer, Chrome and Firefox that enables customization of ones Facebook profile. However Yontoo.Pagerage gets installed as bundled software without proper display of an EULA and privacy policy. Yontoo.Pagerage also displays advertising which is not stated when installed as bundled software.

I would suggest ASPCA Reminder by We-Care.com v5.0.5.1 too. Because this program has bad characters. Take a look at this analyse of the program:

http://www.threatexpert.com/report.aspx?md5=987d7b06b78cebf2e3c1faf51b744128

If you don't want to uninstall one or both of them, don't proceed with next step. Just let me know.

Step 3

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\program files\Yontoo Layers Runtime

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

DDS::
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://isearch.whitesmoke.com/?q={searchTerms}&babsrc=home&s=web&as=0&isid=9860

FireFox::
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\jznn3j5q.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - WhiteSmoke Search
FF - prefs.js: keyword.URL - hxxp://isearch.whitesmoke.com/?babsrc=home&s=web&as=0&isid=9860&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60202
FF - prefs.js: network.proxy.type - 0
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,BuzzdockTease,DropDownDeals,DropDownDeals,

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

BrandiGuadalupe · January 31, 2012

ComboFix 12-01-30.02 - Owner 01/31/2012 12:56:51.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.895.386 [GMT -8:00]

Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe

Command switches used :: c:\qoobox\CFScript.txt