adrock322 Posted September 25, 2012 ID:601257 Share Posted September 25, 2012 I am 7 seconds away from smashing my girlfriends' daughter's pc that i promised would be "all fixed" when i was done with it. It's the smitfraud-c.generic one. Please help & we'll be tight friends for a long time!Here's my logs from the DDS scan:Attach.UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.IF REQUESTED, ZIP IT UP & ATTACH IT.DDS (Ver_2011-08-26.01).Microsoft Windows 7 Home PremiumBoot Device: \Device\HarddiskVolume1Install Date: 8/15/2011 6:22:09 PMSystem Uptime: 9/25/2012 2:36:42 PM (0 hours ago).Motherboard: Hewlett-Packard | | 3674Processor: Intel® Pentium® CPU P6200 @ 2.13GHz | CPU | 1322/1066mhz.==== Disk Partitions =========================.C: is FIXED (NTFS) - 284 GiB total, 239.93 GiB free.D: is FIXED (NTFS) - 14 GiB total, 1.706 GiB free.E: is CDROM (UDF).==== Disabled Device Manager Items =============.==== System Restore Points ===================.RP36: 7/10/2012 1:18:57 PM - Removed HP Power ManagerRP37: 7/10/2012 1:19:13 PM - Installed HP Power ManagerRP38: 7/10/2012 1:19:58 PM - Removed HP Quick LaunchRP39: 7/10/2012 1:20:19 PM - Installed HP Quick LaunchRP40: 7/10/2012 1:20:39 PM - Removed HP On Screen DisplayRP41: 7/10/2012 1:20:55 PM - Installed HP On Screen DisplayRP42: 7/25/2012 5:34:19 AM - HPSF Restore PointRP43: 7/25/2012 10:51:06 AM - HPSF Restore PointRP44: 7/27/2012 7:47:08 AM - HPSF Restore PointRP45: 8/1/2012 9:55:18 PM - Installed HP Support AssistantRP46: 8/1/2012 9:57:15 PM - Windows Modules InstallerRP47: 8/1/2012 9:57:55 PM - Windows Modules InstallerRP48: 8/11/2012 4:03:18 PM - HPSF Restore PointRP49: 8/23/2012 7:34:58 AM - Scheduled CheckpointRP50: 9/11/2012 12:34:10 AM - HPSF Restore PointRP51: 9/13/2012 3:28:23 PM - Removed HP On Screen DisplayRP52: 9/13/2012 6:49:08 PM - HPSF Applying updatesRP53: 9/15/2012 10:42:31 AM - Windows UpdateRP54: 9/15/2012 9:58:04 PM - Windows UpdateRP55: 9/17/2012 1:20:55 PM - Windows UpdateRP56: 9/25/2012 11:41:37 AM - Windows UpdateRP57: 9/25/2012 11:57:22 AM - Windows Update.==== Installed Programs ======================.Adobe Flash Player 11 ActiveXAgatha Christie - Peril at End HouseArcadeCandyBejeweled 2 DeluxeBejeweled 3Blackhawk Striker 2Blasterball 3blinkx beatBounce SymphonyBuild-a-lot 2Cake ManiaChuzzle DeluxeCisco EAP-FAST ModuleCisco LEAP ModuleCisco PEAP ModuleClick to Call with SkypeCyberLink DVD SuiteCyberLink YouCamD3DX10Diner Dash 2 Restaurant RescueDora's World AdventureEnergy Star Digital LogoEvernote v. 4.2.2Facebook Video Calling 1.2.0.159Farm FrenzyFATE - The Traitor SoulGoogle ChromeGoogle Toolbar for Internet ExplorerGoogle Update HelperHewlett-Packard ACLM.NET v1.1.2.0HP Customer Experience EnhancementsHP DocumentationHP GamesHP On Screen DisplayHP Power ManagerHP Quick LaunchHP SetupHP Software FrameworkHP Support AssistantIntel® Control CenterIntel® Graphics Media Accelerator DriverIntel® Management Engine ComponentsIntel® Rapid Storage TechnologyJava Auto UpdaterJava 6 Update 29LabelPrintLightScribe System SoftwareMah Jong MedleyMalwarebytes Anti-Malware version 1.65.0.1400Microsoft Office 2010Microsoft Office Click-to-Run 2010Microsoft Office Starter 2010 - EnglishMicrosoft SilverlightMicrosoft SQL Server 2005 Compact Edition [ENU]Microsoft Visual C++ 2005 RedistributableMicrosoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161MSVCRTMystery P.I. - Stolen in San FranciscoNamco All-Stars PAC-MANNorton Internet SecurityPDF Complete Special EditionPenguins!Plants vs. Zombies - Game of the YearPoker Superstars IIIPolar BowlerPolar GolferPower2GoRealtek Ethernet Controller DriverRealtek High Definition Audio DriverRealtek PCIE Card ReaderREALTEK Wireless LAN DriverRecovery ManagerSecurity Update for Microsoft .NET Framework 4 Client Profile (KB2478663)Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)Skype™ 5.10Slingo SupremeSpybot - Search & DestroyUnity Web PlayerUpdate for Microsoft .NET Framework 4 Client Profile (KB2468871)Update for Microsoft .NET Framework 4 Client Profile (KB2533523)Update Installer for WildTangent Games AppVirtual Villagers 4 - The Tree of LifeWheel of Fortune 2WhiteSmoke Bar ToolbarWhiteSmokeTranslatorWildTangent Games App (HP Games)Windows Live Communications PlatformWindows Live EssentialsWindows Live InstallerWindows Live Movie MakerWindows Live Photo CommonWindows Live Photo GalleryWindows Live PIMT PlatformWindows Live SOXEWindows Live SOXE DefinitionsWindows Live UX PlatformWindows Live UX Platform Language PackWinZip 14.5Wizard101Zuma Deluxe.==== Event Viewer Messages From Past Week ========.9/25/2012 2:44:03 PM, Error: Microsoft-Windows-SharedAccess_NAT [31004] - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.9/25/2012 2:39:04 PM, Error: Microsoft-Windows-SharedAccess_NAT [34001] - The ICS_IPV6 failed to configure IPv6 stack.9/25/2012 2:39:04 PM, Error: Microsoft-Windows-SharedAccess_NAT [30013] - The DHCP allocator has disabled itself on IP address 10.0.0.109, since the IP address is outside the 192.168.137.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.9/25/2012 2:37:13 PM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\Rtlihvs.dll Error Code: 1269/25/2012 11:57:41 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Windows 7 for x64-based Systems (KB2676562).9/25/2012 11:57:40 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Windows 7 for x64-based Systems (KB2709715).9/25/2012 11:57:39 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Windows 7 for x64-based Systems (KB2679255).9/24/2012 10:49:50 PM, Error: Microsoft-Windows-SharedAccess_NAT [30013] - The DHCP allocator has disabled itself on IP address 192.168.0.116, since the IP address is outside the 192.168.137.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.9/24/2012 10:01:55 PM, Error: Microsoft-Windows-SharedAccess_NAT [30013] - The DHCP allocator has disabled itself on IP address 169.254.45.215, since the IP address is outside the 192.168.137.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.9/23/2012 2:19:10 PM, Error: Microsoft-Windows-SharedAccess_NAT [30013] - The DHCP allocator has disabled itself on IP address 10.0.0.101, since the IP address is outside the 192.168.137.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.9/21/2012 9:31:48 PM, Error: Service Control Manager [7034] - The Google Update Service (gupdate) service terminated unexpectedly. It has done this 1 time(s).9/21/2012 7:58:54 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} and APPID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user awsomeness\worldpeace SID (S-1-5-21-3223926061-2319795500-3865896739-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.9/21/2012 4:19:41 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SysMain service.9/21/2012 4:13:11 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the AudioEndpointBuilder service.9/21/2012 4:12:41 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SENS service.9/21/2012 4:12:11 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Dnscache service.9/21/2012 4:11:41 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.9/21/2012 4:11:11 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Schedule service.9/21/2012 4:10:41 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanWorkstation service.9/21/2012 4:10:11 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IKEEXT service.9/21/2012 4:09:41 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the MBAMScheduler service.9/21/2012 4:09:11 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NIS service.9/21/2012 4:08:11 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the iphlpsvc service.9/21/2012 4:07:41 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the RasMan service.9/21/2012 4:07:11 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the hpqwmiex service.9/21/2012 4:06:41 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the HP Support Assistant Service service.9/21/2012 4:06:11 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UNS service.9/21/2012 4:05:41 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the wuauserv service.9/18/2012 2:46:14 PM, Error: Microsoft-Windows-SharedAccess_NAT [30013] - The DHCP allocator has disabled itself on IP address 192.168.1.220, since the IP address is outside the 192.168.137.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope.9/18/2012 2:44:44 PM, Error: Microsoft-Windows-SharedAccess_NAT [30013] - The DHCP allocator has disabled itself on IP address 172.21.197.128, since the IP address is outside the 192.168.137.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, change the scope to include the IP address, or change the IP address to fall within the scope..==== End Of File ===========================.DDS (Ver_2011-08-26.01) - NTFSAMD64Internet Explorer: 8.0.7601.17514Run by worldpeace at 14:47:12 on 2012-09-25Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.2147 [GMT -5:00].AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}.============== Running Processes ===============.C:\Windows\system32\wininit.exeC:\Windows\system32\lsm.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\svchost.exe -k RPCSSC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestrictedC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestrictedC:\Windows\system32\svchost.exe -k netsvcsC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\svchost.exe -k NetworkServiceC:\Windows\System32\spoolsv.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkC:\Program Files\Realtek\Audio\HDA\AERTSr64.exeC:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exeC:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exeC:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exeC:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exeC:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exeC:\Program Files (x86)\PDF Complete\pdfsvc.exeC:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exeC:\Windows\system32\svchost.exe -k imgsvcC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXEC:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exeC:\Windows\system32\wbem\wmiprvse.exeC:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exeC:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXEC:\Windows\System32\alg.exeC:\Windows\system32\SearchIndexer.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonationC:\Windows\system32\taskhost.exeC:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exeC:\Windows\system32\Dwm.exeC:\Windows\Explorer.EXEC:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Windows\System32\igfxtray.exeC:\Windows\System32\hkcmd.exeC:\Windows\System32\igfxpers.exeC:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exeC:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exeC:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exeC:\Program Files (x86)\WhiteSmokeTranslator\WSTrayDictMode.exeC:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exeC:\Program Files (x86)\Common Files\Java\Java Update\jusched.exeC:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exeC:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exeC:\Program Files\Synaptics\SynTP\SynTPHelper.exeC:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exeC:\Windows\system32\taskeng.exeC:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestrictedC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exeC:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exeC:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exeC:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exeC:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exeC:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exeC:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exeC:\Windows\servicing\TrustedInstaller.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\system32\consent.exeC:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exeC:\Windows\SysWOW64\cmd.exeC:\Windows\system32\conhost.exeC:\Windows\SysWOW64\cscript.exe.============== Pseudo HJT Report ===============.uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3007394uURLSearchHooks: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - C:\Program Files (x86)\WhiteSmoke_Bar\prxtbWhit.dllmURLSearchHooks: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - C:\Program Files (x86)\WhiteSmoke_Bar\prxtbWhit.dllmWinlogon: Userinit=userinit.exe,BHO: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - C:\Program Files (x86)\WhiteSmoke_Bar\prxtbWhit.dllBHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dllBHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dllBHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLLBHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllBHO: ArcadeCandy Games: {ab6bd08c-db6b-4f02-8a22-4bd343e990ff} - C:\Users\worldpeace\AppData\Local\ArcadeCandy\candyEX.dllBHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7725.1624\swg.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dllTB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dllTB: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - C:\Program Files (x86)\WhiteSmoke_Bar\prxtbWhit.dllTB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllTB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No FileuRun: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hiddenuRun: [spybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exeuRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"mRun: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exemRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exemRun: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"mRun: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exemRun: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exeStartupFolder: C:\Users\WORLDP~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\LAUNCH~1.LNK - C:\Program Files (x86)\WhiteSmokeTranslator\WSTrayDictMode.exemPolicies-explorer: NoActiveDesktop = 1 (0x1)mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)mPolicies-system: EnableUIADesktopToggle = 0 (0x0)IE: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dllIE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dllDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cabTCP: DhcpNameServer = 10.0.0.1TCP: Interfaces\{9615BAD7-42A4-426B-B7AC-9B827C69FBD9} : DhcpNameServer = 10.0.0.1TCP: Interfaces\{9615BAD7-42A4-426B-B7AC-9B827C69FBD9}\14370756E6D27657563747 : DhcpNameServer = 75.75.76.76 75.75.75.75TCP: Interfaces\{9615BAD7-42A4-426B-B7AC-9B827C69FBD9}\3496479702F66602D496E6E6561607F6C6963702055726C696360275966496 : DhcpNameServer = 206.55.176.52 206.55.176.53TCP: Interfaces\{9615BAD7-42A4-426B-B7AC-9B827C69FBD9}\445607F647 : DhcpNameServer = 192.168.11.1TCP: Interfaces\{9615BAD7-42A4-426B-B7AC-9B827C69FBD9}\4457E6E62427F637 : DhcpNameServer = 192.168.11.1TCP: Interfaces\{9615BAD7-42A4-426B-B7AC-9B827C69FBD9}\46C696E6B6 : DhcpNameServer = 192.168.0.1Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dllHandler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLLHandler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dllmASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"BHO-X64: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - C:\Program Files (x86)\WhiteSmoke_Bar\prxtbWhit.dllBHO-X64: WhiteSmoke Bar - No FileBHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dllBHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dllBHO-X64: Symantec NCO BHO - No FileBHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLLBHO-X64: Symantec Intrusion Prevention - No FileBHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllBHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllBHO-X64: ArcadeCandy Games: {AB6BD08C-DB6B-4F02-8A22-4BD343E990FF} - C:\Users\worldpeace\AppData\Local\ArcadeCandy\candyEX.dllBHO-X64: ArcadeCandy Games - No FileBHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dllBHO-X64: SkypeIEPluginBHO - No FileBHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7725.1624\swg.dllBHO-X64: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dllTB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dllTB-X64: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - C:\Program Files (x86)\WhiteSmoke_Bar\prxtbWhit.dllTB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dllTB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No FilemRun-x64: [iAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exemRun-x64: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exemRun-x64: [sunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"mRun-x64: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exemRun-x64: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exeIE-X64: {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll/204Hosts: 127.0.0.1 www.spywareinfo.com.============= SERVICES / DRIVERS ===============.R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1207020.003\SYMDS64.SYS [?]R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1207020.003\SYMEFA64.SYS [?]R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\BASHDefs\20110929.001\BHDrvx64.sys [2011-9-29 1152632]R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\Definitions\IPSDefs\20111014.031\IDSviA64.sys [2011-10-15 488568]R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [?]R1 SymNetS;Symantec Network Security WFP Driver;C:\Windows\system32\Drivers\NISx64\1207020.003\SYMNETS.SYS --> C:\Windows\system32\Drivers\NISx64\1207020.003\SYMNETS.SYS [?]R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-4-26 98208]R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]R2 HP Support Assistant Service;HP Support Assistant Service;C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe [2011-9-9 86072]R2 HP Wireless Assistant Service;HP Wireless Assistant Service;C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-7-21 103992]R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-9-1 227896]R2 HPWMISVC;HPWMISVC;C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2012-3-5 35200]R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-4-26 13336]R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-4-26 1817088]R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-9-15 399432]R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-9-15 676936]R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe [2012-7-8 130008]R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-3-16 1127448]R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-9-14 1153368]R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-4-26 2320920]R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\system32\DRIVERS\clwvd.sys --> C:\Windows\system32\DRIVERS\clwvd.sys [?]R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-9-14 136824]R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]R3 IntcDAud;Intel® Display Audio;C:\Windows\system32\DRIVERS\IntcDAud.sys --> C:\Windows\system32\DRIVERS\IntcDAud.sys [?]R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\system32\DRIVERS\RtsPStor.sys --> C:\Windows\system32\DRIVERS\RtsPStor.sys [?]R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]R3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;C:\Windows\system32\DRIVERS\rtl8192Ce.sys --> C:\Windows\system32\DRIVERS\rtl8192Ce.sys [?]R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-9-20 136176]S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-7-13 160944]S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-8-5 250056]S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-9-20 136176]S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]S3 SrvHsfHDA;SrvHsfHDA;C:\Windows\system32\DRIVERS\VSTAZL6.SYS --> C:\Windows\system32\DRIVERS\VSTAZL6.SYS [?]S3 SrvHsfV92;SrvHsfV92;C:\Windows\system32\DRIVERS\VSTDPV6.SYS --> C:\Windows\system32\DRIVERS\VSTDPV6.SYS [?]S3 SrvHsfWinac;SrvHsfWinac;C:\Windows\system32\DRIVERS\VSTCNXT6.SYS --> C:\Windows\system32\DRIVERS\VSTCNXT6.SYS [?]S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?].=============== Created Last 30 ================.2012-09-25 19:33:14 20480 ----a-w- C:\Windows\svchost.exe2012-09-22 01:09:48 -------- d-----w- C:\Users\worldpeace\school2012-09-16 03:00:18 81408 ----a-w- C:\Windows\System32\imagehlp.dll2012-09-16 03:00:18 5120 ----a-w- C:\Windows\SysWow64\wmi.dll2012-09-16 03:00:18 5120 ----a-w- C:\Windows\System32\wmi.dll2012-09-16 03:00:18 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys2012-09-16 03:00:18 220672 ----a-w- C:\Windows\System32\wintrust.dll2012-09-16 03:00:18 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll2012-09-16 03:00:18 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll2012-09-16 02:59:35 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%2012-09-15 21:34:12 -------- d-----w- C:\Users\worldpeace\AppData\Roaming\Malwarebytes2012-09-15 21:33:25 -------- d-----w- C:\ProgramData\Malwarebytes2012-09-15 21:33:24 25928 ----a-w- C:\Windows\System32\drivers\mbam.sys2012-09-15 21:33:24 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware2012-09-15 16:17:59 209920 ----a-w- C:\Windows\System32\profsvc.dll2012-09-15 16:06:08 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll2012-09-15 16:06:08 634880 ----a-w- C:\Windows\System32\msvcrt.dll2012-09-15 16:06:07 3148800 ----a-w- C:\Windows\System32\win32k.sys2012-09-15 16:06:05 956928 ----a-w- C:\Windows\System32\localspl.dll2012-09-15 16:06:05 723456 ----a-w- C:\Windows\System32\EncDec.dll2012-09-15 16:06:05 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll2012-09-15 16:06:01 2048 ----a-w- C:\Windows\SysWow64\tzres.dll2012-09-15 16:06:01 2048 ----a-w- C:\Windows\System32\tzres.dll2012-09-15 15:46:46 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll2012-09-15 15:46:46 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys2012-09-15 15:46:46 1031680 ----a-w- C:\Windows\System32\rdpcore.dll2012-09-15 15:43:01 2622464 ----a-w- C:\Windows\System32\wucltux.dll2012-09-15 15:42:54 99840 ----a-w- C:\Windows\System32\wudriver.dll2012-09-15 15:42:45 36864 ----a-w- C:\Windows\System32\wuapp.exe2012-09-15 15:42:45 186752 ----a-w- C:\Windows\System32\wuwebv.dll2012-09-14 23:14:50 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy2012-09-14 23:14:50 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy2012-09-14 03:17:44 -------- d-----w- C:\ProgramData\VirtualizedApplications2012-09-13 23:45:08 -------- d-----w- C:\Users\worldpeace\AppData\Local\SoftGrid Client2012-09-13 23:45:00 -------- d-----w- C:\Users\worldpeace\AppData\Roaming\SoftGrid Client2012-09-13 23:43:14 -------- d-----w- C:\Program Files (x86)\Microsoft Application Virtualization Client2012-09-13 23:42:40 -------- d-----w- C:\Users\worldpeace\AppData\Roaming\TP2012-09-06 02:40:19 -------- d-----w- C:\Users\worldpeace\AppData\Local\{7238307E-2EAE-4ADC-8AF5-0A3D002BDA50}.==================== Find3M ====================.2012-08-24 18:05:06 1188864 ----a-w- C:\Windows\System32\wininet.dll2012-08-24 16:57:48 981504 ----a-w- C:\Windows\SysWow64\wininet.dll2012-08-24 15:59:30 1638912 ----a-w- C:\Windows\System32\mshtml.tlb2012-08-24 15:20:39 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb2012-08-22 18:12:50 1913200 ----a-w- C:\Windows\System32\drivers\tcpip.sys2012-08-22 18:12:40 950128 ----a-w- C:\Windows\System32\drivers\ndis.sys2012-08-22 18:12:40 376688 ----a-w- C:\Windows\System32\drivers\netio.sys2012-08-22 18:12:33 288624 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS2012-08-15 12:46:44 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl2012-08-15 12:46:44 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe2012-08-02 17:58:52 574464 ----a-w- C:\Windows\System32\d3d10level9.dll2012-08-02 16:57:20 490496 ----a-w- C:\Windows\SysWow64\d3d10level9.dll2012-07-10 18:17:08 878184 ----a-w- C:\Windows\System32\drivers\rtl8192ce.sys2012-07-04 22:13:27 59392 ----a-w- C:\Windows\System32\browcli.dll2012-07-04 22:13:27 136704 ----a-w- C:\Windows\System32\browser.dll2012-07-04 21:14:34 41984 ----a-w- C:\Windows\SysWow64\browcli.dll2012-07-04 20:26:03 41472 ----a-w- C:\Windows\System32\drivers\RNDISMP.sys.============= FINISH: 14:48:41.69 =============== Link to post Share on other sites More sharing options...
MrCharlie Posted September 25, 2012 ID:601303 Share Posted September 25, 2012 Welcome to the forumPlease uninstall these programs:WhiteSmoke Bar ToolbarWhiteSmokeTranslator~~~~~~~~~~~~~~~~~~~~~~~Next:Please Update and run a Quick Scan with MBAM, post the report.Make sure that everything is checked, and click Remove Selected.Please remove any usb or external drives from the computer before you run this scan!~~~~~~~~~~~~~~~~~~~~~~~~~Last.....Please download and run RogueKiller to your desktop.Quit all running programs.For Windows XP, double-click to start.For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.Click Scan to scan the system.When the scan completes > Close out the program > Don't Fix anything!Don't run any other options, they're not all bad!!!!!!!Post back the report which should be located on your desktop.MrC Link to post Share on other sites More sharing options...
adrock322 Posted September 26, 2012 Author ID:601324 Share Posted September 26, 2012 Hey MrCharlie thanks for your quick response! Here we go...1. uninstalled whitesmoke toolbar. couldn't uninstall whitesmoke translator. error message "Error launching CheckLockedWsDictFiles.exe"2.Malwarebytes Anti-Malware (Trial) 1.65.0.1400www.malwarebytes.orgDatabase version: v2012.09.26.01Windows 7 Service Pack 1 x64 NTFSInternet Explorer 8.0.7601.17514worldpeace :: AWSOMENESS [administrator]Protection: Enabled9/25/2012 7:11:50 PMmbam-log-2012-09-25 (19-11-50).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 199996Time elapsed: 1 minute(s), 52 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 1C:\Windows\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.(end)3.RogueKiller V8.0.5 [09/23/2012] by Tigzymail: tigzyRK<at>gmail<dot>comFeedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/Blog: http://tigzyrk.blogspot.comOperating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits versionStarted in : Normal modeUser : worldpeace [Admin rights]Mode : Scan -- Date : 09/25/2012 19:15:44¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 5 ¤¤¤[TASK][sUSP PATH] CandyUpdater.job : C:\Users\worldpeace\AppData\Local\ArcadeCandy\candyUpdater.exe -> FOUND[TASK][sUSP PATH] CandyUpdater : C:\Users\worldpeace\AppData\Local\ArcadeCandy\candyUpdater.exe -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND[sCREENSV][sUSP PATH] HKCU\[...]\Desktop (C:\Windows\WLXPGSS.scr) -> FOUND¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [NOT LOADED] ¤¤¤¤¤¤ Extern Hives: ¤¤¤¤¤¤ Infection : Root.MBR ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> C:\Windows\system32\drivers\etc\hosts127.0.0.1 www.007guard.com127.0.0.1 007guard.com127.0.0.1 008i.com127.0.0.1 www.008k.com127.0.0.1 008k.com127.0.0.1 www.00hq.com127.0.0.1 00hq.com127.0.0.1 010402.com127.0.0.1 www.032439.com127.0.0.1 032439.com127.0.0.1 www.0scan.com127.0.0.1 0scan.com127.0.0.1 www.1000gratisproben.com127.0.0.1 1000gratisproben.com127.0.0.1 1001namen.com127.0.0.1 www.1001namen.com127.0.0.1 100888290cs.com127.0.0.1 www.100888290cs.com127.0.0.1 www.100sexlinks.com127.0.0.1 100sexlinks.com[...]¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: Hitachi HTS543232A7A384 +++++--- User ---[MBR] 26953a3371e7f7a75f1928fc84653866[bSP] 9f4629260822f77fa8988586025402a2 : Windows 7 MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 290918 Mo2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 596209664 | Size: 14023 Mo3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 624928768 | Size: 103 MoUser != LL1 ... KO!--- LL1 ---[MBR] 3c4170eccd1b2ffe9073060d3d4b4f85[bSP] 9f4629260822f77fa8988586025402a2 : Windows 7 MBR CodePartition table:1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 290918 Mo3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 596209664 | Size: 14023 MoUser != LL2 ... KO!--- LL2 ---[MBR] 3c4170eccd1b2ffe9073060d3d4b4f85[bSP] 9f4629260822f77fa8988586025402a2 : Windows 7 MBR CodePartition table:1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 290918 Mo3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 596209664 | Size: 14023 MoFinished : << RKreport[1].txt >>RKreport[1].txt Link to post Share on other sites More sharing options...
MrCharlie Posted September 26, 2012 ID:601328 Share Posted September 26, 2012 ¤¤¤ Infection : Root.MBR ¤¤¤Please read the directions carefully so you don't end up deleting something that is good!!Please download the latest version of TDSSKiller from here and save it to your Desktop.Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.Put a checkmark beside loaded modules.A reboot will be needed to apply the changes. Do it.TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.Then click on Change parameters in TDSSKiller.Check all boxes then click OK.Click the Start Scan button.The scan should take no longer than 2 minutes.If a suspicious object is detected, the default action will be Skip, click on Continue.Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.Here's a summary of what to do if you would like to print it out:If a suspicious object is detected, the default action will be Skip, click on ContinueIf you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please chooseSkip and click on ContinueAny entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.If malicious objects are found, they will show in the Scan results and offer three (3) options.Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.MrC Link to post Share on other sites More sharing options...
adrock322 Posted September 26, 2012 Author ID:601357 Share Posted September 26, 2012 1st log:20:59:35.0556 4868 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:2420:59:36.0149 4868 ============================================================20:59:36.0149 4868 Current date / time: 2012/09/25 20:59:36.014920:59:36.0149 4868 SystemInfo:20:59:36.0149 4868 20:59:36.0149 4868 OS Version: 6.1.7601 ServicePack: 1.020:59:36.0149 4868 Product type: Workstation20:59:36.0149 4868 ComputerName: AWSOMENESS20:59:36.0149 4868 UserName: worldpeace20:59:36.0149 4868 Windows directory: C:\Windows20:59:36.0149 4868 System windows directory: C:\Windows20:59:36.0149 4868 Running under WOW6420:59:36.0149 4868 Processor architecture: Intel x6420:59:36.0149 4868 Number of processors: 220:59:36.0149 4868 Page size: 0x100020:59:36.0149 4868 Boot type: Normal boot20:59:36.0149 4868 ============================================================20:59:36.0929 4868 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x0000004020:59:36.0945 4868 ============================================================20:59:36.0945 4868 \Device\Harddisk0\DR0:20:59:36.0945 4868 MBR partitions:20:59:36.0945 4868 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x6380020:59:36.0945 4868 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x64000, BlocksNum 0x2383300020:59:36.0945 4868 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x23897000, BlocksNum 0x1B6380020:59:36.0945 4868 ============================================================20:59:36.0960 4868 C: <-> \Device\Harddisk0\DR0\Partition220:59:37.0023 4868 D: <-> \Device\Harddisk0\DR0\Partition320:59:37.0023 4868 ============================================================20:59:37.0023 4868 Initialize success20:59:37.0023 4868 ============================================================21:00:11.0702 6000 Deinitialize success Link to post Share on other sites More sharing options...
adrock322 Posted September 26, 2012 Author ID:601358 Share Posted September 26, 2012 2nd log is too long to post. tdss killer found 4 threats, i chose "skip" for all including the \Device\Harddisk0\DR0 item. Link to post Share on other sites More sharing options...
MrCharlie Posted September 26, 2012 ID:601360 Share Posted September 26, 2012 Attach it pleaseClick the "More Reply Options" button bottom right of this page The new window that comes up will give you the option to attach the log.MrC Link to post Share on other sites More sharing options...
adrock322 Posted September 26, 2012 Author ID:601365 Share Posted September 26, 2012 TDSSKiller.2.8.10.0_25.09.2012_21.02.39_log.txt Link to post Share on other sites More sharing options...
MrCharlie Posted September 26, 2012 ID:601442 Share Posted September 26, 2012 Was there an option to cure this one?21:06:42.0337 4276 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - skipped by user21:06:42.0337 4276 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Skip Let me know, MrC Link to post Share on other sites More sharing options...
adrock322 Posted September 26, 2012 Author ID:601492 Share Posted September 26, 2012 Yes, there was, but the instructions said to skip it and cure it so i wasn't sure. Do it again w/ Cure? Link to post Share on other sites More sharing options...
MrCharlie Posted September 26, 2012 ID:601496 Share Posted September 26, 2012 Yes and post the log, MrC Link to post Share on other sites More sharing options...
adrock322 Posted September 26, 2012 Author ID:601500 Share Posted September 26, 2012 looks like it might've worked? last scan showed 3 threats instead of 4...TDSSKiller.2.8.10.0_26.09.2012_08.36.47_log.txtTDSSKiller.2.8.10.0_26.09.2012_08.39.13_log.txtTDSSKiller.2.8.10.0_26.09.2012_08.46.43_log.txt Link to post Share on other sites More sharing options...
MrCharlie Posted September 26, 2012 ID:601514 Share Posted September 26, 2012 OK, lets get this one now:Run TDSSKiller again and choose Delete for this one only: (no need to post the log)08:49:14.0922 2372 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user08:49:14.0922 2372 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: SkipMrC Link to post Share on other sites More sharing options...
adrock322 Posted September 26, 2012 Author ID:601523 Share Posted September 26, 2012 and done. end screen now says "found: 3 threats, Neutralized: 1 threat" Link to post Share on other sites More sharing options...
MrCharlie Posted September 26, 2012 ID:601525 Share Posted September 26, 2012 These two are OK > that's all that should show now.08:49:14.0906 2372 IconMan_R ( UnsignedFile.Multi.Generic ) - skipped by user08:49:14.0906 2372 IconMan_R ( UnsignedFile.Multi.Generic ) - User select action: Skip08:49:14.0906 2372 LightScribeService ( UnsignedFile.Multi.Generic ) - skipped by user08:49:14.0906 2372 LightScribeService ( UnsignedFile.Multi.Generic ) - User select action: Skip~~~~~~~~~~~~~~~~~~~~~~~~~Please Update and run a Quick Scan with MBAM, post the report.Make sure that everything is checked, and click Remove Selected.Reboot and .....Scan the system with RogueKiller again and post the new log, MrC Link to post Share on other sites More sharing options...
adrock322 Posted September 26, 2012 Author ID:601588 Share Posted September 26, 2012 RogueKiller V8.0.5 [09/23/2012] by Tigzymail: tigzyRK<at>gmail<dot>comFeedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/Blog: http://tigzyrk.blogspot.comOperating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits versionStarted in : Normal modeUser : worldpeace [Admin rights]Mode : Scan -- Date : 09/26/2012 13:44:19¤¤¤ Bad processes : 0 ¤¤¤¤¤¤ Registry Entries : 5 ¤¤¤[TASK][sUSP PATH] CandyUpdater.job : C:\Users\worldpeace\AppData\Local\ArcadeCandy\candyUpdater.exe -> FOUND[TASK][sUSP PATH] CandyUpdater : C:\Users\worldpeace\AppData\Local\ArcadeCandy\candyUpdater.exe -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND[sCREENSV][sUSP PATH] HKCU\[...]\Desktop (C:\Windows\WLXPGSS.scr) -> FOUND¤¤¤ Particular Files / Folders: ¤¤¤¤¤¤ Driver : [NOT LOADED] ¤¤¤¤¤¤ Extern Hives: ¤¤¤¤¤¤ Infection : ¤¤¤¤¤¤ HOSTS File: ¤¤¤--> C:\Windows\system32\drivers\etc\hosts127.0.0.1 www.007guard.com127.0.0.1 007guard.com127.0.0.1 008i.com127.0.0.1 www.008k.com127.0.0.1 008k.com127.0.0.1 www.00hq.com127.0.0.1 00hq.com127.0.0.1 010402.com127.0.0.1 www.032439.com127.0.0.1 032439.com127.0.0.1 www.0scan.com127.0.0.1 0scan.com127.0.0.1 www.1000gratisproben.com127.0.0.1 1000gratisproben.com127.0.0.1 1001namen.com127.0.0.1 www.1001namen.com127.0.0.1 100888290cs.com127.0.0.1 www.100888290cs.com127.0.0.1 www.100sexlinks.com127.0.0.1 100sexlinks.com[...]¤¤¤ MBR Check: ¤¤¤+++++ PhysicalDrive0: Hitachi HTS543232A7A384 +++++--- User ---[MBR] 26953a3371e7f7a75f1928fc84653866[bSP] 9f4629260822f77fa8988586025402a2 : Windows 7 MBR CodePartition table:0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 290918 Mo2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 596209664 | Size: 14023 Mo3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 624928768 | Size: 103 MoUser = LL1 ... OK!User = LL2 ... OK!Finished : << RKreport[1].txt >>RKreport[1].txt Link to post Share on other sites More sharing options...
MrCharlie Posted September 26, 2012 ID:601597 Share Posted September 26, 2012 Did you run MB and can you post the log, MrC Link to post Share on other sites More sharing options...
adrock322 Posted September 26, 2012 Author ID:601604 Share Posted September 26, 2012 Malwarebytes Anti-Malware (Trial) 1.65.0.1400www.malwarebytes.orgDatabase version: v2012.09.26.11Windows 7 Service Pack 1 x64 NTFSInternet Explorer 8.0.7601.17514worldpeace :: AWSOMENESS [administrator]Protection: Enabled9/26/2012 2:11:45 PMmbam-log-2012-09-26 (14-11-45).txtScan type: Quick scanScan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUMScan options disabled: P2PObjects scanned: 199926Time elapsed: 1 minute(s), 14 second(s)Memory Processes Detected: 0(No malicious items detected)Memory Modules Detected: 0(No malicious items detected)Registry Keys Detected: 0(No malicious items detected)Registry Values Detected: 0(No malicious items detected)Registry Data Items Detected: 0(No malicious items detected)Folders Detected: 0(No malicious items detected)Files Detected: 0(No malicious items detected)(end) Link to post Share on other sites More sharing options...
MrCharlie Posted September 26, 2012 ID:601636 Share Posted September 26, 2012 Looks Good!How is it??? MrC Link to post Share on other sites More sharing options...
adrock322 Posted September 26, 2012 Author ID:601677 Share Posted September 26, 2012 Fantastic! MrC is Champion of the World! Thanks a lot brother! Link to post Share on other sites More sharing options...
MrCharlie Posted September 26, 2012 ID:601678 Share Posted September 26, 2012 Great Lets check your computers security before you go and we have a little cleanup to do also:Download Security Check by screen317 from HERE or HERE.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.MrC Link to post Share on other sites More sharing options...
MrCharlie Posted September 29, 2012 ID:602455 Share Posted September 29, 2012 How are we doing??Do you still need help or can I close this post??MrC Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 30, 2012 ID:602754 Share Posted September 30, 2012 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts