
Whitesmoke Virus/Toolbar



Hello,

I've been looking over the forums for a solution. My wife somehow got the Whitesmoke toolbar/malware on the computer and it keeps hijacking the internet browsing. I've tried a scan with Malwarebytes' Anti-Malware but to no avail. Anyway, I've been looking for a way to get it off, and any help you could give would really be appreciated.

Below are my DDS.txt and Attach.txt, and I have run Combofix:

DDS.txt

-----------------------------------------------------------------------------------------------------------------------------------------

.

DDS (Ver_2011-08-26.01) - NTFSAMD64

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26

Run by Susannah at 21:34:02 on 2012-05-30

.

============== Running Processes ===============

.

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe

C:\Program Files (x86)\Nero\Update\NASvc.exe

C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe

C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe

C:\Program Files (x86)\Nova Development\Photo Explosion Deluxe 3.0\CalCheck.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe

C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe

C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe

C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe

C:\Program Files (x86)\AVG\AVG2012\avgtray.exe

C:\Program Files (x86)\Mozilla Firefox\firefox.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe

C:\Program Files (x86)\AVG\AVG2012\avgcfgex.exe

C:\Users\Susannah\Desktop\Virus\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll

BHO: PlusIEEventHelper Class: {551a852f-39a6-44a7-9c13-afbec9185a9d} - C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

uRun: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

uRun: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe -scheduler

mRun: [PhotoExplosionCalCheck] C:\Program Files (x86)\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe

mRun: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun: [indexSearch] "C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe"

mRun: [PaperPort PTD] "C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe"

mRun: [PPort12reminder] "C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\12\Config\Ereg\Ereg.ini"

mRun: [PDFHook] C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe

mRun: [PDF5 Registry Controller] C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe

mRun: [ControlCenter4] "C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe" /autorun

mRun: [brStsMon00] "C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe" /AUTORUN

mRun: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"

mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Open with PDF Viewer Plus - C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm

IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll

IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{3428694F-CAF6-4D53-AC0A-6444815FB9E6} : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{FAD664F1-E5D1-4CB3-B368-EDED782DFBDD} : DhcpNameServer = 192.168.0.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

BHO-X64: AcroIEHelperStub - No File

BHO-X64: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll

BHO-X64: AVG Do Not Track - No File

BHO-X64: PlusIEEventHelper Class: {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll

BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL

BHO-X64: URLRedirectionBHO - No File

BHO-X64: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll

BHO-X64: WeCareReminder - No File

BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll

mRun-x64: [PhotoExplosionCalCheck] C:\Program Files (x86)\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe

mRun-x64: [bCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

mRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

mRun-x64: [indexSearch] "C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe"

mRun-x64: [PaperPort PTD] "C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe"

mRun-x64: [PPort12reminder] "C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\12\Config\Ereg\Ereg.ini"

mRun-x64: [PDFHook] C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe

mRun-x64: [PDF5 Registry Controller] C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe

mRun-x64: [ControlCenter4] "C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe" /autorun

mRun-x64: [brStsMon00] "C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe" /AUTORUN

mRun-x64: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"

mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"

SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=13

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q=

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL

FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL

FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll

FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll

FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll

.

============= SERVICES / DRIVERS ===============

.

R? AVGIDSAgent;AVGIDSAgent

R? BrYNSvc;BrYNSvc

R? clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64

R? Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service

R? MozillaMaintenance;Mozilla Maintenance Service

R? osppsvc;Office Software Protection Platform

R? PerfHost;Performance Counter DLL Host

R? SBRE;SBRE

R? VST64_DPV;VST64_DPV

R? VST64HWBS2;VST64HWBS2

R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0

S? AdobeARMservice;Adobe Acrobat Update Service

S? AVGIDSDriver;AVGIDSDriver

S? AVGIDSFilter;AVGIDSFilter

S? AVGIDSHA;AVGIDSHA

S? Avgldx64;AVG AVI Loader Driver

S? Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield

S? Avgrkx64;AVG Anti-Rootkit Driver

S? Avgtdia;AVG TDI Driver

S? avgwd;AVG WatchDog

S? CAXHWBS2;CAXHWBS2

S? FontCache;Windows Font Cache Service

S? NAUpdate;Nero Update

S? netr28x;Ralink 802.11n Wireless Driver for Windows Vista

S? PDFProFiltSrvPP;PDFProFiltSrvPP

.

=============== File Associations ===============

.

JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*

.

=============== Created Last 30 ================

.

2012-05-30 14:08:25 -------- d-----w- C:\Users\Susannah\AppData\Local\temp

2012-05-30 13:13:35 98816 ----a-w- C:\Windows\sed.exe

2012-05-30 13:13:35 518144 ----a-w- C:\Windows\SWREG.exe

2012-05-30 13:13:35 256000 ----a-w- C:\Windows\PEV.exe

2012-05-30 13:13:35 208896 ----a-w- C:\Windows\MBR.exe

2012-05-29 13:48:09 8955792 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{EDD59F08-BFF3-4FF7-B5AC-26D5A5FAD3EF}\mpengine.dll

2012-05-28 01:19:32 -------- d-----w- C:\Users\Susannah\AppData\Roaming\Malwarebytes

2012-05-28 01:19:22 -------- d-----w- C:\ProgramData\Malwarebytes

2012-05-28 01:19:21 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys

2012-05-28 01:19:21 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware

2012-05-28 01:06:17 -------- d-----w- C:\ProgramData\GFI Software

2012-05-26 22:08:37 -------- d-----w- C:\Users\Susannah\AppData\Roaming\AVG2012

2012-05-26 22:01:23 -------- d--h--w- C:\ProgramData\Common Files

2012-05-26 22:00:58 -------- d-----w- C:\Windows\SysWow64\drivers\AVG

2012-05-26 22:00:23 -------- d-----w- C:\Windows\System32\drivers\AVG

2012-05-26 22:00:23 -------- d-----w- C:\ProgramData\AVG2012

2012-05-26 22:00:23 -------- d-----w- C:\$AVG

2012-05-26 21:58:13 -------- d-----w- C:\Program Files (x86)\AVG

2012-05-26 21:54:20 -------- d-----w- C:\Users\Susannah\AppData\Local\jetmp3

2012-05-26 21:54:20 -------- d-----w- C:\Program Files (x86)\Conduit

2012-05-26 21:54:19 -------- d-----w- C:\ProgramData\MFAData

2012-05-26 21:54:15 -------- d-----w- C:\Users\Susannah\AppData\Local\Conduit

2012-05-26 21:47:00 -------- d-----w- C:\Users\Susannah\AppData\Local\adaware

2012-05-26 21:46:56 -------- d-----w- C:\ProgramData\Ad-Aware Browsing Protection

2012-05-13 16:10:25 419488 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe

2012-05-12 15:54:59 72576 ----a-w- C:\Windows\System32\drivers\partmgr.sys

2012-05-12 15:54:45 4699520 ----a-w- C:\Windows\System32\ntoskrnl.exe

2012-05-12 15:54:44 2766848 ----a-w- C:\Windows\System32\win32k.sys

2012-05-05 20:30:49 -------- d-----w- C:\ProgramData\MumboJumbo

2012-05-05 20:24:39 -------- d-----w- C:\Program Files (x86)\MumboJumbo

2012-05-04 19:03:54 -------- d-----w- C:\Program Files (x86)\Mozilla Maintenance Service

2012-05-04 19:03:50 157352 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice_installer.exe

2012-05-04 19:03:50 129976 ----a-w- C:\Program Files (x86)\Mozilla Firefox\maintenanceservice.exe

.

==================== Find3M ====================

.

2012-05-13 16:10:25 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

2012-04-19 10:50:26 28480 ----a-w- C:\Windows\System32\drivers\avgidsha.sys

2012-03-30 12:45:03 1423744 ----a-w- C:\Windows\System32\drivers\tcpip.sys

2012-03-19 11:17:26 383808 ----a-w- C:\Windows\System32\drivers\avgtdia.sys

.

============= FINISH: 21:34:38.49 ===============

Attach.txt

-----------------------------------------------------------------------------------------------------------------------------------------

.

==== Installed Programs ======================

.

µTorrent

Ad-Aware Browsing Protection

Adobe AIR

Adobe Reader X (10.1.3)

Adobe Shockwave Player 11.6

ASPCA Reminder by We-Care.com v5.0.5.1

Auslogics Registry Cleaner

AVCutty 3.2

Brother MFL-Pro Suite DCP-7065DN

Compatibility Pack for the 2007 Office system

Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition

erLT

Google SketchUp 8

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Java Auto Updater

Java™ 6 Update 26

JetMP3

Logitech SetPoint

LUXOR

LUXOR - Amun Rising

LUXOR - Mah Jong

LUXOR 2

Luxor: Amun Rising

Malwarebytes Anti-Malware version 1.61.0.1400

Microsoft Office 2010 Service Pack 1 (SP1)

Microsoft Office Access MUI (English) 2010

Microsoft Office Access Setup Metadata MUI (English) 2010

Microsoft Office Excel MUI (English) 2010

Microsoft Office Groove MUI (English) 2010

Microsoft Office InfoPath MUI (English) 2010

Microsoft Office OneNote MUI (English) 2010

Microsoft Office Outlook MUI (English) 2010

Microsoft Office PowerPoint MUI (English) 2010

Microsoft Office Professional Plus 2010

Microsoft Office Proof (English) 2010

Microsoft Office Proof (French) 2010

Microsoft Office Proof (Spanish) 2010

Microsoft Office Proofing (English) 2010

Microsoft Office Publisher MUI (English) 2010

Microsoft Office Shared MUI (English) 2010

Microsoft Office Shared Setup Metadata MUI (English) 2010

Microsoft Office Word MUI (English) 2010

Microsoft Silverlight

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Microsoft Web Publishing Wizard 1.52

MozBackup 1.4.10

Mozilla Firefox 12.0 (x86 en-US)

Mozilla Maintenance Service

Mozilla Thunderbird 12.0.1 (x86 en-US)

MSXML 4.0 SP3 Parser

MSXML 4.0 SP3 Parser (KB973685)

Nero Burning ROM 11

Nero Burning ROM 11 Help (CHM)

Nero ControlCenter 11

Nero ControlCenter 11 Help (CHM)

Nero Core Components 11

Nero RescueAgent 11

Nero RescueAgent 11 Help (CHM)

Nero Update

nero.prerequisites.msi

Nuance PaperPort 12

Nuance PDF Viewer Plus

NVIDIA PhysX

Oblivion

Photo Explosion Deluxe 3.0

Realtek High Definition Audio Driver

Scansoft PDF Professional

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)

Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2553091)

Security Update for Microsoft Office 2010 (KB2553096)

Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition

Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition

Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition

Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)

Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition

Snood for Windows version 3.52-W

swMSM

Unreal Tournament 2004

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft Office 2010 (KB2494150)

Update for Microsoft Office 2010 (KB2553065)

Update for Microsoft Office 2010 (KB2553092)

Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition

Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition

Update for Microsoft Office 2010 (KB2566458)

Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition

Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition

Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition

Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition

Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition

Visual Studio 2008 x64 Redistributables

Windows Media Player Firefox Plugin

.

==== End Of File ===========================

Combofix log

-----------------------------------------------------------------------------------------------------------------------------------------

ComboFix 12-05-30.03 - Susannah 05/30/2012 7:48.2.2 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8190.6466 [GMT -6:00]

Running from: c:\users\Susannah\Desktop\Virus\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-30 )))))))))))))))))))))))))))))))

.

.

2012-05-30 13:58 . 2012-05-30 14:02 -------- d-----w- c:\users\Susannah\AppData\Local\temp

2012-05-30 13:58 . 2012-05-30 13:58 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-05-29 13:48 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EDD59F08-BFF3-4FF7-B5AC-26D5A5FAD3EF}\mpengine.dll

2012-05-28 01:19 . 2012-05-28 01:19 -------- d-----w- c:\users\Susannah\AppData\Roaming\Malwarebytes

2012-05-28 01:19 . 2012-05-28 01:19 -------- d-----w- c:\programdata\Malwarebytes

2012-05-28 01:19 . 2012-05-28 01:19 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-05-28 01:19 . 2012-04-04 21:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-28 01:06 . 2012-05-28 01:06 -------- d-----w- c:\programdata\GFI Software

2012-05-26 22:08 . 2012-05-26 22:08 -------- d-----w- c:\users\Susannah\AppData\Roaming\AVG2012

2012-05-26 22:01 . 2012-05-26 22:01 -------- d--h--w- c:\programdata\Common Files

2012-05-26 22:00 . 2012-05-26 22:00 -------- d-----w- c:\windows\SysWow64\drivers\AVG

2012-05-26 22:00 . 2012-05-29 23:22 -------- d-----w- c:\windows\system32\drivers\AVG

2012-05-26 22:00 . 2012-05-26 22:09 -------- d-----w- c:\programdata\AVG2012

2012-05-26 22:00 . 2012-05-26 22:00 -------- d-----w- C:\$AVG

2012-05-26 21:58 . 2012-05-26 21:58 -------- d-----w- c:\program files (x86)\AVG

2012-05-26 21:54 . 2012-05-30 13:40 -------- d-----w- c:\users\AppData

2012-05-26 21:54 . 2012-05-26 21:54 -------- d-----w- c:\users\Susannah\AppData\Local\jetmp3

2012-05-26 21:54 . 2012-05-26 21:54 -------- d-----w- c:\program files (x86)\Conduit

2012-05-26 21:54 . 2012-05-29 23:22 -------- d-----w- c:\programdata\MFAData

2012-05-26 21:54 . 2012-05-27 13:41 -------- d-----w- c:\users\Susannah\AppData\Local\Conduit

2012-05-26 21:47 . 2012-05-26 21:47 -------- d-----w- c:\users\Susannah\AppData\Local\adaware

2012-05-26 21:46 . 2012-05-26 21:46 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection

2012-05-13 16:10 . 2012-05-13 16:10 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-05-12 15:54 . 2012-03-20 23:34 72576 ----a-w- c:\windows\system32\drivers\partmgr.sys

2012-05-12 15:54 . 2012-04-03 08:22 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-12 15:54 . 2012-04-02 13:59 2766848 ----a-w- c:\windows\system32\win32k.sys

2012-05-05 20:30 . 2012-05-05 20:30 -------- d-----w- c:\programdata\MumboJumbo

2012-05-05 20:24 . 2012-05-05 20:24 -------- d-----w- c:\program files (x86)\MumboJumbo

2012-05-04 19:03 . 2012-05-04 19:03 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service

2012-05-04 19:03 . 2012-05-04 19:03 157352 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe

2012-05-04 19:03 . 2012-05-04 19:03 129976 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-05-13 16:10 . 2011-05-29 17:37 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-04-19 10:50 . 2012-04-19 10:50 28480 ----a-w- c:\windows\system32\drivers\avgidsha.sys

2012-03-19 11:17 . 2012-03-19 11:17 383808 ----a-w- c:\windows\system32\drivers\avgtdia.sys

2012-03-06 23:15 . 2011-01-17 17:41 258520 ----a-w- c:\windows\system32\aswBoot.exe

.

.

((((((((((((((((((((((((((((( SnapShot@2012-05-30_13.32.05 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-21 02:23 . 2012-05-30 14:01 39212 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2006-11-02 15:45 . 2012-05-30 14:02 72398 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin

+ 2010-12-18 21:22 . 2012-05-30 14:02 12012 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2477298372-428459766-202237345-1000_UserData.bin

- 2012-05-30 13:31 . 2012-05-30 13:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

+ 2012-05-30 13:59 . 2012-05-30 13:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2012-05-30 13:31 . 2012-05-30 13:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2012-05-30 13:59 . 2012-05-30 13:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2006-11-02 12:46 . 2012-05-30 13:38 604502 c:\windows\system32\perfh009.dat

- 2006-11-02 12:46 . 2012-05-28 03:40 604502 c:\windows\system32\perfh009.dat

- 2006-11-02 12:46 . 2012-05-28 03:40 104202 c:\windows\system32\perfc009.dat

+ 2006-11-02 12:46 . 2012-05-30 13:38 104202 c:\windows\system32\perfc009.dat

- 2011-02-10 14:56 . 2012-05-30 13:29 392016 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2011-02-10 14:56 . 2012-05-30 13:58 392016 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2012-05-30 13:29 . 2012-05-30 13:58 1507292 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2477298372-428459766-202237345-1000-8192.dat

- 2012-05-30 13:29 . 2012-05-30 13:29 1507292 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2477298372-428459766-202237345-1000-8192.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]

"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"PhotoExplosionCalCheck"="c:\program files (x86)\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe" [2006-05-10 69632]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2010-03-09 46368]

"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2010-03-09 29984]

"PPort12reminder"="c:\program files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]

"PDFHook"="c:\program files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]

"PDF5 Registry Controller"="c:\program files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]

"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2010-10-26 139264]

"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]

"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]

"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-12-25 1207312]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart

.

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

.

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Open with PDF Viewer Plus - c:\program files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm

IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files (x86)\AVG\AVG2012\avgdtiex.dll

TCP: DhcpNameServer = 192.168.0.1

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

FF - ProfilePath - c:\users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=13

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q=

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe

c:\program files (x86)\Nero\Update\NASvc.exe

c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe

c:\program files (x86)\AVG\AVG2012\avgidsagent.exe

c:\program files\Logitech\SetPoint\x86\SetPoint32.exe

.

**************************************************************************

.

Completion time: 2012-05-30 08:08:22 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-30 14:08

ComboFix2.txt 2012-05-30 13:40

.

Pre-Run: 183,526,543,360 bytes free

Post-Run: 183,918,620,672 bytes free

.

- - End Of File - - A247374F71FD391B3C4C47964372761C


  • Staff

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes; just copy and paste the text.
    • Due to the high volume of logs we receive, it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


Gringo thanks for getting back to me. I have run the security check and combofix you sent me. The computer is still the same with the Whitesmoke Toolbar trying to redirect me.

The logs for Security Check and ComboFix are as follows:

Results of screen317's Security Check version 0.99.41

Windows Vista Service Pack 2 x64 (UAC is enabled)

Internet Explorer 9

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

WMI entry may not exist for antivirus; attempting automatic update.

AVG2012 successfully updated!

`````````Anti-malware/Other Utilities Check:`````````

Ad-Aware

Malwarebytes Anti-Malware version 1.61.0.1400

Auslogics Registry Cleaner

Java™ 6 Update 26

Java version out of date!

Adobe Reader X (10.1.3)

Mozilla Firefox (12.0)

Mozilla Thunderbird (12.0.1)

````````Process Check: objlist.exe by Laurent````````

Ad-Aware AAWService.exe is disabled!

Ad-Aware AAWTray.exe is disabled!

AVG avgwdsvc.exe

AVG avgtray.exe

Susannah Desktop Virus SecurityCheck.exe

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1 %

````````````````````End of Log``````````````````````

ComboFix 12-05-31.01 - Susannah 05/31/2012 6:38.3.2 - x64

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8190.6066 [GMT -6:00]

Running from: c:\users\Susannah\Desktop\Virus\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-31 )))))))))))))))))))))))))))))))

.

.

2012-05-31 12:47 . 2012-05-31 12:52 -------- d-----w- c:\users\Susannah\AppData\Local\temp

2012-05-31 12:47 . 2012-05-31 12:47 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-05-29 13:48 . 2012-05-08 17:02 8955792 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EDD59F08-BFF3-4FF7-B5AC-26D5A5FAD3EF}\mpengine.dll

2012-05-28 01:19 . 2012-05-28 01:19 -------- d-----w- c:\users\Susannah\AppData\Roaming\Malwarebytes

2012-05-28 01:19 . 2012-05-28 01:19 -------- d-----w- c:\programdata\Malwarebytes

2012-05-28 01:19 . 2012-05-31 03:36 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware

2012-05-28 01:19 . 2012-04-04 21:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-05-28 01:06 . 2012-05-28 01:06 -------- d-----w- c:\programdata\GFI Software

2012-05-26 22:08 . 2012-05-26 22:08 -------- d-----w- c:\users\Susannah\AppData\Roaming\AVG2012

2012-05-26 22:01 . 2012-05-26 22:01 -------- d--h--w- c:\programdata\Common Files

2012-05-26 22:00 . 2012-05-26 22:00 -------- d-----w- c:\windows\SysWow64\drivers\AVG

2012-05-26 22:00 . 2012-05-31 12:16 -------- d-----w- c:\windows\system32\drivers\AVG

2012-05-26 22:00 . 2012-05-26 22:09 -------- d-----w- c:\programdata\AVG2012

2012-05-26 22:00 . 2012-05-26 22:00 -------- d-----w- C:\$AVG

2012-05-26 21:58 . 2012-05-26 21:58 -------- d-----w- c:\program files (x86)\AVG

2012-05-26 21:54 . 2012-05-30 13:40 -------- d-----w- c:\users\AppData

2012-05-26 21:54 . 2012-05-26 21:54 -------- d-----w- c:\users\Susannah\AppData\Local\jetmp3

2012-05-26 21:54 . 2012-05-26 21:54 -------- d-----w- c:\program files (x86)\Conduit

2012-05-26 21:54 . 2012-05-31 12:16 -------- d-----w- c:\programdata\MFAData

2012-05-26 21:54 . 2012-05-27 13:41 -------- d-----w- c:\users\Susannah\AppData\Local\Conduit

2012-05-26 21:47 . 2012-05-26 21:47 -------- d-----w- c:\users\Susannah\AppData\Local\adaware

2012-05-26 21:46 . 2012-05-26 21:46 -------- d-----w- c:\programdata\Ad-Aware Browsing Protection

2012-05-13 16:10 . 2012-05-13 16:10 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe

2012-05-12 15:54 . 2012-03-20 23:34 72576 ----a-w- c:\windows\system32\drivers\partmgr.sys

2012-05-12 15:54 . 2012-04-03 08:22 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-05-12 15:54 . 2012-04-02 13:59 2766848 ----a-w- c:\windows\system32\win32k.sys

2012-05-05 20:30 . 2012-05-05 20:30 -------- d-----w- c:\programdata\MumboJumbo

2012-05-05 20:24 . 2012-05-05 20:24 -------- d-----w- c:\program files (x86)\MumboJumbo

2012-05-04 19:03 . 2012-05-04 19:03 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service

2012-05-04 19:03 . 2012-05-04 19:03 157352 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice_installer.exe

2012-05-04 19:03 . 2012-05-04 19:03 129976 ----a-w- c:\program files (x86)\Mozilla Firefox\maintenanceservice.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-05-13 16:10 . 2011-05-29 17:37 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl

2012-04-19 10:50 . 2012-04-19 10:50 28480 ----a-w- c:\windows\system32\drivers\avgidsha.sys

2012-03-19 11:17 . 2012-03-19 11:17 383808 ----a-w- c:\windows\system32\drivers\avgtdia.sys

2012-03-06 23:15 . 2011-01-17 17:41 258520 ----a-w- c:\windows\system32\aswBoot.exe

.

.

((((((((((((((((((((((((((((( SnapShot@2012-05-30_13.32.05 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-01-21 02:23 . 2012-05-31 12:51 39284 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin

+ 2006-11-02 15:45 . 2012-05-31 12:51 72590 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin

+ 2010-12-18 21:22 . 2012-05-31 12:51 12306 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2477298372-428459766-202237345-1000_UserData.bin

+ 2012-05-31 12:49 . 2012-05-31 12:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2012-05-30 13:31 . 2012-05-30 13:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

- 2012-05-30 13:31 . 2012-05-30 13:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2012-05-31 12:49 . 2012-05-31 12:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat

+ 2006-11-02 12:46 . 2012-05-30 14:07 604502 c:\windows\system32\perfh009.dat

- 2006-11-02 12:46 . 2012-05-28 03:40 604502 c:\windows\system32\perfh009.dat

+ 2006-11-02 12:46 . 2012-05-30 14:07 104202 c:\windows\system32\perfc009.dat

- 2006-11-02 12:46 . 2012-05-28 03:40 104202 c:\windows\system32\perfc009.dat

- 2011-02-10 14:56 . 2012-05-30 13:29 392016 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2011-02-10 14:56 . 2012-05-31 12:48 392016 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat

+ 2012-05-31 12:48 . 2012-05-31 12:48 392784 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2477298372-428459766-202237345-1000-4096.dat

+ 2012-05-30 13:29 . 2012-05-31 12:48 2207028 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2477298372-428459766-202237345-1000-8192.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]

"ISUSPM"="c:\programdata\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-05 222496]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

"PhotoExplosionCalCheck"="c:\program files (x86)\Nova Development\Photo Explosion Deluxe 3.0\calcheck.exe" [2006-05-10 69632]

"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"IndexSearch"="c:\program files (x86)\Nuance\PaperPort\IndexSearch.exe" [2010-03-09 46368]

"PaperPort PTD"="c:\program files (x86)\Nuance\PaperPort\pptd40nt.exe" [2010-03-09 29984]

"PPort12reminder"="c:\program files (x86)\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]

"PDFHook"="c:\program files (x86)\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]

"PDF5 Registry Controller"="c:\program files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]

"ControlCenter4"="c:\program files (x86)\ControlCenter4\BrCcBoot.exe" [2010-10-26 139264]

"BrStsMon00"="c:\program files (x86)\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]

"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2011-10-21 198032]

"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2010-12-25 1207312]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart

.

S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]

.

.

.

--------- x86-64 -----------

.

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 130576]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785

IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000

IE: Open with PDF Viewer Plus - c:\program files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm

IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105

IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files (x86)\AVG\AVG2012\avgdtiex.dll

TCP: DhcpNameServer = 192.168.0.1

CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll

FF - ProfilePath - c:\users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3198785&SearchSource=13

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q=

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]

"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]

@Denied: (A) (Everyone)

"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]

@Denied: (A) (Everyone)

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]

"Key"="ActionsPane3"

"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Other Running Processes ------------------------

.

c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe

c:\program files (x86)\Nero\Update\NASvc.exe

c:\program files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe

c:\program files (x86)\ControlCenter4\BrCtrlCntr.exe

c:\program files (x86)\ControlCenter4\BrCcUxSys.exe

c:\program files\Logitech\SetPoint\x86\SetPoint32.exe

c:\program files (x86)\AVG\AVG2012\avgcfgex.exe

.

**************************************************************************

.

Completion time: 2012-05-31 06:58:04 - machine was rebooted

ComboFix-quarantined-files.txt 2012-05-31 12:58

ComboFix2.txt 2012-05-30 14:08

ComboFix3.txt 2012-05-30 13:40

.

Pre-Run: 181,102,157,824 bytes free

Post-Run: 187,205,722,112 bytes free

.

- - End Of File - - C9E610CBCDA7CCBC685D23669735AA0F

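The ComboFix log above shows the hijack in plain sight: the IE start page (uStart Page) and the Firefox prefs browser.search.defaulturl, browser.startup.homepage and keyword.URL all point at search.conduit.com, and the OTL log posted later in the thread names the default Firefox engine "WhiteSmoke US Customized Web Search". Below is an added example of a defender's check over such logs; it is my code, not ComboFix's, OTL's, or anything posted by the thread's participants. It reads lines in both tools' formats and flags any browser setting whose URL resolves to a watchlisted domain or whose value carries a watchlisted name. The watchlist (conduit.com, "whitesmoke") is a constructed one seeded from this thread's indicators, and the sample lines are copied from the ComboFix log above and the later OTL log, with a few benign lines from the same logs included to show they pass untouched.

```python
"""Flag hijacked browser settings in ComboFix / OTL log lines.

Added example for this thread; not part of ComboFix, OTL or the Bleeping
Computer cleanup procedure. The watchlist is constructed from the indicators
visible in the thread's logs (search.conduit.com, "WhiteSmoke").
"""
import re
from urllib.parse import urlparse

# Constructed watchlist: hosts that should never be a start page or search URL,
# and name fragments matched case-insensitively against any setting value.
SUSPECT_DOMAINS = ("conduit.com",)
SUSPECT_KEYWORDS = ("whitesmoke",)

# One regex per line format seen in the thread; each yields 'setting' and 'value'.
SETTING_PATTERNS = (
    # ComboFix: "uStart Page = hxxp://..." (u = user hive, m = machine hive)
    re.compile(r"^(?P<setting>[um](?:Start Page|Default_Page_URL|Search Page))\s*=\s*(?P<value>\S+)"),
    # ComboFix: "FF - prefs.js: keyword.URL - hxxp://..."
    re.compile(r"^FF - prefs\.js:\s*(?P<setting>[\w.]+)\s*-\s*(?P<value>\S+)"),
    # OTL: 'FF - prefs.js..browser.startup.homepage: "http://..."'
    re.compile(r'^FF - prefs\.js\.\.(?P<setting>[\w.]+):\s*"?(?P<value>.+?)"?\s*$'),
    # OTL: 'IE - HKU\...\Main,Start Page = http://...'
    re.compile(r"^IE(?::64bit:)? - HK.*?,(?P<setting>Start Page)\s*=\s*(?P<value>\S+)"),
    # OTL: 'IE - HKU\...\SearchScopes\{GUID}: "URL" = http://...'
    re.compile(r'^IE(?::64bit:)? - HK.*?SearchScopes\\\{(?P<setting>[0-9A-Fa-f-]{36})\}:\s*"URL"\s*=\s*(?P<value>\S+)'),
)


def defang_to_url(value: str) -> str:
    """ComboFix writes hxxp:// so readers cannot click through; restore the scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def host_of(value: str):
    """Lower-cased hostname of a URL-valued setting, or None if the value is not a URL."""
    url = defang_to_url(value)
    if not re.match(r"^https?://", url, re.IGNORECASE):
        return None
    return (urlparse(url).hostname or "").lower() or None


def is_watchlisted_host(host: str, domains=SUSPECT_DOMAINS) -> bool:
    """True when host is a watchlisted domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def find_hijack_indicators(lines, domains=SUSPECT_DOMAINS, keywords=SUSPECT_KEYWORDS):
    """Return (setting, value, reason) for every browser setting that trips the watchlist."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for pattern in SETTING_PATTERNS:
            match = pattern.match(line)
            if not match:
                continue
            setting, value = match.group("setting"), match.group("value")
            host = host_of(value)
            if host and is_watchlisted_host(host, domains):
                findings.append((setting, value, f"points at watchlisted domain {host}"))
            elif any(k in value.lower() for k in keywords):
                findings.append((setting, value, "value contains a watchlisted name"))
            break  # a line belongs to exactly one format; stop at the first match
    return findings


# Sample input: lines copied from the ComboFix and OTL logs in this thread.
SAMPLE_LOG_LINES = [
    "uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3198785",
    "FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=3&q={searchTerms}",
    "FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q=",
    "TCP: DhcpNameServer = 192.168.0.1",  # benign, not a browser setting
    'FF - prefs.js..browser.search.defaultthis.engineName: "WhiteSmoke US Customized Web Search"',
    'FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3198785&SearchSource=13"',
    r"IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT3198785",
    r"IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us",
    r'IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\..\SearchScopes\{F8B07734-2B06-42EE-97CC-8462CC07F325}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}',
    "FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22",  # Java plugin, benign
]

if __name__ == "__main__":
    for setting, value, reason in find_hijack_indicators(SAMPLE_LOG_LINES):
        print(f"[HIJACK] {setting}: {value}  ({reason})")
```

Run as a script it prints the six hijacked settings and leaves the Google search scope, the Redirect Cache entry and the Java extension line alone. Restoring the scheme from ComboFix's hxxp:// defanging before parsing is what lets the same hostname comparison serve both tools' output; matching on the hostname rather than a substring of the whole line avoids false hits on query strings that merely mention a domain.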

  • Staff

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo


OTL logfile created on: 6/1/2012 5:03:21 PM - Run 1

OTL by OldTimer - Version 3.2.45.0 Folder = C:\Users\Susannah\Desktop\Virus

64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 9.0.8112.16421)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

8.00 Gb Total Physical Memory | 6.24 Gb Available Physical Memory | 78.08% Memory free

16.20 Gb Paging File | 14.42 Gb Available in Paging File | 89.01% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 298.09 Gb Total Space | 173.09 Gb Free Space | 58.06% Space Free | Partition Type: NTFS

Drive D: | 578.42 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: SUSANNAH-PC | User Name: Susannah | Logged in as Administrator.

Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans

Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Susannah\Desktop\Virus\OTL.exe (OldTimer Tools)

PRC - C:\Program Files (x86)\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files (x86)\AVG\AVG2012\avgcfgex.exe (AVG Technologies CZ, s.r.o.)

PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)

PRC - C:\Program Files (x86)\Nero\Update\NASvc.exe (Nero AG)

PRC - C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe (Brother Industries, Ltd.)

PRC - C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe (Brother Industries, Ltd.)

PRC - C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe (Nuance Communications, Inc.)

PRC - C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe (Nuance Communications, Inc.)

PRC - C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe (Nuance Communications, Inc.)

PRC - C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe ()

PRC - C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe (Acresso Corporation)

PRC - C:\Program Files (x86)\Nova Development\Photo Explosion Deluxe 3.0\CalCheck.exe (Ulead Systems, Inc.)

========== Modules (No Company Name) ==========

MOD - C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe ()

MOD - C:\Program Files (x86)\Brother\BrUtilities\BrLogAPI.dll ()

MOD - C:\Program Files (x86)\Nova Development\Photo Explosion Deluxe 3.0\uviplPX.dll ()

MOD - C:\Program Files (x86)\Nova Development\Photo Explosion Deluxe 3.0\uvipl.dll ()

MOD - C:\Program Files (x86)\Nova Development\Photo Explosion Deluxe 3.0\Cpuinf32.dll ()

========== Win32 Services (SafeList) ==========

SRV:64bit: - (LBTServ) -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe (Logitech, Inc.)

SRV:64bit: - (Mcx2Svc) -- C:\Windows\SysNative\Mcx2Svc.dll (Microsoft Corporation)

SRV:64bit: - (RemoteAccess) -- C:\Windows\SysNative\mprdim.dll (Microsoft Corporation)

SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)

SRV:64bit: - (XAudioService) -- C:\Windows\SysNative\DRIVERS\xaudio64.exe (Conexant Systems, Inc.)

SRV - (MozillaMaintenance) -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe (Mozilla Foundation)

SRV - (AVGIDSAgent) -- C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe (AVG Technologies CZ, s.r.o.)

SRV - (avgwd) -- C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)

SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)

SRV - (NAUpdate) @C:\Program Files (x86) -- C:\Program Files (x86)\Nero\Update\NASvc.exe (Nero AG)

SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)

SRV - (PDFProFiltSrvPP) -- C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe (Nuance Communications, Inc.)

SRV - (BrYNSvc) -- C:\Program Files (x86)\Browny02\BrYNSvc.exe (Brother Industries, Ltd.)

SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (clr_optimization_v2.0.50727_64) -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe (Microsoft Corporation)

SRV - (RemoteAccess) -- C:\Windows\SysWOW64\mprdim.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV:64bit: - (AVGIDSHA) -- C:\Windows\SysNative\DRIVERS\avgidsha.sys (AVG Technologies CZ, s.r.o. )

DRV:64bit: - (Avgtdia) -- C:\Windows\SysNative\DRIVERS\avgtdia.sys (AVG Technologies CZ, s.r.o.)

DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)

DRV:64bit: - (Avgldx64) -- C:\Windows\SysNative\DRIVERS\avgldx64.sys (AVG Technologies CZ, s.r.o.)

DRV:64bit: - (Avgrkx64) -- C:\Windows\SysNative\DRIVERS\avgrkx64.sys (AVG Technologies CZ, s.r.o.)

DRV:64bit: - (Avgmfx64) -- C:\Windows\SysNative\DRIVERS\avgmfx64.sys (AVG Technologies CZ, s.r.o.)

DRV:64bit: - (AVGIDSFilter) -- C:\Windows\SysNative\DRIVERS\avgidsfiltera.sys (AVG Technologies CZ, s.r.o. )

DRV:64bit: - (AVGIDSDriver) -- C:\Windows\SysNative\DRIVERS\avgidsdrivera.sys (AVG Technologies CZ, s.r.o. )

DRV:64bit: - (WpdUsb) -- C:\Windows\SysNative\DRIVERS\wpdusb.sys (Microsoft Corporation)

DRV:64bit: - (netr28x) -- C:\Windows\SysNative\DRIVERS\netr28x.sys (Ralink Technology, Corp.)

DRV:64bit: - (LUsbFilt) -- C:\Windows\SysNative\Drivers\LUsbFilt.Sys (Logitech, Inc.)

DRV:64bit: - (LMouFilt) -- C:\Windows\SysNative\DRIVERS\LMouFilt.Sys (Logitech, Inc.)

DRV:64bit: - (LHidFilt) -- C:\Windows\SysNative\DRIVERS\LHidFilt.Sys (Logitech, Inc.)

DRV:64bit: - (L8042Kbd) -- C:\Windows\SysNative\DRIVERS\L8042Kbd.sys (Logitech, Inc.)

DRV:64bit: - (udfs) -- C:\Windows\SysNative\DRIVERS\udfs.sys (Microsoft Corporation)

DRV:64bit: - (KMWDFILTER) -- C:\Windows\SysNative\DRIVERS\KMWDFILTER.sys (Windows ® Codename Longhorn DDK provider)

DRV:64bit: - (CAXHWBS2) -- C:\Windows\SysNative\DRIVERS\CAXHWBS2.sys (Conexant Systems, Inc.)

DRV:64bit: - (winachsf) -- C:\Windows\SysNative\DRIVERS\CAX_CNXT.sys (Conexant Systems, Inc.)

DRV:64bit: - (HSF_DP) -- C:\Windows\SysNative\DRIVERS\CAX_DP.sys (Conexant Systems, Inc.)

DRV:64bit: - (Amusbprt) -- C:\Windows\SysNative\DRIVERS\Amusbx64.sys (A4Tech Co.,Ltd.)

DRV:64bit: - (IPMIDRV) -- C:\Windows\SysNative\drivers\ipmidrv.sys (Microsoft Corporation)

DRV:64bit: - (i2omp) -- C:\Windows\SysNative\drivers\i2omp.sys (Microsoft Corporation)

DRV:64bit: - (adpu320) -- C:\Windows\SysNative\drivers\adpu320.sys (Adaptec, Inc.)

DRV:64bit: - (Wd) -- C:\Windows\SysNative\drivers\wd.sys (Microsoft Corporation)

DRV:64bit: - (mpio) -- C:\Windows\SysNative\drivers\mpio.sys (Microsoft Corporation)

DRV:64bit: - (SiSRaid4) -- C:\Windows\SysNative\drivers\sisraid4.sys (Silicon Integrated Systems)

DRV:64bit: - (vsmraid) -- C:\Windows\SysNative\drivers\vsmraid.sys (VIA Technologies Inc.,Ltd)

DRV:64bit: - (fdc) -- C:\Windows\SysNative\DRIVERS\fdc.sys (Microsoft Corporation)

DRV:64bit: - (usbuhci) -- C:\Windows\SysNative\DRIVERS\usbuhci.sys (Microsoft Corporation)

DRV:64bit: - (StillCam) -- C:\Windows\SysNative\DRIVERS\serscan.sys (Microsoft Corporation)

DRV:64bit: - (msdsm) -- C:\Windows\SysNative\drivers\msdsm.sys (Microsoft Corporation)

DRV:64bit: - (blbdrive) -- C:\Windows\SysNative\drivers\blbdrive.sys (Microsoft Corporation)

DRV:64bit: - (circlass) -- C:\Windows\SysNative\drivers\circlass.sys (Microsoft Corporation)

DRV:64bit: - (LSI_SCSI) -- C:\Windows\SysNative\drivers\lsi_scsi.sys (LSI Logic)

DRV:64bit: - (arcsas) -- C:\Windows\SysNative\drivers\arcsas.sys (Adaptec, Inc.)

DRV:64bit: - (sffdisk) -- C:\Windows\SysNative\drivers\sffdisk.sys (Microsoft Corporation)

DRV:64bit: - (elxstor) -- C:\Windows\SysNative\drivers\elxstor.sys (Emulex)

DRV:64bit: - (iaStorV) -- C:\Windows\SysNative\drivers\iastorv.sys (Intel Corporation)

DRV:64bit: - (HpCISSs) -- C:\Windows\SysNative\drivers\hpcisss.sys (Hewlett-Packard Company)

DRV:64bit: - (megasas) -- C:\Windows\SysNative\drivers\megasas.sys (LSI Corporation)

DRV:64bit: - (sermouse) -- C:\Windows\SysNative\drivers\sermouse.sys (Microsoft Corporation)

DRV:64bit: - (MegaSR) -- C:\Windows\SysNative\drivers\megasr.sys (LSI Corporation, Inc.)

DRV:64bit: - (uliahci) -- C:\Windows\SysNative\drivers\uliahci.sys (ULi Electronics Inc.)

DRV:64bit: - (LSI_SAS) -- C:\Windows\SysNative\drivers\lsi_sas.sys (LSI Logic)

DRV:64bit: - (SiSRaid2) -- C:\Windows\SysNative\drivers\sisraid2.sys (Microsoft Corporation)

DRV:64bit: - (flpydisk) -- C:\Windows\SysNative\DRIVERS\flpydisk.sys (Microsoft Corporation)

DRV:64bit: - (adpahci) -- C:\Windows\SysNative\drivers\adpahci.sys (Adaptec, Inc.)

DRV:64bit: - (nvraid) -- C:\Windows\SysNative\drivers\nvraid.sys (NVIDIA Corporation)

DRV:64bit: - (adpu160m) -- C:\Windows\SysNative\drivers\adpu160m.sys (Adaptec, Inc.)

DRV:64bit: - (VST64_DPV) -- C:\Windows\SysNative\DRIVERS\VSTDPV6.SYS (Conexant Systems, Inc.)

DRV:64bit: - (adp94xx) -- C:\Windows\SysNative\drivers\adp94xx.sys (Adaptec, Inc.)

DRV:64bit: - (VST64HWBS2) -- C:\Windows\SysNative\DRIVERS\VSTBS26.SYS (Conexant Systems, Inc.)

DRV:64bit: - (ql2300) -- C:\Windows\SysNative\drivers\ql2300.sys (QLogic Corporation)

DRV:64bit: - (ulsata2) -- C:\Windows\SysNative\drivers\ulsata2.sys (Promise Technology, Inc.)

DRV:64bit: - (arc) -- C:\Windows\SysNative\drivers\arc.sys (Adaptec, Inc.)

DRV:64bit: - (rdpdr) -- C:\Windows\SysNative\drivers\rdpdr.sys (Microsoft Corporation)

DRV:64bit: - (LSI_FC) -- C:\Windows\SysNative\drivers\lsi_fc.sys (LSI Logic)

DRV:64bit: - (intelppm) -- C:\Windows\SysNative\DRIVERS\intelppm.sys (Microsoft Corporation)

DRV:64bit: - (Processor) -- C:\Windows\SysNative\drivers\processr.sys (Microsoft Corporation)

DRV:64bit: - (isapnp) -- C:\Windows\SysNative\drivers\isapnp.sys (Microsoft Corporation)

DRV:64bit: - (msahci) -- C:\Windows\SysNative\drivers\msahci.sys (Microsoft Corporation)

DRV:64bit: - (Compbatt) -- C:\Windows\SysNative\drivers\compbatt.sys (Microsoft Corporation)

DRV:64bit: - (intelide) -- C:\Windows\SysNative\drivers\intelide.sys (Microsoft Corporation)

DRV:64bit: - (viaide) -- C:\Windows\SysNative\drivers\viaide.sys (VIA Technologies, Inc.)

DRV:64bit: - (cmdide) -- C:\Windows\SysNative\drivers\cmdide.sys (CMD Technology, Inc.)

DRV:64bit: - (amdide) -- C:\Windows\SysNative\drivers\amdide.sys (Microsoft Corporation)

DRV:64bit: - (aliide) -- C:\Windows\SysNative\drivers\aliide.sys (Acer Laboratories Inc.)

DRV:64bit: - (WmiAcpi) -- C:\Windows\SysNative\drivers\wmiacpi.sys (Microsoft Corporation)

DRV:64bit: - (ErrDev) -- C:\Windows\SysNative\drivers\errdev.sys (Microsoft Corporation)

DRV:64bit: - (XAudio) -- C:\Windows\SysNative\DRIVERS\xaudio64.sys (Conexant Systems, Inc.)

DRV:64bit: - (Amfilter) -- C:\Windows\SysNative\DRIVERS\Amfltx64.sys ((Standard mouse types))

DRV:64bit: - (nfrd960) -- C:\Windows\SysNative\drivers\nfrd960.sys (IBM Corporation)

DRV:64bit: - (Symc8xx) -- C:\Windows\SysNative\drivers\symc8xx.sys (LSI Logic)

DRV:64bit: - (Sym_u3) -- C:\Windows\SysNative\drivers\sym_u3.sys (LSI Logic)

DRV:64bit: - (iirsp) -- C:\Windows\SysNative\drivers\iirsp.sys (Intel Corp./ICP vortex GmbH)

DRV:64bit: - (Sym_hi) -- C:\Windows\SysNative\drivers\sym_hi.sys (LSI Logic)

DRV:64bit: - (Mraid35x) -- C:\Windows\SysNative\drivers\mraid35x.sys (LSI Logic Corporation)

DRV:64bit: - (iteraid) -- C:\Windows\SysNative\drivers\iteraid.sys (Integrated Technology Express, Inc.)

DRV:64bit: - (iteatapi) -- C:\Windows\SysNative\drivers\iteatapi.sys (Integrated Technology Express, Inc.)

DRV:64bit: - (pcmcia) -- C:\Windows\SysNative\drivers\pcmcia.sys (Microsoft Corporation)

DRV:64bit: - (UlSata) -- C:\Windows\SysNative\drivers\ulsata.sys (Promise Technology, Inc.)

DRV:64bit: - (ql40xx) -- C:\Windows\SysNative\drivers\ql40xx.sys (QLogic Corporation)

DRV:64bit: - (sbp2port) -- C:\Windows\SysNative\drivers\sbp2port.sys (Microsoft Corporation)

DRV:64bit: - (aic78xx) -- C:\Windows\SysNative\drivers\djsvs.sys (Adaptec, Inc.)

DRV:64bit: - (BTHMODEM) -- C:\Windows\SysNative\drivers\bthmodem.sys (Microsoft Corporation)

DRV:64bit: - (HidBth) -- C:\Windows\SysNative\drivers\hidbth.sys (Microsoft Corporation)

DRV:64bit: - (usbccgp) -- C:\Windows\SysNative\DRIVERS\usbccgp.sys (Microsoft Corporation)

DRV:64bit: - (usbcir) eHome Infrared Receiver (USBCIR) -- C:\Windows\SysNative\drivers\usbcir.sys (Microsoft Corporation)

DRV:64bit: - (HidIr) -- C:\Windows\SysNative\drivers\hidir.sys (Microsoft Corporation)

DRV:64bit: - (WacomPen) -- C:\Windows\SysNative\drivers\wacompen.sys (Microsoft Corporation)

DRV:64bit: - (sfloppy) -- C:\Windows\SysNative\drivers\sfloppy.sys (Microsoft Corporation)

DRV:64bit: - (Parport) -- C:\Windows\SysNative\drivers\parport.sys (Microsoft Corporation)

DRV:64bit: - (Brserid) Brother MFC Serial Port Interface Driver (WDM) -- C:\Windows\SysNative\drivers\brserid.sys (Brother Industries Ltd.)

DRV:64bit: - (BrSerWdm) -- C:\Windows\SysNative\drivers\brserwdm.sys (Brother Industries Ltd.)

DRV:64bit: - (BrUsbMdm) -- C:\Windows\SysNative\drivers\brusbmdm.sys (Brother Industries Ltd.)

DRV:64bit: - (mdmxsdk) -- C:\Windows\SysNative\DRIVERS\mdmxsdk.sys (Conexant)

DRV - (pfc) -- C:\Windows\SysWOW64\drivers\pfc.sys (Padus, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}

IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT3198785

IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F9 4D 84 0C A9 9F CB 01 [binary data]

IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\..\SearchScopes,DefaultScope = {F8B07734-2B06-42EE-97CC-8462CC07F325}

IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\..\SearchScopes\{0B37FBC1-F9A6-4B2D-9829-754F2C049ECE}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7

IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\..\SearchScopes\{2FD9507E-CF43-4216-9A20-F148235F8FD7}: "URL" = http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&camp=1789&creative=9325&keywords={searchTerms}

IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\..\SearchScopes\{F8B07734-2B06-42EE-97CC-8462CC07F325}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}

IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\..\SearchScopes\{FC56E86F-34BA-483F-A933-7390229974E0}: "URL" = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}

IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "WhiteSmoke US Customized Web Search"

FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=3&q={searchTerms}"

FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3198785&SearchSource=13"

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24

FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q="

FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_2_202_235.dll File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll ()

FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)

FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)

FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack\ [2012/05/26 16:00:33 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/05/27 18:43:35 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/05/27 18:43:35 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Components: C:\Program Files (x86)\Mozilla Thunderbird\components [2012/05/10 09:58:35 | 000,000,000 | ---D | M]

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Thunderbird 12.0.1\extensions\\Plugins: C:\Program Files (x86)\Mozilla Thunderbird\plugins

[2010/12/18 15:48:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Extensions

[2010/12/18 15:48:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}

[2012/05/26 15:54:24 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions

[2010/12/18 15:40:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2012/05/26 15:54:26 | 000,000,000 | ---D | M] (WhiteSmoke US Community Toolbar) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\{cce665dd-f6dd-4808-968e-eaec971f70ef}

[2010/12/18 15:40:34 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}

[2012/05/26 15:54:21 | 000,000,000 | ---D | M] (JetMP3) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\jetmp3@jetpack

[2012/04/07 09:10:56 | 000,000,000 | ---D | M] (We-Care Reminder) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\wecarereminder@bryan

[2012/05/22 11:24:04 | 000,000,929 | ---- | M] () -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\searchplugins\conduit.xml

[2011/12/14 04:26:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions

[2012/05/25 08:22:36 | 000,004,733 | ---- | M] () (No name found) -- C:\USERS\SUSANNAH\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3IBO47UN.DEFAULT\EXTENSIONS\SSZIVKQRDB@SSZIVKQRDB.ORG.XPI

[2012/05/04 13:03:50 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\mozilla firefox\components\browsercomps.dll

[2011/05/04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll

[2012/01/22 16:35:09 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml

[2012/01/22 16:35:09 | 000,002,040 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/05/31 06:50:11 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O2:64bit: - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (PlusIEEventHelper Class) - {551A852F-39A6-44A7-9C13-AFBEC9185A9D} - C:\Program Files (x86)\Nuance\PDF Viewer Plus\bin\PlusIEContextMenu.dll (Zeon Corporation)

O2 - BHO: (WeCareReminder Class) - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (We-Care.com)

O4:64bit: - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)

O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [brStsMon00] C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe (Brother Industries, Ltd.)

O4 - HKLM..\Run: [ControlCenter4] C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe (Brother Industries, Ltd.)

O4 - HKLM..\Run: [indexSearch] C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe (Nuance Communications, Inc.)

O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe (Nuance Communications, Inc.)

O4 - HKLM..\Run: [PDF5 Registry Controller] C:\Program Files (x86)\Nuance\PDF Viewer Plus\RegistryController.exe (Nuance Communications, Inc.)

O4 - HKLM..\Run: [PDFHook] C:\Program Files (x86)\Nuance\PDF Viewer Plus\pdfPro5Hook.exe (Nuance Communications, Inc.)

O4 - HKLM..\Run: [PhotoExplosionCalCheck] C:\Program Files (x86)\Nova Development\Photo Explosion Deluxe 3.0\CalCheck.exe (Ulead Systems, Inc.)

O4 - HKLM..\Run: [PPort12reminder] C:\Program Files (x86)\Nuance\PaperPort\Ereg\Ereg.exe (Nuance Communications, Inc.)

O4 - HKU\S-1-5-21-2477298372-428459766-202237345-1000..\Run: [iSUSPM] C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe (Acresso Corporation)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-2477298372-428459766-202237345-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-2477298372-428459766-202237345-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8:64bit: - Extra context menu item: Open with PDF Viewer Plus - C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll (Zeon Corporation)

O8 - Extra context menu item: Open with PDF Viewer Plus - C:\Program Files (x86)\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll (Zeon Corporation)

O9:64bit: - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll (AVG Technologies CZ, s.r.o.)

O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3428694F-CAF6-4D53-AC0A-6444815FB9E6}: DhcpNameServer = 192.168.0.1

O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{FAD664F1-E5D1-4CB3-B368-EDED782DFBDD}: DhcpNameServer = 192.168.0.1

O18:64bit: - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll (AVG Technologies CZ, s.r.o.)

O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found

O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found

O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found

O18:64bit: - Protocol\Handler\ms-help - No CLSID value found

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Users\Susannah\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O24 - Desktop BackupWallPaper: C:\Users\Susannah\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2008/03/25 09:11:02 | 000,000,050 | R--- | M] () - D:\autorun.inf -- [ CDFS ]

O34 - HKLM BootExecute: (autocheck autochk *)

O34 - HKLM BootExecute: (C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart)

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)

O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/31 06:58:09 | 000,000,000 | ---D | C] -- C:\Windows\temp

[2012/05/31 06:58:09 | 000,000,000 | ---D | C] -- C:\Users\Susannah\AppData\Local\temp

[2012/05/31 06:50:20 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN

[2012/05/30 07:13:35 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe

[2012/05/30 07:13:35 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe

[2012/05/30 07:13:35 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe

[2012/05/29 08:15:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG

[2012/05/27 19:19:32 | 000,000,000 | ---D | C] -- C:\Users\Susannah\AppData\Roaming\Malwarebytes

[2012/05/27 19:19:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware

[2012/05/27 19:19:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

[2012/05/27 19:19:21 | 000,024,904 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

[2012/05/27 19:19:21 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware

[2012/05/27 19:12:44 | 000,000,000 | ---D | C] -- C:\Users\Susannah\Desktop\RK_Quarantine

[2012/05/27 19:11:52 | 000,000,000 | ---D | C] -- C:\Users\Susannah\Desktop\Virus

[2012/05/27 19:06:17 | 000,000,000 | ---D | C] -- C:\ProgramData\GFI Software

[2012/05/27 19:02:31 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT

[2012/05/27 18:49:15 | 000,000,000 | ---D | C] -- C:\Qoobox

[2012/05/26 16:08:37 | 000,000,000 | ---D | C] -- C:\Users\Susannah\AppData\Roaming\AVG2012

[2012/05/26 16:01:23 | 000,000,000 | -H-D | C] -- C:\ProgramData\Common Files

[2012/05/26 16:00:58 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\drivers\AVG

[2012/05/26 16:00:23 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2012

[2012/05/26 16:00:23 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\drivers\AVG

[2012/05/26 16:00:23 | 000,000,000 | ---D | C] -- C:\$AVG

[2012/05/26 15:58:13 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG

[2012/05/26 15:54:20 | 000,000,000 | ---D | C] -- C:\Users\Susannah\AppData\Local\jetmp3

[2012/05/26 15:54:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Conduit

[2012/05/26 15:54:19 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData

[2012/05/26 15:54:15 | 000,000,000 | ---D | C] -- C:\Users\Susannah\AppData\Local\Conduit

[2012/05/13 10:10:25 | 000,419,488 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe

[2012/05/12 09:55:08 | 000,024,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jnwmon.dll

[2012/05/12 09:55:04 | 001,556,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll

[2012/05/12 09:55:02 | 002,002,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10warp.dll

[2012/05/12 09:55:02 | 000,327,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1core.dll

[2012/05/12 09:55:01 | 000,834,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d2d1.dll

[2012/05/12 09:55:01 | 000,196,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1.dll

[2012/05/12 09:54:45 | 004,699,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe

[2012/05/05 14:30:50 | 000,000,000 | ---D | C] -- C:\Users\Susannah\Documents\MumboJumbo

[2012/05/05 14:30:49 | 000,000,000 | ---D | C] -- C:\ProgramData\MumboJumbo

[2012/05/05 14:24:42 | 000,000,000 | ---D | C] -- C:\Users\Susannah\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MumboJumbo

[2012/05/05 14:24:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MumboJumbo

[2012/05/04 13:03:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Mozilla

[2012/05/04 13:03:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Mozilla Maintenance Service

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

[1 C:\Users\Susannah\Desktop\*.tmp files -> C:\Users\Susannah\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/06/01 15:14:27 | 000,004,576 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2012/06/01 15:14:27 | 000,004,576 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2012/06/01 08:13:21 | 099,618,711 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm

[2012/05/31 17:13:14 | 000,048,223 | ---- | M] () -- C:\Windows\SysNative\drivers\AVG\iavichjg.avm

[2012/05/31 07:22:20 | 000,703,516 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2012/05/31 07:22:20 | 000,604,502 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2012/05/31 07:22:20 | 000,104,202 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2012/05/31 07:14:18 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2012/05/31 06:50:11 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts

[2012/05/30 21:46:06 | 000,002,637 | ---- | M] () -- C:\Users\Susannah\Desktop\Microsoft Word 2010.lnk

[2012/05/30 21:36:11 | 000,000,948 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/05/29 08:15:04 | 000,000,872 | ---- | M] () -- C:\Users\Public\Desktop\AVG 2012.lnk

[2012/05/27 21:33:27 | 000,414,672 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[2012/05/27 19:08:18 | 000,000,258 | ---- | M] () -- C:\Windows\ulead32.ini

[2012/05/27 17:21:52 | 000,001,460 | ---- | M] () -- C:\Users\Susannah\AppData\Local\d3d9caps64.dat

[2012/05/27 07:41:19 | 000,034,814 | ---- | M] () -- C:\Users\Susannah\AppData\Local\dt.dat

[2012/05/26 16:00:58 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\drivers\AVG\incavi.avm

[2012/05/26 16:00:58 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\drivers\AVG\iavichjw.avm

[2012/05/13 10:10:25 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe

[2012/05/13 10:10:25 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl

[2012/05/13 03:05:55 | 000,000,034 | ---- | M] () -- C:\Windows\SysWow64\BXD2140.DAT

[2012/05/10 09:58:37 | 000,001,868 | ---- | M] () -- C:\Users\Susannah\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Thunderbird.lnk

[2012/05/10 09:58:37 | 000,001,844 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Thunderbird.lnk

[2012/05/10 09:53:34 | 000,000,426 | ---- | M] () -- C:\Windows\BRWMARK.INI

[2012/05/05 14:24:54 | 000,001,110 | ---- | M] () -- C:\Users\Susannah\Desktop\LUXOR - Mah Jong.lnk

[2012/05/05 14:24:50 | 000,001,010 | ---- | M] () -- C:\Users\Susannah\Desktop\LUXOR 2.lnk

[2012/05/05 14:24:45 | 000,001,106 | ---- | M] () -- C:\Users\Susannah\Desktop\LUXOR - Amun Rising.lnk

[2012/05/05 14:24:42 | 000,000,985 | ---- | M] () -- C:\Users\Susannah\Desktop\LUXOR.lnk

[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

[1 C:\Users\Susannah\Desktop\*.tmp files -> C:\Users\Susannah\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/06/01 08:13:21 | 099,618,711 | ---- | C] () -- C:\Windows\SysNative\drivers\AVG\incavi.avm

[2012/05/31 17:13:14 | 000,048,223 | ---- | C] () -- C:\Windows\SysNative\drivers\AVG\iavichjg.avm

[2012/05/30 07:13:35 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe

[2012/05/30 07:13:35 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe

[2012/05/30 07:13:35 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe

[2012/05/30 07:13:35 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe

[2012/05/30 07:13:35 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe

[2012/05/27 19:19:23 | 000,000,948 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

[2012/05/27 07:41:19 | 000,034,814 | ---- | C] () -- C:\Users\Susannah\AppData\Local\dt.dat

[2012/05/26 16:01:02 | 000,000,872 | ---- | C] () -- C:\Users\Public\Desktop\AVG 2012.lnk

[2012/05/26 16:00:58 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\drivers\AVG\incavi.avm

[2012/05/26 16:00:58 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\drivers\AVG\iavichjw.avm

[2012/05/10 09:58:37 | 000,001,856 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Thunderbird.lnk

[2012/05/05 14:30:21 | 000,001,110 | ---- | C] () -- C:\Users\Susannah\Desktop\LUXOR - Mah Jong.lnk

[2012/05/05 14:30:02 | 000,001,106 | ---- | C] () -- C:\Users\Susannah\Desktop\LUXOR - Amun Rising.lnk

[2012/05/05 14:29:47 | 000,001,010 | ---- | C] () -- C:\Users\Susannah\Desktop\LUXOR 2.lnk

[2012/05/05 14:29:33 | 000,000,985 | ---- | C] () -- C:\Users\Susannah\Desktop\LUXOR.lnk

[2012/04/22 11:22:47 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\BRTCPCON.DLL

[2012/04/22 11:22:43 | 000,000,114 | ---- | C] () -- C:\Windows\SysWow64\BRLMW03A.INI

[2012/04/15 22:49:38 | 000,000,552 | ---- | C] () -- C:\Users\Susannah\AppData\Local\d3d8caps.dat

[2012/01/08 21:37:54 | 000,000,023 | ---- | C] () -- C:\Windows\BlendSettings.ini

[2010/12/19 12:34:39 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll

[2010/12/19 12:33:40 | 000,107,612 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchema.bin

[2010/12/19 12:32:48 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

[2010/12/19 00:58:14 | 000,000,258 | ---- | C] () -- C:\Windows\ulead32.ini

[2010/12/18 20:13:05 | 000,018,904 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchemaTrivial.bin

[2010/12/18 16:24:16 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\BXD2140.DAT

[2010/12/18 16:06:28 | 000,000,426 | ---- | C] () -- C:\Windows\BRWMARK.INI

[2010/12/18 16:06:27 | 000,000,034 | ---- | C] () -- C:\Windows\SysWow64\BD2140.DAT

[2010/12/18 15:58:25 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI

[2010/12/18 15:39:49 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat

[2010/12/18 15:38:47 | 000,019,456 | ---- | C] () -- C:\Users\Susannah\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/12/18 15:20:51 | 000,001,460 | ---- | C] () -- C:\Users\Susannah\AppData\Local\d3d9caps64.dat

< End of report >


  • Staff

Hello

Run this custom script and, when it is complete, I need to know how the computer is doing.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word Code

    :OTL
    FF - user.js - File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_2_202_235.dll File not found
    O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.condui...&ctid=CT3198785
    FF - prefs.js..browser.search.defaultthis.engineName: "WhiteSmoke US Customized Web Search"
    FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=3&q={searchTerms}"
    FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3198785&SearchSource=13"
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q="
    [2012/05/26 15:54:26 | 000,000,000 | ---D | M] (WhiteSmoke US Community Toolbar) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\{cce665dd-f6dd-4808-968e-eaec971f70ef}
    [2012/04/07 09:10:56 | 000,000,000 | ---D | M] (We-Care Reminder) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\wecarereminder@bryan
    [2012/05/22 11:24:04 | 000,000,929 | ---- | M] () -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\searchplugins\conduit.xml
    [2012/05/25 08:22:36 | 000,004,733 | ---- | M] () (No name found) -- C:\USERS\SUSANNAH\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3IBO47UN.DEFAULT\EXTENSIONS\SSZIVKQRDB@SSZIVKQRDB.ORG.XPI
    [2012/05/26 15:54:20 | 000,000,000 | ---D | C] -- C:\Users\Susannah\AppData\Local\jetmp3
    [2012/05/26 15:54:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Conduit
    [2012/05/26 15:54:19 | 000,000,000 | ---D | C] -- C:\ProgramData\MFAData
    [2012/05/26 15:54:15 | 000,000,000 | ---D | C] -- C:\Users\Susannah\AppData\Local\Conduit

    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]


  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

Let me know how things are doing.

Gringo

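As an added example (not part of this thread, and not OTL's own code), here is a small Python checker that reads OTL report lines like the ones posted above and flags what the fix script targets: Firefox prefs.js search and home-page keys pointing at a host outside an allowlist, IE SearchScopes entries outside that allowlist, unnamed or unknown profile extensions, and search plugins dropped into the user profile. The allowlists are assumptions for the example, and the sample lines are copied from the log in this thread.

```python
import re
from urllib.parse import urlparse

# Search and home-page hosts a reviewer expects in OTL output; anything else is
# reported. This allowlist is an assumption for the example, not part of OTL.
EXPECTED_HOSTS = {
    "www.google.com", "www.bing.com", "search.yahoo.com",
    "en.wikipedia.org", "www.amazon.com",
}
# Firefox prefs.js keys that search hijackers overwrite (all three appear in the log).
HIJACK_KEYS = {"browser.search.defaulturl", "browser.startup.homepage", "keyword.URL"}
# Profile extensions treated as legitimate here (assumed for the example).
KNOWN_EXTENSIONS = {"Microsoft .NET Framework Assistant", "Adobe DLM (powered by getPlus®)"}

# Line shapes taken from the OTL report format: FF prefs, IE SearchScopes, file entries.
FF_PREF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<key>[\w.]+): "(?P<value>[^"]*)"$')
IE_SCOPE_RE = re.compile(
    r'^IE - HKU\\[^\\]+\\\.\.\\SearchScopes\\\{(?P<guid>[^}]+)\}: "URL" = (?P<url>\S+)$')
FILE_ENTRY_RE = re.compile(
    r'^\[[^\]]+\] \((?P<name>.*?)\)(?: \(No name found\))? -- (?P<path>.+)$')


def host_of(url):
    """Lower-cased hostname of a URL, or '' when the value is not a URL."""
    return (urlparse(url).hostname or "").lower()


def scan_otl_lines(lines, expected_hosts=EXPECTED_HOSTS, known_extensions=KNOWN_EXTENSIONS):
    """Return (kind, subject, detail) tuples for browser settings that point at an
    unexpected host, unknown or unnamed profile extensions, and search plugins
    dropped into the user profile."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = FF_PREF_RE.match(line)
        if m:
            key, host = m.group("key"), host_of(m.group("value"))
            if key in HIJACK_KEYS and host not in expected_hosts:
                findings.append(("firefox-pref", key, host))
            continue
        m = IE_SCOPE_RE.match(line)
        if m:
            host = host_of(m.group("url"))
            if host not in expected_hosts:
                findings.append(("ie-searchscope", m.group("guid"), host))
            continue
        m = FILE_ENTRY_RE.match(line)
        if not m:
            continue
        name, path = m.group("name"), m.group("path")
        low = path.lower()
        if "\\extensions\\" in low:
            # Entry inside an extensions folder: flag unless its name is on the allowlist.
            if name not in known_extensions:
                label = name if name and name != "No name found" else "<unnamed>"
                findings.append(("firefox-extension", label, path))
        elif "\\searchplugins\\" in low and "\\profiles\\" in low:
            # Search plugins normally live under the Firefox install dir, not the profile.
            findings.append(("profile-searchplugin", path.rsplit("\\", 1)[-1], path))
    return findings


# Constructed sample: lines copied from the OTL log in this thread.
SAMPLE_OTL_LINES = r"""
IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\..\SearchScopes\{0B37FBC1-F9A6-4B2D-9829-754F2C049ECE}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b2ie7
IE - HKU\S-1-5-21-2477298372-428459766-202237345-1000\..\SearchScopes\{F8B07734-2B06-42EE-97CC-8462CC07F325}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
FF - prefs.js..browser.search.defaultthis.engineName: "WhiteSmoke US Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3198785&SearchSource=13"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q="
FF - user.js - File not found
[2010/12/18 15:40:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/05/26 15:54:26 | 000,000,000 | ---D | M] (WhiteSmoke US Community Toolbar) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\{cce665dd-f6dd-4808-968e-eaec971f70ef}
[2010/12/18 15:40:34 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7}
[2012/05/22 11:24:04 | 000,000,929 | ---- | M] () -- C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\searchplugins\conduit.xml
[2011/12/14 04:26:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/05/25 08:22:36 | 000,004,733 | ---- | M] () (No name found) -- C:\USERS\SUSANNAH\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\3IBO47UN.DEFAULT\EXTENSIONS\SSZIVKQRDB@SSZIVKQRDB.ORG.XPI
[2012/01/22 16:35:09 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
"""

if __name__ == "__main__":
    for kind, subject, detail in scan_otl_lines(SAMPLE_OTL_LINES.splitlines()):
        print(f"{kind:22} {subject:40} {detail}")
```

Run against the sample it reports the three conduit.com prefs, the WhiteSmoke toolbar, the unnamed .xpi and the profile-level conduit.xml, while the Google and Yahoo scopes and the install-directory bing.xml stay quiet.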

  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you, it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.

Gringo


Gringo,

Sorry I have not been getting back to you quickly. I do appreciate the time and help you are giving me, just trying to find time to sit down and work with the computer.

The whitesmoke toolbar is gone and I am getting redirected less with the computer, however I am still being redirected to an ad site every once in a while (maybe every 10-15 minutes of internet browsing).

The following is my report from OTL:

========== OTL ==========

64bit-Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@adobe.com/FlashPlayer\ deleted successfully.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully.

File Protocol\Handler\msdaipp - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\0x00000001\ not found.

File Protocol\Handler\msdaipp\0x00000001 - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\oledb\ not found.

File Protocol\Handler\msdaipp\oledb - No CLSID value found not found.

64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.

File Protocol\Handler\ms-help - No CLSID value found not found.

HKU\S-1-5-21-2477298372-428459766-202237345-1000\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!

Prefs.js: "WhiteSmoke US Customized Web Search" removed from browser.search.defaultthis.engineName

Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=3&q={searchTerms}" removed from browser.search.defaulturl

Prefs.js: "http://search.conduit.com/?ctid=CT3198785&SearchSource=13" removed from browser.startup.homepage

Prefs.js: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q=" removed from keyword.URL

Folder C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\{cce665dd-f6dd-4808-968e-eaec971f70ef}\ not found.

C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\wecarereminder@bryan\META-INF folder moved successfully.

C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\wecarereminder@bryan\defaults\preferences folder moved successfully.

C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\wecarereminder@bryan\defaults folder moved successfully.

C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\wecarereminder@bryan\components folder moved successfully.

C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\wecarereminder@bryan\chrome\logo folder moved successfully.

C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\wecarereminder@bryan\chrome folder moved successfully.

C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\wecarereminder@bryan folder moved successfully.

C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\searchplugins\conduit.xml moved successfully.

C:\Users\Susannah\AppData\Roaming\Mozilla\Firefox\Profiles\3ibo47un.default\extensions\sszivkqrdb@sszivkqrdb.org.xpi moved successfully.

C:\Users\Susannah\AppData\Local\jetmp3\ie folder moved successfully.

C:\Users\Susannah\AppData\Local\jetmp3 folder moved successfully.

C:\Program Files (x86)\Conduit\Community Alerts folder moved successfully.

C:\Program Files (x86)\Conduit folder moved successfully.

C:\ProgramData\MFAData\pack folder moved successfully.

C:\ProgramData\MFAData\logs folder moved successfully.

C:\ProgramData\MFAData folder moved successfully.

C:\Users\Susannah\AppData\Local\Conduit folder moved successfully.

========== FILES ==========

< ipconfig /flushdns /c >

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\Susannah\Desktop\Virus\cmd.bat deleted successfully.

C:\Users\Susannah\Desktop\Virus\cmd.txt deleted successfully.

========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: AppData

User: Default

User: Default User

User: Public

User: Susannah

->Java cache emptied: 119509 bytes

Total Java Files Cleaned = 0.00 mb

[EMPTYFLASH]

User: All Users

User: AppData

User: Default

->Flash cache emptied: 56502 bytes

User: Default User

->Flash cache emptied: 0 bytes

User: Public

User: Susannah

->Flash cache emptied: 1007 bytes

Total Flash Files Cleaned = 0.00 mb

OTL by OldTimer - Version 3.2.45.0 log created on 06032012_101002


  • Staff

Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you, it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.

Gringo


  • Staff

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.

Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better of a job).

  • Programs to remove
    • µTorrent
    • Java™ 6 Update 26
    • Malwarebytes Anti-Malware version 1.61.0.1400

  • Please download and install
Revo Uninstaller FreeDouble click Revo Uninstaller to run it.
From the list of programs double click on The Program to remove
When prompted if you want to uninstall click Yes.
Be sure the Moderate option is selected then click Next.
The program will run, If prompted again click Yes
when the built-in uninstaller is finished click on Next.
Once the program has searched for leftovers click Next.
Check/tick the bolded items only on the list then click Delete
when prompted click on Yes and then on next.
put a check on any folders that are found and select delete
when prompted select yes then on next
Once done click Finish.


Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

Malwarebytes' Anti-Malware

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**

Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe

(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit

(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit

and select Run as administrator.

"information and logs"

  • In your next post I need the following:
  1. Log From MBAM
  2. report from Hijackthis
  3. let me know of any problems you may have had
  4. How is the computer doing now?

Gringo
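Before starting Revo, it helps to know which of the listed programs the earlier cleanup already removed. The following PowerShell script is an added example, not part of Gringo's instructions or of any of the tools named in this thread: it only reads the Add/Remove Programs registry keys and reports each listed program as still installed or already gone. The program names are taken from the post above; the loose prefix matching is an assumption.

```powershell
# Added example (not from the original thread): report whether the programs
# listed for removal are still registered in Add/Remove Programs.
# Read-only: nothing is uninstalled or changed.

# Names from the post; Java's registered name is "Java(TM) 6 Update 26",
# so a wildcard is used for it (assumption: prefix matching is good enough).
$Targets = @('µTorrent', 'Java*6 Update 26', 'Malwarebytes Anti-Malware')

# Machine-wide 64-bit, machine-wide 32-bit (WOW6432Node on 64-bit Windows),
# and per-user installs (µTorrent normally installs per user).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every entry that has a DisplayName (hidden/system entries usually do not).
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, UninstallString

foreach ($name in $Targets) {
    # Case-insensitive wildcard match; DisplayName often carries a version suffix.
    $hits = $Installed | Where-Object { $_.DisplayName -like "$name*" }
    if ($hits) {
        foreach ($h in $hits) {
            'STILL INSTALLED: {0} {1}  (uninstaller: {2})' -f `
                $h.DisplayName, $h.DisplayVersion, $h.UninstallString
        }
    } else {
        "already gone:    $name"
    }
}
```

Run it from a PowerShell prompt on the affected machine; anything reported as STILL INSTALLED is what to select in Revo, and anything reported as already gone can be skipped as the NOTE above says.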


Greetings

I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools

Gringo


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
