Help with Whitesmoke


Hello sledhead627 and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would also be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Step 1

Please uninstall the following applications:

WhiteSmoke

Yontoo 1.10.02

Step 2

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java :

Please download JavaRa to your desktop and unzip it to its own folder

  • Run JavaRa.exe, then click Remove Older Versions.
  • Run the built-in uninstallers for all copies of Java listed
  • Click the Next button
  • Click the Next button again
  • Click the Java Manual Download link
  • A browser window will open with the Java download page
  • Click the Windows Offline (32-bit) or Windows Offline (64-bit) link to download Java (based on your system's version)
  • Run the installer
  • Close JavaRa

Step 3

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 4

  • Launch Malwarebytes' Anti-Malware
  • Go to Update tab and select Check for Updates. If an update is found, it will download and install the latest version.
  • Go to Scanner tab and select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step 5

Please download AdwCleaner from here and save it on your Desktop.

  1. Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
  2. Now click on the Search tab.
  3. Please post the contents of the log-file created in your next post.

Note: The log can also be found at C:\AdwCleaner[XX].txt, where XX denotes the number of times the application has been run, so in this case it should be something like R1.

In your next reply, post the following log files:

  • JavaRa log
  • TDSSKiller log
  • Malwarebytes' Anti-Malware log
  • AdwCleaner log
  • a new fresh DDS log


When I run DDS it asks to disable script blockers - I don't really know how to do that so I just have disconnected from the internet and disabled the virus program. Also, where are the Java log files? I've gone through all the steps, but it looks like there is a setting in JavaRA2.0 to make log files - this was unchecked so maybe I don't have a log file to share. Anyway, I am about to send everything else per your instructions above.


TDSS logs: 3 were created

#1:

10:15:40.0859 4028 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24

10:15:41.0187 4028 ============================================================

10:15:41.0187 4028 Current date / time: 2012/09/23 10:15:41.0187

10:15:41.0187 4028 SystemInfo:

10:15:41.0187 4028

10:15:41.0187 4028 OS Version: 5.1.2600 ServicePack: 3.0

10:15:41.0187 4028 Product type: Workstation

10:15:41.0187 4028 ComputerName: KRB2008

10:15:41.0187 4028 UserName: Kevin Brown

10:15:41.0187 4028 Windows directory: C:\WINDOWS

10:15:41.0187 4028 System windows directory: C:\WINDOWS

10:15:41.0187 4028 Processor architecture: Intel x86

10:15:41.0187 4028 Number of processors: 2

10:15:41.0187 4028 Page size: 0x1000

10:15:41.0187 4028 Boot type: Normal boot

10:15:41.0187 4028 ============================================================

10:15:43.0000 4028 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

10:15:43.0015 4028 ============================================================

10:15:43.0015 4028 \Device\Harddisk0\DR0:

10:15:43.0015 4028 MBR partitions:

10:15:43.0015 4028 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x2738A, BlocksNum 0x129ED876

10:15:43.0015 4028 ============================================================

10:15:43.0093 4028 C: <-> \Device\Harddisk0\DR0\Partition1

10:15:43.0093 4028 ============================================================

10:15:43.0093 4028 Initialize success

10:15:43.0093 4028 ============================================================

10:16:24.0250 4592 Deinitialize success

and #3

10:26:28.0640 1548 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24

10:26:28.0750 1548 ============================================================

10:26:28.0750 1548 Current date / time: 2012/09/23 10:26:28.0750

10:26:28.0750 1548 SystemInfo:

10:26:28.0750 1548

10:26:28.0750 1548 OS Version: 5.1.2600 ServicePack: 3.0

10:26:28.0750 1548 Product type: Workstation

10:26:28.0750 1548 ComputerName: KRB2008

10:26:28.0750 1548 UserName: Kevin Brown

10:26:28.0750 1548 Windows directory: C:\WINDOWS

10:26:28.0750 1548 System windows directory: C:\WINDOWS

10:26:28.0750 1548 Processor architecture: Intel x86

10:26:28.0750 1548 Number of processors: 2

10:26:28.0750 1548 Page size: 0x1000

10:26:28.0750 1548 Boot type: Normal boot

10:26:28.0750 1548 ============================================================

10:26:30.0828 1548 BG loaded

10:26:31.0703 1548 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

10:26:31.0703 1548 ============================================================

10:26:31.0703 1548 \Device\Harddisk0\DR0:

10:26:31.0703 1548 MBR partitions:

10:26:31.0703 1548 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x2738A, BlocksNum 0x129ED876

10:26:31.0703 1548 ============================================================

10:26:31.0781 1548 C: <-> \Device\Harddisk0\DR0\Partition1

10:26:31.0796 1548 ============================================================

10:26:31.0796 1548 Initialize success

10:26:31.0796 1548 ============================================================

10:26:44.0578 0760 Deinitialize success


Malwarebytes log

Malwarebytes Anti-Malware 1.65.0.1400

www.malwarebytes.org

Database version: v2012.09.23.04

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Kevin Brown :: KRB2008 [administrator]

9/23/2012 10:33:09 AM

mbam-log-2012-09-23 (10-33-09).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 245561

Time elapsed: 12 minute(s), 44 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 1

C:\Documents and Settings\Kevin Brown\Local Settings\Temporary Internet Files\Content.IE5\RO0UEIAD\Setup[1].exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.

(end)


AdwCleaner Log - your instructions did not say to perform the delete operation so I did not do that.

# AdwCleaner v2.002 - Logfile created 09/23/2012 at 10:54:05

# Updated 16/09/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Kevin Brown - KRB2008

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Kevin Brown\Desktop\adwcleaner.exe

# Option [search]

***** [services] *****

***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\All Users\Application Data\boost_interprocess

Folder Found : C:\Documents and Settings\All Users\Application Data\Tarma Installer

Folder Found : C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Conduit

Folder Found : C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kfkcangbigakljkjeglcofaomihpejif

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit

Key Found : HKCU\Software\Conduit

Key Found : HKCU\Software\DataMngr

Key Found : HKCU\Software\Google\Chrome\Extensions\kfkcangbigakljkjeglcofaomihpejif

Key Found : HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Search

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}

Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE07101B-46D4-4A98-AF68-0333EA26E113}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4DE90BB-150D-4B33-95FE-6BAAC97E1C21}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F2D6C718-7E52-428E-8852-365C4B1A6E36}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}

Key Found : HKCU\Software\SmartBar

Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}

Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}

Key Found : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}

Key Found : HKLM\SOFTWARE\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}

Key Found : HKLM\Software\Freeze.com

Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\kfkcangbigakljkjeglcofaomihpejif

Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}

Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}

Key Found : HKLM\Software\Tarma Installer

Key Found : HKU\S-1-5-21-2558596563-2776473477-71789554-1005\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}

Key Found : HKU\S-1-5-21-2558596563-2776473477-71789554-1005\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}

Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}]

Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[HKCU\Software\Microsoft\Internet Explorer\Main - Search Page] = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms}

[HKCU\Software\Microsoft\Internet Explorer\Main - Search Bar] = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms}

[HKCU\Software\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms}

[HKCU\Software\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms}

-\\ Google Chrome v21.0.1180.89

File : C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Found [l.13] : homepage = "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48",

Found [l.17] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48" ]

Found [l.53] : icon_url = "hxxp://search.conduit.com/fav.ico",

Found [l.56] : keyword = "search.conduit.com",

Found [l.59] : search_url = "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3244149",

Found [l.1362] : homepage = "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48",

Found [l.1724] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48" ]

*************************

AdwCleaner[R1].txt - [6165 octets] - [23/09/2012 10:54:05]

########## EOF - C:\AdwCleaner[R1].txt - [6225 octets] ##########

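To make an AdwCleaner [search] log like the one above quicker to triage, here is an added Python example (not part of this thread, and not AdwCleaner's own code). It parses the `Folder/File/Key/Value Found` lines and the defanged `hxxp://` browser settings, attributes each item to one of the adware families visible in the log (Conduit, WhiteSmoke/helperbar, Tarma Installer, DataMngr, SmartBar, Freeze.com), and lists the hosts the home page and search settings were redirected to. The embedded sample log is constructed from a few lines in the shape of the posted one, with the user name replaced by a placeholder; the `FAMILY_MARKERS` table is my own assumption about which substrings identify which family, not something AdwCleaner exposes. Because DDS pseudo-HJT lines such as `uSearch Page = hxxp://...` carry URLs in the same defanged shape, the URL extraction works on those lines as well.

```python
"""Summarise an AdwCleaner [search] log: what was found, which adware family
each item points at, and which home-page/search URLs were hijacked.
Added example, not AdwCleaner's own code."""
import re
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Substrings (matched case-insensitively) that tie a path, registry key or
# URL to a family seen in the posted log. Assumption for this example only.
FAMILY_MARKERS = [
    ("conduit", "Conduit"),
    ("helperbar", "WhiteSmoke/helperbar"),
    ("whitesmoke", "WhiteSmoke/helperbar"),
    ("tarma", "Tarma Installer"),
    ("datamngr", "DataMngr"),
    ("smartbar", "SmartBar"),
    ("freeze.com", "Freeze.com"),
]

FOUND_RE = re.compile(r"^(Folder|File|Key|Value) Found : (.+)$")
# AdwCleaner (and DDS) defang URLs as hxxp://; we only match that form.
URL_RE = re.compile(r"""hxxps?://[^\s"'\[\],]+""")

# Constructed sample in the shape of the [search] log posted above.
SAMPLE_LOG = r"""
# AdwCleaner v2.002 - Logfile created 09/23/2012 at 10:54:05
# Option [search]
***** [Files / Folders] *****
Folder Found : C:\Documents and Settings\All Users\Application Data\Tarma Installer
Folder Found : C:\Documents and Settings\USER\Local Settings\Application Data\Conduit
***** [Registry] *****
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\DataMngr
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}
Key Found : HKLM\Software\Tarma Installer
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}]
***** [internet Browsers] *****
-\\ Internet Explorer v8.0.6001.18702
[HKCU\Software\Microsoft\Internet Explorer\Main - Search Page] = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&q={searchTerms}
-\\ Google Chrome v21.0.1180.89
Found [l.13] : homepage = "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48",
Found [l.59] : search_url = "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3244149",
"""


@dataclass
class Finding:
    kind: str      # Folder / File / Key / Value / URL
    target: str    # path, registry key or defanged URL
    family: str    # attributed family, or "unknown"


@dataclass
class Report:
    findings: list = field(default_factory=list)
    families: Counter = field(default_factory=Counter)

    def hijacked_hosts(self):
        """Hosts of every hijacked home-page/search URL, deduplicated and sorted."""
        hosts = set()
        for f in self.findings:
            if f.kind == "URL":
                # Re-fang only for parsing; the stored target stays defanged.
                hosts.add(urlsplit(f.target.replace("hxxp", "http", 1)).hostname)
        return sorted(hosts)


def attribute(text):
    """Map a path, key or URL to a family via the marker table."""
    low = text.lower()
    for marker, family in FAMILY_MARKERS:
        if marker in low:
            return family
    return "unknown"


def parse_adwcleaner(text):
    """Walk the log once; header (#) and section (*****) lines are skipped."""
    report = Report()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("*****"):
            continue
        m = FOUND_RE.match(line)
        if m:
            kind, target = m.groups()
            report.findings.append(Finding(kind, target, attribute(target)))
            continue
        # Browser-settings lines carry the hijacked URL(s) inline.
        for url in URL_RE.findall(line):
            report.findings.append(Finding("URL", url, attribute(url)))
    for f in report.findings:
        report.families[f.family] += 1
    return report


if __name__ == "__main__":
    rep = parse_adwcleaner(SAMPLE_LOG)
    for fam, n in rep.families.most_common():
        print(f"{n:3d}  {fam}")
    print("hijacked hosts:", ", ".join(rep.hijacked_hosts()))
```

Items that fall into "unknown" (the SearchScopes GUID key and the toolbar value in the sample) are exactly the ones a helper still has to look up by CLSID, so the summary tells you where the manual work remains rather than hiding it.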

New DDS LOG.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2

Run by Kevin Brown at 11:01:44 on 2012-09-23

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.970 [GMT -5:00]

.

AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Java\jre7\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Apoint\ApMsgFwd.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe

C:\Program Files\Wave Systems Corp\SecureUpgrade.exe

C:\WINDOWS\system32\KADxMain.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe

C:\Program Files\Motorola\MOTOPRINT Host\PrintService.exe

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Documents and Settings\All Users\Application Data\OfficeGuardian\reminder\SacReminder.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Update\1.3.21.123\GoogleCrashHandler.exe

C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Akamai\netsession_win.exe

C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Akamai\netsession_win.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uSearch Page = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms}

uSearch Bar = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms}

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1080102

uInternet Settings,ProxyOverride = *.local;<local>

uSearchAssistant = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms}

mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

{ae07101b-46d4-4a98-af68-0333ea26e113}

TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File

TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll

EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler

uRun: [sacReminder] c:\documents and settings\all users\application data\officeguardian\reminder\SacReminder.exe

uRun: [Google Update] "c:\documents and settings\kevin brown\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Akamai NetSession Interface] "c:\documents and settings\kevin brown\local settings\application data\akamai\netsession_win.exe"

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /installquiet

mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe

mRun: [secureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe

mRun: [KADxMain] c:\windows\system32\KADxMain.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [EPSON PictureMate] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate"

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe

mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume

mRun: [AmazonGSDownloaderTray] c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderTray.exe

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized

mRun: [MOTOPRINTUPnPPrintService] c:\program files\motorola\motoprint host\PrintService.exe shell.icon

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"

mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"

mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe

mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: &Search

IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB

DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/oneclickfix/tgctlsr.cab

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1346521139078

DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab

TCP: Interfaces\{1E547456-45EE-4063-B72F-1D695550CAD3} : DhcpNameServer = 68.87.72.130 68.87.77.130 68.87.66.196

TCP: Interfaces\{E2A90F7B-0AAC-4C0D-B6BF-A0EADAE01FA8} : DhcpNameServer = 68.87.72.130 68.87.77.130 68.87.66.196

Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

LSA: Authentication Packages = msv1_0 wvauth relog_ap

.

============= SERVICES / DRIVERS ===============

.

R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [2009-10-21 20352]

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-12-20 1814720]

R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]

R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-31 106656]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120921.002\naveng.sys [2012-9-21 92704]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120921.002\navex15.sys [2012-9-21 1601184]

R3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [2008-5-15 10112]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-16 136176]

S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-8-13 3064000]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-12 250568]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\amazon\amazon games & software downloader\AmazonGSDownloaderService.exe [2009-11-7 297472]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-16 136176]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-12-20 116928]

S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-10-21 25704]

S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2009-10-21 25704]

S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2009-10-21 25704]

S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2009-10-21 25704]

S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2009-10-21 25704]

.

=============== Created Last 30 ================

.

2012-09-23 15:34:57 -------- d-----w- c:\documents and settings\kevin brown\local settings\application data\Sun

2012-09-23 15:22:15 -------- d-----w- C:\TDSSKiller_Quarantine

2012-09-23 15:08:01 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-09-23 15:07:53 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-09-23 13:50:32 -------- d-----w- c:\documents and settings\kevin brown\local settings\application data\Conduit

2012-09-23 12:42:41 -------- d-----w- c:\documents and settings\kevin brown\application data\No Company Name

2012-09-23 01:28:08 -------- d-----w- c:\documents and settings\kevin brown\local settings\application data\CRE

2012-09-22 15:59:57 -------- d-----w- c:\program files\VS Revo Group

2012-09-22 15:55:09 821736 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-09-22 14:24:37 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-09-22 12:14:24 -------- d-----w- c:\documents and settings\kevin brown\application data\Malwarebytes

2012-09-22 12:14:08 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-09-22 12:14:07 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-22 12:14:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-09-17 02:03:38 -------- d-----w- c:\documents and settings\kevin brown\local settings\application data\FileTypeAssistant

2012-09-17 01:44:37 -------- d-----w- c:\program files\File Type Assistant

2012-09-17 01:43:48 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer

2012-09-12 13:14:17 -------- d-----w- c:\documents and settings\kevin brown\application data\WhiteSmoke

2012-09-07 23:58:08 -------- dc----w- c:\documents and settings\kevin brown\local settings\application data\MigWiz

2012-09-03 12:11:17 -------- d-----w- c:\documents and settings\kevin brown\application data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2012-09-02 16:06:30 -------- d-----w- c:\documents and settings\kevin brown\syncdb

2012-09-02 02:51:27 -------- d-----w- c:\documents and settings\all users\application data\regid.1986-12.com.adobe

2012-09-02 00:41:20 -------- d-----w- C:\spoolerlogs

2012-09-01 18:58:19 -------- d-----w- c:\documents and settings\kevin brown\local settings\application data\Akamai

.

==================== Find3M ====================

.

2012-09-23 15:07:32 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-09 15:15:14 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-09-09 15:15:14 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec

2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys

.

============= FINISH: 11:02:51.90 ===============

.

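Added example, not part of the original thread and not a component of DDS, ComboFix or any Malwarebytes tool: a small Python triage pass over the kind of lines the DDS log above contains. It parses the `R#`/`S#` service and driver entries (running/stopped plus start type, name, display name, image path, date and size) and the `LSA: Authentication Packages` line, then raises review flags. The rules it applies (the trusted path roots, the list of generic host binaries, `msv1_0` as the only default authentication package) are assumptions of this example; a flag means "verify this against what is installed", not "malicious". The sample lines are copied from the log posted above.

```python
"""Triage of DDS-style 'SERVICES / DRIVERS' lines and the LSA Authentication
Packages line.  Example code written for this page; it is not part of DDS,
ComboFix or any Malwarebytes tool.  The review rules (TRUSTED_ROOTS,
GENERIC_HOSTS, DEFAULT_AUTH_PACKAGES) are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
LSA: Authentication Packages = msv1_0 wvauth relog_ap
R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [2009-10-21 20352]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb19 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-8-13 3064000]
S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2009-10-21 25704]
"""

# DDS prefix: R = running, S = stopped; digit = SCM start type
# (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)
META_RE = re.compile(r"^(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)$")
LSA_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(?P<pkgs>.+)$")
BIN_RE = re.compile(r"^(.*?\.(?:exe|sys|dll))(?:\s|$)", re.IGNORECASE)

# Assumptions of this example, not facts about the machine in the thread.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
GENERIC_HOSTS = {"dllhost.exe", "svchost.exe", "rundll32.exe"}
DEFAULT_AUTH_PACKAGES = {"msv1_0"}   # the only package on a stock XP install


@dataclass
class ServiceEntry:
    running: bool
    start_type: int
    name: str
    display: str
    image: str            # raw image string; may carry arguments or a ' --> ' resolution
    date: Optional[str]   # None when DDS printed [?] (it could not stat the file)
    size: Optional[int]


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one R#/S# line; return None for anything else."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    meta = META_RE.match(m.group("meta").strip())
    return ServiceEntry(
        running=m.group("state") == "R",
        start_type=int(m.group("start")),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        image=m.group("image").strip(),
        date=meta.group("date") if meta else None,
        size=int(meta.group("size")) if meta else None,
    )


def binary_path(image: str) -> str:
    """Lower-cased executable path: take the right-hand side of a ' --> '
    resolution and drop any command-line arguments."""
    resolved = image.split(" --> ")[-1].strip()
    m = BIN_RE.match(resolved)
    return (m.group(1) if m else resolved).lower()


def flag_service(entry: ServiceEntry) -> List[str]:
    """Review flags: each means 'look at this', not 'malicious'."""
    flags = []
    path = binary_path(entry.image)
    if not path.startswith(TRUSTED_ROOTS):
        flags.append("unusual_image_location")   # e.g. a profile or shared Application Data dir
    if path.rsplit("\\", 1)[-1] in GENERIC_HOSTS:
        flags.append("generic_host_binary")      # real code is a DLL/COM server this line does not name
    if entry.size is None:
        flags.append("image_not_verified")       # DDS printed [?]: file not found at that path
    return flags


def parse_lsa_packages(line: str) -> Optional[List[str]]:
    m = LSA_RE.match(line.strip())
    return m.group("pkgs").split() if m else None


def triage(log_text: str) -> Dict[str, object]:
    services, flagged, extra_pkgs = [], {}, []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry:
            services.append(entry)
            flags = flag_service(entry)
            if flags:
                flagged[entry.name] = flags
            continue
        pkgs = parse_lsa_packages(line)
        if pkgs:
            # Every package beyond the default is a DLL loaded into lsass; verify each one.
            extra_pkgs = [p for p in pkgs if p.lower() not in DEFAULT_AUTH_PACKAGES]
    return {"services": services, "flagged": flagged, "extra_auth_packages": extra_pkgs}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, flags in result["flagged"].items():
        print(f"{name}: {', '.join(flags)}")
    print("non-default LSA packages:", result["extra_auth_packages"])
```

Run as a script it prints the three flagged entries from the sample and the two non-default LSA packages. The flags are deliberately conservative: `generic_host_binary` only says that the service line names a host process (here `dllhost.exe`) rather than the code that actually runs, and `unusual_image_location` only says the image sits outside the Windows and Program Files trees, which on XP includes the shared Application Data directory. Both are places where the answer comes from checking the installed product, not from the log line alone.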

Step 1

  1. Please re-run AdwCleaner
  2. Click on Delete button.
  3. Confirm each time with OK.
  4. Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.

Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.

Step 2

Note: Please do not run this tool without special supervision and instruction of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

In your next reply, post the following log files:

  • AdwCleaner log
  • ComboFix log


AdwCleaner Log

# AdwCleaner v2.002 - Logfile created 09/23/2012 at 12:08:42

# Updated 16/09/2012 by Xplode

# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

# User : Kevin Brown - KRB2008

# Boot Mode : Normal

# Running from : C:\Documents and Settings\Kevin Brown\Desktop\adwcleaner.exe

# Option [Delete]

***** [services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\kfkcangbigakljkjeglcofaomihpejif

Folder Deleted : C:\Documents and Settings\All Users\Application Data\boost_interprocess

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Tarma Installer

Folder Deleted : C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Conduit

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit

Key Deleted : HKCU\Software\Conduit

Key Deleted : HKCU\Software\DataMngr

Key Deleted : HKCU\Software\Google\Chrome\Extensions\kfkcangbigakljkjeglcofaomihpejif

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Search

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE07101B-46D4-4A98-AF68-0333EA26E113}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6E41-4FD3-8538-502F5495E5FC}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4DE90BB-150D-4B33-95FE-6BAAC97E1C21}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F2D6C718-7E52-428E-8852-365C4B1A6E36}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}

Key Deleted : HKCU\Software\SmartBar

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}

Key Deleted : HKLM\Software\Freeze.com

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\kfkcangbigakljkjeglcofaomihpejif

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006EE092-9658-4FD6-BD8E-A21A348E59F5}

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}

Key Deleted : HKLM\Software\Tarma Installer

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}]

Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]

***** [internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

Restored : [HKU\S-1-5-21-2558596563-2776473477-71789554-1006\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Page] = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms} --> hxxp://www.google.com

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Bar] = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms} --> hxxp://www.google.com

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms} --> hxxp://www.google.com

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms} --> hxxp://www.google.com

-\\ Google Chrome v21.0.1180.89

File : C:\Documents and Settings\Kevin Brown\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.13] : homepage = "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48",

Deleted [l.17] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48" ]

Deleted [l.53] : icon_url = "hxxp://search.conduit.com/fav.ico",

Deleted [l.56] : keyword = "search.conduit.com",

Deleted [l.59] : search_url = "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3244149",

Deleted [l.1362] : homepage = "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48",

Deleted [l.1724] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48" ]

*************************

AdwCleaner[R1].txt - [6294 octets] - [23/09/2012 10:54:05]

AdwCleaner[R2].txt - [6354 octets] - [23/09/2012 12:08:03]

AdwCleaner[s1].txt - [6798 octets] - [23/09/2012 12:08:42]

########## EOF - C:\AdwCleaner[s1].txt - [6858 octets] ##########

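Added example, not from the original thread and not part of AdwCleaner: a Python pass that pulls the indicators out of an AdwCleaner log like the one above. It handles the `Replaced :` registry lines (which browser value was hijacked, the old URL, the URL it was reset to) and the `Deleted [l.N] :` Chrome Preferences lines, re-fangs the `hxxp://` URLs, and groups them by destination host with the union of their query parameters, so the publisher and affiliate identifiers the hijack carries become a pivot for searching other machines or logs. The line formats, the re-fanging rule and the summary structure are this example's own choices; the sample lines are copied from the log posted above.

```python
"""Indicator extraction from an AdwCleaner log: which browser settings were
hijacked, to which hosts, and with which tracking parameters.  Example code
written for this page; it is not part of AdwCleaner.  Only the 'Replaced :'
registry lines and the 'Deleted [l.N] :' Chrome Preferences lines are
handled, in the form they take in the log above; other lines are ignored."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Sample input: lines copied from the AdwCleaner log posted above.
SAMPLE_LOG = r"""
Key Deleted : HKCU\Software\Conduit
Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Page] = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms} --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Search - Default_Search_URL] = hxxp://feed.helperbar.com/?publisher=Whitesmoke&dpid=Whitesmoke&co=US&userid=e0952a42-5aa7-4849-adfb-c7d30e6e119a&isid=9864&searchtype=ds&q={searchTerms} --> hxxp://www.google.com
Deleted [l.13] : homepage = "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48",
Deleted [l.17] : urls_to_restore_on_startup = [ "hxxp://search.conduit.com/?ctid=CT3244149&SearchSource=48" ]
Deleted [l.59] : search_url = "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3244149",
"""

REPLACED_RE = re.compile(
    r"^Replaced\s*:\s*\[(?P<key>.+?)\s+-\s+(?P<value>[^\]]+)\]"
    r"\s*=\s*(?P<old>\S+)\s*-->\s*(?P<new>\S+)\s*$"
)
CHROME_RE = re.compile(r"^Deleted\s*\[l\.(?P<line>\d+)\]\s*:\s*(?P<pref>\w+)\s*=\s*(?P<rest>.+)$")
DEFANGED_URL_RE = re.compile(r'hxxps?://[^"\s\]]+')


@dataclass
class Hijack:
    source: str               # "registry" or "chrome"
    location: str             # registry value or Preferences key that was changed
    url: str                  # re-fanged URL
    host: str
    params: Dict[str, List[str]] = field(default_factory=dict)


def refang(url: str) -> str:
    """AdwCleaner writes hxxp:// so the log is not clickable; undo that for parsing."""
    return re.sub(r"^hxxp", "http", url, count=1)


def hijack_from_url(source: str, location: str, defanged: str) -> Hijack:
    url = refang(defanged)
    parts = urlsplit(url)
    return Hijack(source, location, url, (parts.hostname or "").lower(), parse_qs(parts.query))


def parse_adwcleaner(text: str) -> List[Hijack]:
    found: List[Hijack] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REPLACED_RE.match(line)
        if m:
            # The 'old' URL is the hijack; 'new' is what AdwCleaner reset the value to.
            found.append(hijack_from_url("registry", m.group("key") + "\\" + m.group("value"), m.group("old")))
            continue
        m = CHROME_RE.match(line)
        if m:
            # A Preferences value may be a string or a list; pull every defanged URL out of it.
            for url in DEFANGED_URL_RE.findall(m.group("rest")):
                found.append(hijack_from_url("chrome", f"Preferences[l.{m.group('line')}] {m.group('pref')}", url))
    return found


def summarize(hijacks: List[Hijack]) -> Dict[str, dict]:
    """Per hijack host: how many settings pointed at it, which ones, and the
    union of query parameters (publisher/affiliate ids are the useful pivots)."""
    by_host: Dict[str, dict] = {}
    for h in hijacks:
        d = by_host.setdefault(h.host, {"count": 0, "locations": [], "params": defaultdict(set)})
        d["count"] += 1
        d["locations"].append(h.location)
        for k, vals in h.params.items():
            d["params"][k].update(vals)
    return by_host


if __name__ == "__main__":
    for host, info in summarize(parse_adwcleaner(SAMPLE_LOG)).items():
        pivots = {k: sorted(v) for k, v in info["params"].items() if k != "q"}
        print(f"{host}: {info['count']} setting(s) -> {pivots}")
```

On the sample this yields two hosts: `feed.helperbar.com`, reached from two IE registry values and tagged `publisher=Whitesmoke` with a per-install `userid`, and `search.conduit.com`, reached from three Chrome Preferences entries sharing one `ctid`. Those identifiers, rather than the hostnames, are what distinguish one distribution of the same toolbar family from another, which is why the summary keeps the parameter union per host.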

Combofix log

ComboFix 12-09-23.02 - Kevin Brown 09/23/2012 12:34:37.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.976 [GMT -5:00]

Running from: c:\documents and settings\Kevin Brown\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\Kevin Brown\Application Data\EFA149

c:\documents and settings\Kevin Brown\g2mdlhlpx.exe

C:\Install.exe

C:\Thumbs.db

c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf

c:\windows\system32\test

c:\windows\system32\URTTemp

c:\windows\system32\URTTemp\fusion.dll

c:\windows\system32\URTTemp\mscoree.dll

c:\windows\system32\URTTemp\mscoree.dll.local

c:\windows\system32\URTTemp\mscorsn.dll

c:\windows\system32\URTTemp\mscorwks.dll

c:\windows\system32\URTTemp\msvcr71.dll

c:\windows\system32\URTTemp\regtlib.exe

.

Infected copy of c:\windows\system32\Services.exe was found and disinfected

Restored copy from - c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe

.

.

((((((((((((((((((((((((( Files Created from 2012-08-23 to 2012-09-23 )))))))))))))))))))))))))))))))

.

.

2012-09-23 15:34 . 2012-09-23 15:34 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\Sun

2012-09-23 15:22 . 2012-09-23 15:22 -------- d-----w- C:\TDSSKiller_Quarantine

2012-09-23 15:08 . 2012-09-23 15:07 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-09-23 15:07 . 2012-09-23 15:07 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-09-23 15:07 . 2012-09-23 16:00 -------- d-----w- c:\program files\Java

2012-09-23 12:42 . 2012-09-23 12:42 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\No Company Name

2012-09-23 01:28 . 2012-09-23 01:28 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\CRE

2012-09-22 15:59 . 2012-09-22 15:59 -------- d-----w- c:\program files\VS Revo Group

2012-09-22 15:55 . 2012-09-23 15:07 821736 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-09-22 14:24 . 2012-09-22 14:24 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-09-22 12:14 . 2012-09-22 12:14 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\Malwarebytes

2012-09-22 12:14 . 2012-09-22 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-09-22 12:14 . 2012-09-07 22:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-22 12:14 . 2012-09-22 12:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-09-17 02:03 . 2012-09-17 02:03 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\FileTypeAssistant

2012-09-17 01:44 . 2012-09-19 11:40 -------- d-----w- c:\program files\File Type Assistant

2012-09-12 13:14 . 2012-09-22 16:07 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\WhiteSmoke

2012-09-07 23:58 . 2012-09-22 11:14 -------- dc----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\MigWiz

2012-09-03 12:11 . 2012-09-03 12:11 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2012-09-02 16:06 . 2012-09-09 14:14 -------- d-----w- c:\documents and settings\Kevin Brown\syncdb

2012-09-02 02:51 . 2012-09-02 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe

2012-09-02 00:41 . 2012-09-02 00:41 -------- d-----w- C:\spoolerlogs

2012-09-01 18:58 . 2012-09-01 18:58 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\Akamai

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-23 17:45 . 2008-01-08 01:12 0 ----a-w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\WavXMapDrive.bat

2012-09-23 15:07 . 2010-05-12 10:30 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-09 15:15 . 2012-05-12 13:51 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-09-09 15:15 . 2011-06-29 03:24 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-28 15:14 . 2004-08-11 23:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:14 . 2004-08-11 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:14 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07 . 2004-08-11 23:00 385024 ----a-w- c:\windows\system32\html.iec

2012-07-06 13:58 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-04 14:05 . 2004-08-11 23:11 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 13:40 . 2004-08-11 23:00 1866112 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

"SacReminder"="c:\documents and settings\All Users\Application Data\OfficeGuardian\reminder\SacReminder.exe" [2009-06-02 825152]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]

"Akamai NetSession Interface"="c:\documents and settings\Kevin Brown\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-08-10 4440896]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]

"nwiz"="nwiz.exe" [2007-05-31 1626112]

"NVHotkey"="nvHotkey.dll" [2007-05-31 67584]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]

"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 52840]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-12-20 125632]

"EPSON PictureMate"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE" [2003-09-19 99840]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-05-20 223744]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-12-15 1446248]

"MOTOPRINTUPnPPrintService"="c:\program files\Motorola\MOTOPRINT Host\PrintService.exe" [2011-07-04 323304]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2011-08-30 624056]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-08 140568]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-08 2595480]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-08 905056]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]

2006-11-16 21:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth relog_ap

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

"RIMDeviceManager"="c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"

"TuneClone"=c:\program files\TuneClone\TuneClone.exe /silence

"SigmatelSysTrayApp"=stsystra.exe

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Kevin Brown\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=

"c:\\Program Files\\File Type Assistant\\tsassist.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1158:TCP"= 1158:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

.

R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [5/15/2008 9:12 PM 10112]

R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [10/21/2009 10:02 AM 20352]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]

R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [8/13/2012 1:33 PM 3064000]

R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]

R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2012 8:30 PM 106656]

R3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2011 1:00 PM 136176]

S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/12/2012 8:51 AM 250568]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [11/7/2009 5:39 PM 297472]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2011 1:00 PM 136176]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/20/2006 1:29 PM 116928]

S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]

S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [10/21/2009 9:31 AM 25704]

S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [10/21/2009 9:31 AM 25704]

S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [10/21/2009 9:31 AM 25704]

S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [10/21/2009 9:31 AM 25704]

S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [10/21/2009 9:31 AM 25704]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-23 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 15:15]

.

2012-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 18:00]

.

2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 18:00]

.

2012-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2558596563-2776473477-71789554-1005Core.job

- c:\documents and settings\Kevin Brown\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 09:11]

.

2012-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2558596563-2776473477-71789554-1005UA.job

- c:\documents and settings\Kevin Brown\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 09:11]

.

2012-09-23 c:\windows\Tasks\ProgramUpdateCheck.job

- c:\program files\File Type Assistant\tsassist.exe [2012-09-17 19:22]

.

2012-09-23 c:\windows\Tasks\User_Feed_Synchronization-{32C2F02C-21BB-4241-BA77-B39202F6E787}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local;<local>

uSearchAssistant = hxxp://www.google.com

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-10 - (no file)

SafeBoot-58174150.sys

SafeBoot-58806505.sys

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-09-23 12:45

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2558596563-2776473477-71789554-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1344)

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'lsass.exe'(1640)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

c:\windows\system32\relog_ap.dll

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'explorer.exe'(3788)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\windows\System32\WLTRYSVC.EXE

c:\windows\System32\bcmwltry.exe

c:\windows\System32\SCardSvr.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Dell\QuickSet\NICCONFIGSVC.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe

c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe

c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

c:\windows\system32\SearchIndexer.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\msdtc.exe

c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe

c:\program files\Apoint\ApMsgFwd.exe

c:\program files\Apoint\HidFind.exe

c:\program files\Apoint\Apntex.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\RUNDLL32.EXE

c:\program files\iPod\bin\iPodService.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe

.

**************************************************************************

.

Completion time: 2012-09-23 12:53:38 - machine was rebooted

ComboFix-quarantined-files.txt 2012-09-23 17:53

.

Pre-Run: 67,284,123,648 bytes free

Post-Run: 67,912,548,352 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - F9E9473FC2E11DAF12F671DA1CEA2462


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\Kevin Brown\Local Settings\Application Data\CRE
c:\documents and settings\Kevin Brown\Application Data\WhiteSmoke

JavaClearCache::

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


ComboFix 12-09-23.02 - Kevin Brown 09/23/2012 13:33:29.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1099 [GMT -5:00]

Running from: c:\documents and settings\Kevin Brown\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Kevin Brown\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Kevin Brown\Application Data\WhiteSmoke

c:\documents and settings\Kevin Brown\Local Settings\Application Data\CRE

c:\documents and settings\Kevin Brown\Local Settings\Application Data\CRE\kfkcangbigakljkjeglcofaomihpejif.crx

.

.

((((((((((((((((((((((((( Files Created from 2012-08-23 to 2012-09-23 )))))))))))))))))))))))))))))))

.

.

2012-09-23 15:34 . 2012-09-23 15:34 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\Sun

2012-09-23 15:22 . 2012-09-23 15:22 -------- d-----w- C:\TDSSKiller_Quarantine

2012-09-23 15:08 . 2012-09-23 15:07 143872 ----a-w- c:\windows\system32\javacpl.cpl

2012-09-23 15:07 . 2012-09-23 15:07 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2012-09-23 15:07 . 2012-09-23 16:00 -------- d-----w- c:\program files\Java

2012-09-23 12:42 . 2012-09-23 12:42 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\No Company Name

2012-09-22 15:59 . 2012-09-22 15:59 -------- d-----w- c:\program files\VS Revo Group

2012-09-22 15:55 . 2012-09-23 15:07 821736 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-09-22 14:24 . 2012-09-22 14:24 14080 ----a-w- c:\windows\system32\drivers\TrueSight.sys

2012-09-22 12:14 . 2012-09-22 12:14 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\Malwarebytes

2012-09-22 12:14 . 2012-09-22 12:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2012-09-22 12:14 . 2012-09-07 22:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-09-22 12:14 . 2012-09-22 12:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-09-17 02:03 . 2012-09-17 02:03 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\FileTypeAssistant

2012-09-17 01:44 . 2012-09-19 11:40 -------- d-----w- c:\program files\File Type Assistant

2012-09-07 23:58 . 2012-09-22 11:14 -------- dc----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\MigWiz

2012-09-03 12:11 . 2012-09-03 12:11 -------- d-----w- c:\documents and settings\Kevin Brown\Application Data\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

2012-09-02 16:06 . 2012-09-09 14:14 -------- d-----w- c:\documents and settings\Kevin Brown\syncdb

2012-09-02 02:51 . 2012-09-02 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe

2012-09-02 00:41 . 2012-09-02 00:41 -------- d-----w- C:\spoolerlogs

2012-09-01 18:58 . 2012-09-01 18:58 -------- d-----w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\Akamai

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-09-23 17:45 . 2008-01-08 01:12 0 ----a-w- c:\documents and settings\Kevin Brown\Local Settings\Application Data\WavXMapDrive.bat

2012-09-23 15:07 . 2010-05-12 10:30 746984 ----a-w- c:\windows\system32\deployJava1.dll

2012-09-09 15:15 . 2012-05-12 13:51 696520 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-09-09 15:15 . 2011-06-29 03:24 73416 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-08-28 15:14 . 2004-08-11 23:00 916992 ----a-w- c:\windows\system32\wininet.dll

2012-08-28 15:14 . 2004-08-11 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2012-08-28 15:14 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2012-08-28 12:07 . 2004-08-11 23:00 385024 ----a-w- c:\windows\system32\html.iec

2012-07-06 13:58 . 2004-08-11 23:00 78336 ----a-w- c:\windows\system32\browser.dll

2012-07-04 14:05 . 2004-08-11 23:11 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

2012-07-03 13:40 . 2004-08-11 23:00 1866112 ----a-w- c:\windows\system32\win32k.sys

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

"SacReminder"="c:\documents and settings\All Users\Application Data\OfficeGuardian\reminder\SacReminder.exe" [2009-06-02 825152]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-13 17418928]

"Akamai NetSession Interface"="c:\documents and settings\Kevin Brown\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-08-10 4440896]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]

"nwiz"="nwiz.exe" [2007-05-31 1626112]

"NVHotkey"="nvHotkey.dll" [2007-05-31 67584]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]

"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]

"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 52840]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-12-20 125632]

"EPSON PictureMate"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE" [2003-09-19 99840]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-10-06 59240]

"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-05-20 223744]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]

"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-12-15 1446248]

"MOTOPRINTUPnPPrintService"="c:\program files\Motorola\MOTOPRINT Host\PrintService.exe" [2011-07-04 323304]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2011-08-30 624056]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-08 140568]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-08 2595480]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-08 905056]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-9-11 984352]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]

2006-11-16 21:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 wvauth relog_ap

.

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background

"RIMDeviceManager"="c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Acrobat Speed Launch"="c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe"

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"

"Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe"

"TuneClone"=c:\program files\TuneClone\TuneClone.exe /silence

"SigmatelSysTrayApp"=stsystra.exe

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Documents and Settings\\Kevin Brown\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=

"c:\\Program Files\\File Type Assistant\\tsassist.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1158:TCP"= 1158:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

.

R0 O1394B;OW 1394b Bus Filter Service;c:\windows\system32\drivers\o1394b.sys [5/15/2008 9:12 PM 10112]

R0 tclondrv;tclondrv;c:\windows\system32\drivers\tclondrv.sys [10/21/2009 10:02 AM 20352]

R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 3:21 PM 79432]

R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 6:00 PM 5120]

R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 1:32 PM 97536]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/31/2012 8:30 PM 106656]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2011 1:00 PM 136176]

S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [8/13/2012 1:33 PM 3064000]

S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/12/2012 8:51 AM 250568]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [11/7/2009 5:39 PM 297472]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2011 1:00 PM 136176]

S3 QuickBooksDB19;QuickBooksDB19;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB19 [?]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [12/20/2006 1:29 PM 116928]

S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]

S3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [10/21/2009 9:31 AM 25704]

S3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [10/21/2009 9:31 AM 25704]

S3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [10/21/2009 9:31 AM 25704]

S3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [10/21/2009 9:31 AM 25704]

S3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [10/21/2009 9:31 AM 25704]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

.

Contents of the 'Scheduled Tasks' folder

.

2012-09-23 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 15:15]

.

2012-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]

.

2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 18:00]

.

2012-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-16 18:00]

.

2012-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2558596563-2776473477-71789554-1005Core.job

- c:\documents and settings\Kevin Brown\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 09:11]

.

2012-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2558596563-2776473477-71789554-1005UA.job

- c:\documents and settings\Kevin Brown\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 09:11]

.

2012-09-23 c:\windows\Tasks\ProgramUpdateCheck.job

- c:\program files\File Type Assistant\tsassist.exe [2012-09-17 19:22]

.

2012-09-23 c:\windows\Tasks\User_Feed_Synchronization-{32C2F02C-21BB-4241-BA77-B39202F6E787}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local;<local>

uSearchAssistant = hxxp://www.google.com

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.1.1

DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/mygarmin/m/GarminAxControl.CAB

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-09-23 13:42

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-2558596563-2776473477-71789554-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_265_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]

@Denied: (A 2) (Everyone)

@="IFlashBroker5"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(1344)

c:\windows\System32\BCMLogon.dll

.

- - - - - - - > 'lsass.exe'(1640)

c:\windows\system32\wvauth.dll

c:\windows\system32\biolsp.dll

c:\windows\system32\relog_ap.dll

c:\windows\System32\BCMLogon.dll

.

Completion time: 2012-09-23 13:44:21

ComboFix-quarantined-files.txt 2012-09-23 18:44

ComboFix2.txt 2012-09-23 17:53

.

Pre-Run: 67,898,785,792 bytes free

Post-Run: 67,885,727,744 bytes free

.

- - End Of File - - 52E118A4A4BE5C8688A75690745173D7

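The "Reg Loading Points" section of the ComboFix log above lists every Run-key value with its command line and, where the file exists, its date and size. The script below is an added example (not part of the thread and not ComboFix code) that parses that section and flags the entries a helper would look at first: executables living under the user profile (writable without admin rights, as the Akamai and SacReminder entries are), and bare file names such as nwiz.exe that Windows resolves through the search path instead of a fixed location. The sample text is a constructed excerpt modelled on the log; the treatment of keys ending in "run-" as inactive and the list of executable extensions are assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"='                                     # value name
    r"(?P<raw>.*?)"                                            # command line (quoted or not)
    r"(?:\s*\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?"  # optional [date size] that ComboFix appends
    r"\s*$"
)
# Assumption: these extensions cover what an unquoted Run value can point at.
EXE_RE = re.compile(r"(?i)^(?P<path>.*?\.(?:exe|dll|cpl|scr|bat|cmd))(?:\s+(?P<args>.*))?$")
USER_PROFILE_ROOT = "c:\\documents and settings\\"   # Windows XP profile layout, as in the log


@dataclass
class Autorun:
    key: str
    name: str
    path: str
    args: str
    active: bool            # False for entries parked under a key named 'run-'
    size: Optional[int]
    reasons: List[str] = field(default_factory=list)


def split_command(raw: str):
    """Separate the executable from its arguments, for quoted and unquoted values."""
    raw = raw.strip()
    if raw.startswith('"'):
        end = raw.find('"', 1)
        if end > 0:
            return raw[1:end], raw[end + 1:].strip()
    m = EXE_RE.match(raw)
    if m:
        return m.group("path"), (m.group("args") or "").strip()
    return raw, ""


def assess(path: str) -> List[str]:
    """Reasons an autorun target deserves a closer look (empty list if none)."""
    reasons = []
    low = path.lower()
    if "\\" not in low:
        reasons.append("bare file name, resolved via the search path")
    elif low.startswith(USER_PROFILE_ROOT):
        reasons.append("executable under a user-writable profile directory")
    return reasons


def parse_loading_points(text: str) -> List[Autorun]:
    autoruns, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            path, args = split_command(vm.group("raw"))
            # Assumption: Windows does not execute values under a key named 'run-';
            # ComboFix lists entries parked there, so treat them as inactive.
            active = not key.lower().endswith("run-")
            size = int(vm.group("size")) if vm.group("size") else None
            autoruns.append(Autorun(key, vm.group("name"), path, args, active, size, assess(path)))
    return autoruns


def flagged(autoruns: List[Autorun]) -> List[Autorun]:
    """Active entries with at least one reason attached."""
    return [a for a in autoruns if a.active and a.reasons]


# Constructed excerpt modelled on the ComboFix log in this thread.
SAMPLE = r'''
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"SacReminder"="c:\documents and settings\All Users\Application Data\OfficeGuardian\reminder\SacReminder.exe" [2009-06-02 825152]
"Akamai NetSession Interface"="c:\documents and settings\Kevin Brown\Local Settings\Application Data\Akamai\netsession_win.exe" [2012-08-10 4440896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"nwiz"="nwiz.exe" [2007-05-31 1626112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TuneClone"=c:\program files\TuneClone\TuneClone.exe /silence
"SigmatelSysTrayApp"=stsystra.exe
'''

if __name__ == "__main__":
    for a in flagged(parse_loading_points(SAMPLE)):
        print(f"{a.name!r} in {a.key}: {a.path} -> {'; '.join(a.reasons)}")
```

Run it on the full "Reg Loading Points" block of a saved ComboFix.txt to get the short list; a flag is a prompt to check the file's publisher and install history, not a verdict, since legitimate updaters (Akamai NetSession here) also live under the profile.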

Good! :)

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic


Am I supposed to delete the quarantined files?

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6583

# api_version=3.0.2

# EOSSerial=3e2720d7dc4e024ab81ac1cff5916894

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2012-09-23 10:16:45

# local_time=2012-09-23 05:16:45 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=138475

# found=13

# cleaned=13

# scan_time=9276

C:\Documents and Settings\Kevin Brown\My Documents\Downloads\freefileviewer.exe a variant of Win32/InstallIQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1224\A0124315.dll a variant of Win32/Toolbar.SearchSuite application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1226\A0126520.exe a variant of Win32/Obfuscated.NEU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1229\A0126656.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1229\A0126657.dll Win32/Toolbar.MyWebSearch.Q application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1229\A0126658.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1233\A0127068.exe probably a variant of Win32/WhiteSmoke application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1233\A0127118.dll a variant of Win32/Adware.Yontoo.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1233\A0127120.dll a variant of Win32/Adware.Yontoo.B application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1238\A0129304.exe a variant of Win32/Adware.iBryte.C application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\23.09.2012_10.20.33\mbr0000\tdlfs0000\tsk0001.dta probably a variant of Win32/Olmarik.AYH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\23.09.2012_10.20.33\mbr0000\tdlfs0000\tsk0006.dta Win32/Olmarik.AFK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\TDSSKiller_Quarantine\23.09.2012_10.20.33\mbr0000\tdlfs0000\tsk0007.dta Win64/Olmarik.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

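Every detection line in the ESET log above has the same shape: a path, the detection name, the action taken in parentheses, a hex identifier and a flag. The script below is an added example (not part of the thread and not ESET code) that parses such a log, separates hits that were still live on disk from copies that were already inert (System Restore snapshots and another tool's quarantine folder, which is where twelve of the thirteen hits above sat), and cross-checks the "# found=" and "# cleaned=" counters against the number of detection lines so a truncated paste is noticed. The sample is a constructed excerpt modelled on the log; the TDSSKiller folder name used for classification is taken from the log and is an assumption about that tool.

```python
"""Classify the detections in an ESET Online Scanner log.txt (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

HEADER_RE = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "                        # Windows path, may contain spaces
    r"(?P<detection>(?:probably )?(?:a variant of )?"    # ESET's certainty prefixes
    r"\S+/\S+ (?P<kind>\w+)) "                           # e.g. Win32/Olmarik.AFK trojan
    r"\((?P<action>[^)]*)\) "                            # e.g. cleaned by deleting - quarantined
    r"(?P<ident>[0-9a-fA-F]+) (?P<flag>\S+)$"
)

RESTORE_POINT = "\\system volume information\\_restore"
# Assumption: the quarantine folder name TDSSKiller uses, as seen in the log.
TOOL_QUARANTINE = "\\tdsskiller_quarantine\\"


def locate(path: str) -> str:
    """Where the object sat when ESET found it."""
    low = path.lower()
    if RESTORE_POINT in low:
        return "restore point"
    if TOOL_QUARANTINE in low:
        return "tool quarantine"
    return "live file"


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[dict]]:
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        hm = HEADER_RE.match(line)
        if hm:
            header[hm.group("key")] = hm.group("value")
            continue
        dm = DETECTION_RE.match(line)
        if dm:
            rec = dm.groupdict()
            rec["location"] = locate(rec["path"])
            detections.append(rec)
    return header, detections


def summarize(text: str) -> dict:
    header, detections = parse_eset_log(text)
    found = int(header.get("found", -1))
    cleaned = int(header.get("cleaned", -1))
    return {
        "by_location": Counter(d["location"] for d in detections),
        "by_kind": Counter(d["kind"] for d in detections),
        "live_paths": [d["path"] for d in detections if d["location"] == "live file"],
        # False means lines were lost in the paste, the scan was cut short,
        # or something was found but not cleaned.
        "counters_consistent": found == cleaned == len(detections),
    }


# Constructed excerpt modelled on the ESET log in this thread.
SAMPLE = r'''
# version=7
# end=finished
# remove_checked=true
# scanned=138475
# found=5
# cleaned=5
C:\Documents and Settings\Kevin Brown\My Documents\Downloads\freefileviewer.exe a variant of Win32/InstallIQ application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1226\A0126520.exe a variant of Win32/Obfuscated.NEU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1229\A0126656.dll Win32/Toolbar.MyWebSearch application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\23.09.2012_10.20.33\mbr0000\tdlfs0000\tsk0006.dta Win32/Olmarik.AFK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\TDSSKiller_Quarantine\23.09.2012_10.20.33\mbr0000\tdlfs0000\tsk0007.dta Win64/Olmarik.AK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
'''

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("by location:", dict(s["by_location"]))
    print("by kind:", dict(s["by_kind"]))
    print("still live:", s["live_paths"])
    print("counters consistent:", s["counters_consistent"])
```

The "live file" bucket is the one that matters for follow-up: restore-point and quarantine copies cannot run, but a detection in a Downloads folder tells you which installer brought the bundled software in.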

This topic is now closed to further replies.