dusktilldawnll
Posted August 14, 2013

Hello. I routinely run Malwarebytes and I keep getting some kind of "PUP" virus... It removes the virus, but when I run Malwarebytes again, it shows up again. Here is the log generated on my most recent scan:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.14.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Heywang :: HAYWANG_LAPTOP [administrator]

8/14/2013 8:32:46 AM
mbam-log-2013-08-14 (08-32-46).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 330334
Time elapsed: 1 hour(s), 15 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 5
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311321154} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
HKCR\CLSID\{11111111-1111-1111-1111-110311321154} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440344324454} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550355325554} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0033254.BHO.1 (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
D:\My Documents\Downloads\Setup.exe (PUP.Optional.Solimba) -> Quarantined and deleted successfully.
C:\Program Files\Safe Saver\Safe Saver-bho.dll (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.

(end)

Suggestion on how to properly remove this virus? Thanks in advance for your help.

Chris.
MrCharlie
Posted August 14, 2013

Welcome to the forum, please start HERE

Post back the 2 logs here.....DDS.txt and Attach.txt
(please don't put logs in code or quotes)

P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.
Failure to remove such software will result in your topic being closed and no further assistance being provided.

<====><====><====><====><====><====><====><====>

Next................

Please download and run RogueKiller 32 bit to your desktop.

RogueKiller <--- use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)

MrC

Note: Please read all of my instructions completely including these.

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong!
Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
<+>The removal of malware isn't instantaneous, please be patient.
<+>When we are done, I'll give you instructions on how to cleanup all the tools and logs
<+>Please stick with me until I give you the "all clear" and please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)
dusktilldawnll (Author)
Posted August 15, 2013

Good morning. See attached:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.6000.17055  BrowserJavaVersion: 10.25.2
Run by Heywang at 9:26:10 on 2013-08-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.1891 [GMT -4:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Fitbit Connect\FitbitConnectService.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Fitbit Connect\Fitbit Connect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Heywang\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Documents and Settings\Heywang\Application Data\Smilebox\SmileboxTray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\HP Officejet 6600\Bin\ScanToPCActivationApp.exe
C:\Program Files\McAfee Security Scan\3.0.318\SSScheduler.exe
C:\Documents and Settings\Heywang\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\iTunesToAndroid\iTunesToAndroid\iTunesToAndroid.exe
C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
C:\Program Files\HP\HP Officejet 6600\Bin\HPNetworkCommunicatorCom.exe
C:\Program Files\HP\HP Officejet 6600\Bin\HPNetworkCommunicator.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uProxyServer = :0
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.0.318\McAfeeMSS_IE.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Web Assistant: {336D0C35-8A85-403a-B9D2-65C292C39087} - c:\program files\web assistant\Extension32.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Octoshape Streaming Services] "c:\documents and settings\heywang\application data\octoshape\octoshape streaming services\OctoshapeClient.exe" -inv:bootrun
uRun: [Google Update] "c:\documents and settings\heywang\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Download] "c:\documents and settings\heywang\local settings\application data\supportsoft\ddoctorv2\heywang\ssGet.exe" 120 "http://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe"
uRun: [SmileboxTray] "c:\documents and settings\heywang\application data\smilebox\SmileboxTray.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [HP Officejet 6600 (NET)] "c:\program files\hp\hp officejet 6600\bin\ScanToPCActivationApp.exe" -deviceID "CN35E6RHRG05RN:NW" -scfn "HP Officejet 6600 (NET)" -AutoStart 1
uRun: [Fitbit Connect] "c:\program files\fitbit connect\Fitbit Connect.exe" /autorun
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Fitbit Connect] "c:\program files\fitbit connect\Fitbit Connect.exe" /autorun
StartupFolder: c:\docume~1\heywang\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\heywang\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\heywang\startm~1\programs\startup\monito~1.lnk - c:\windows\system32\RunDll32.exe
StartupFolder: c:\docume~1\heywang\startm~1\programs\startup\shortc~1.lnk - c:\documents and settings\heywang\application data\microsoft\installer\{0b375bbc-9519-4e39-af06-26f9b4bd1653}\_AF5A0734A3D9313FE34082.exe
StartupFolder: c:\docume~1\heywang\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\3.0.318\SSScheduler.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - c:\program files\hewlett-packard\smart print 2.0\smartprintsetup.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: NameServer = 208.67.222.222 208.67.220.220 75.75.75.75
TCP: Interfaces\{31ACF6F0-7766-489F-BB50-00A88C6FE895} : DHCPNameServer = 208.67.222.222 208.67.220.220 75.75.75.75
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - 
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\heywang\application data\mozilla\firefox\profiles\0hytz6j9.default\
FF - prefs.js: browser.search.selectedEngine - 
FF - plugin: c:\documents and settings\heywang\application data\mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\heywang\local settings\application data\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\heywang\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol500.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.id - f42fdce3000000000000001fe1d0618f
FF - user.js: extensions.BabylonToolbar_i.hardId - f42fdce3000000000000001fe1d0618f
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15463
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1714:38:47
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - tb9
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=109935
FF - user.js: extensions.BabylonToolbar_i.babExt - 
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
FF - user.js: extensions.delta.tlbrSrchUrl - 
FF - user.js: extensions.delta.id - f42fdce3000000000000001fe1d061ab
FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
FF - user.js: extensions.delta.instlDay - 15919
FF - user.js: extensions.delta.vrsn - 1.8.22.0
FF - user.js: extensions.delta.vrsni - 1.8.22.0
FF - user.js: extensions.delta.vrsnTs - 1.8.22.023:38:33
FF - user.js: extensions.delta.prtnrId - delta
FF - user.js: extensions.delta.prdct - delta
FF - user.js: extensions.delta.aflt - babsst
FF - user.js: extensions.delta.smplGrp - none
FF - user.js: extensions.delta.tlbrId - base
FF - user.js: extensions.delta.instlRef - sst
FF - user.js: extensions.delta.dfltLng - en
FF - user.js: extensions.delta.excTlbr - false
FF - user.js: extensions.delta.ffxUnstlRst - true
FF - user.js: extensions.delta.admin - false
FF - user.js: extensions.delta_i.babTrack - affID=119360&tsp=4962
FF - user.js: extensions.delta_i.babExt - 
FF - user.js: extensions.delta_i.srcExt - ss
FF - user.js: extensions.delta.autoRvrt - false
FF - user.js: extensions.delta.rvrt - false
FF - user.js: extensions.delta.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2010-6-29 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2010-6-29 5248]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 Fitbit Connect;Fitbit Connect Service;c:\program files\fitbit connect\FitbitConnectService.exe [2013-2-25 1239584]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-6-29 47640]
R3 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2010-6-29 51288]
R3 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2010-6-29 43608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ltixo;Manager Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 DraftSight API Service;DraftSight API Service;c:\program files\dassault systemes\draftsight\bin\dsHttpApiService.exe [2012-1-24 78336]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-12-30 24576]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.0.318\McCHSvc.exe [2013-2-5 235216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2013-08-06 21:56:19 -------- d-----w- c:\documents and settings\heywang\local settings\application data\Identities
2013-08-06 21:56:15 -------- d-----w- c:\documents and settings\heywang\application data\Windows Desktop Search
2013-08-02 03:38:33 -------- d-----w- c:\program files\common files\Symantec Shared
2013-08-02 03:38:28 -------- d-----w- c:\program files\Delta
2013-08-02 03:38:17 -------- d-----w- c:\windows\system32\drivers\nss\0400010.010
2013-08-02 03:38:17 -------- d-----w- c:\windows\system32\drivers\NSS
2013-08-02 03:38:17 -------- d-----w- c:\program files\Norton Security Scan
2013-08-02 03:38:16 -------- d-----w- c:\documents and settings\all users\application data\Norton
2013-08-02 03:38:05 -------- d-----w- c:\program files\NortonInstaller
2013-08-02 03:38:04 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
2013-08-02 03:37:59 -------- d-----w- c:\program files\Safe Saver
2013-08-02 03:37:51 -------- d-----w- c:\documents and settings\all users\application data\FitbitConnect
2013-08-02 03:37:50 -------- d-----w- c:\program files\Fitbit Connect
2013-08-01 23:42:40 580712 ------w- c:\windows\system32\HPDiscoPM5D12.dll
2013-08-01 23:42:38 496016 ----a-w- c:\windows\system32\HPWia1_OJ6600.dll
2013-08-01 23:42:38 1979280 ----a-w- c:\windows\system32\HPScanTRDrv_OJ6600.dll
2013-08-01 23:42:34 529296 ----a-w- c:\windows\system32\hpinksts5D12.dll
2013-08-01 23:42:34 269200 ----a-w- c:\windows\system32\hpinksts5D12LM.dll
2013-08-01 23:42:34 2216848 ----a-w- c:\windows\system32\hpinkins5D12.exe
2013-08-01 23:42:34 221072 ----a-w- c:\windows\system32\hpinkcoi5D12.dll
.
==================== Find3M ====================
.
2013-06-23 17:28:23 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-23 17:28:21 867240 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-06-23 17:28:21 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-06-23 17:28:21 144896 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 9:26:43.46 ===============
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/7/2005 11:24:05 AM
System Uptime: 8/14/2013 10:13:09 AM (23 hours ago)
.
Motherboard: Dell Inc. |  | 0M277C
Processor: Intel® Core2 Duo CPU T5870 @ 2.00GHz | U2E1 | 1576/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 60 GiB total, 20.109 GiB free.
D: is FIXED (NTFS) - 89 GiB total, 40.545 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1013: 5/17/2013 8:43:41 PM - System Checkpoint
RP1014: 5/18/2013 9:35:29 PM - System Checkpoint
RP1015: 5/19/2013 10:54:59 PM - System Checkpoint
RP1016: 5/20/2013 11:34:23 PM - System Checkpoint
RP1017: 5/21/2013 11:34:35 PM - System Checkpoint
RP1018: 5/23/2013 12:00:04 AM - System Checkpoint
RP1019: 5/24/2013 12:16:28 AM - System Checkpoint
RP1020: 5/25/2013 1:00:04 AM - System Checkpoint
RP1021: 5/26/2013 2:00:04 AM - System Checkpoint
RP1022: 5/27/2013 3:00:04 AM - System Checkpoint
RP1023: 5/28/2013 4:00:04 AM - System Checkpoint
RP1024: 5/29/2013 5:00:04 AM - System Checkpoint
RP1025: 5/30/2013 5:57:17 AM - System Checkpoint
RP1026: 5/31/2013 6:57:17 AM - System Checkpoint
RP1027: 6/1/2013 7:57:17 AM - System Checkpoint
RP1028: 6/2/2013 8:57:17 AM - System Checkpoint
RP1029: 6/3/2013 9:08:18 AM - System Checkpoint
RP1030: 6/4/2013 9:57:17 AM - System Checkpoint
RP1031: 6/5/2013 9:57:32 AM - System Checkpoint
RP1032: 6/6/2013 10:40:08 AM - System Checkpoint
RP1033: 6/7/2013 12:29:22 PM - System Checkpoint
RP1034: 6/8/2013 12:41:12 PM - System Checkpoint
RP1035: 6/10/2013 12:14:51 AM - System Checkpoint
RP1036: 6/11/2013 12:48:53 AM - System Checkpoint
RP1037: 6/12/2013 1:21:29 AM - System Checkpoint
RP1038: 6/13/2013 1:21:40 AM - System Checkpoint
RP1039: 6/14/2013 2:21:40 AM - System Checkpoint
RP1040: 6/15/2013 3:59:23 PM - System Checkpoint
RP1041: 6/16/2013 4:59:09 PM - System Checkpoint
RP1042: 6/17/2013 7:37:12 PM - System Checkpoint
RP1043: 6/18/2013 7:59:09 PM - System Checkpoint
RP1044: 6/19/2013 8:59:09 PM - System Checkpoint
RP1045: 6/20/2013 9:59:09 PM - System Checkpoint
RP1046: 6/21/2013 10:57:36 PM - System Checkpoint
RP1047: 6/22/2013 11:10:21 PM - System Checkpoint
RP1048: 6/23/2013 1:03:21 PM - Installed Catalina Savings Printer.
RP1049: 6/23/2013 1:28:12 PM - Installed Java 7 Update 25
RP1050: 6/24/2013 1:57:35 PM - System Checkpoint
RP1051: 6/25/2013 2:57:35 PM - System Checkpoint
RP1052: 6/26/2013 5:20:32 PM - System Checkpoint
RP1053: 6/27/2013 5:57:34 PM - System Checkpoint
RP1054: 6/28/2013 8:09:24 PM - System Checkpoint
RP1055: 6/29/2013 9:06:53 PM - System Checkpoint
RP1056: 6/30/2013 9:47:23 PM - System Checkpoint
RP1057: 7/1/2013 10:47:22 PM - System Checkpoint
RP1058: 7/2/2013 11:47:22 PM - System Checkpoint
RP1059: 7/4/2013 12:47:23 AM - System Checkpoint
RP1060: 7/5/2013 1:47:22 AM - System Checkpoint
RP1061: 7/6/2013 9:54:55 AM - System Checkpoint
RP1062: 7/7/2013 10:09:26 AM - System Checkpoint
RP1063: 7/8/2013 11:17:39 AM - System Checkpoint
RP1064: 7/9/2013 12:03:10 PM - System Checkpoint
RP1065: 7/10/2013 12:50:18 PM - System Checkpoint
RP1066: 7/11/2013 2:00:00 PM - System Checkpoint
RP1067: 7/12/2013 2:03:27 PM - System Checkpoint
RP1068: 7/13/2013 2:03:37 PM - System Checkpoint
RP1069: 7/14/2013 2:20:29 PM - System Checkpoint
RP1070: 7/15/2013 2:26:41 PM - System Checkpoint
RP1071: 7/16/2013 3:32:11 PM - System Checkpoint
RP1072: 7/17/2013 3:35:02 PM - System Checkpoint
RP1073: 7/18/2013 4:05:06 PM - System Checkpoint
RP1074: 7/19/2013 5:06:10 PM - System Checkpoint
RP1075: 7/20/2013 6:05:05 PM - System Checkpoint
RP1076: 7/21/2013 6:46:06 PM - System Checkpoint
RP1077: 7/22/2013 7:39:38 PM - System Checkpoint
RP1078: 7/23/2013 7:56:31 PM - System Checkpoint
RP1079: 7/24/2013 8:18:07 PM - System Checkpoint
RP1080: 7/25/2013 8:38:33 PM - System Checkpoint
RP1081: 7/26/2013 8:39:38 PM - System Checkpoint
RP1082: 7/27/2013 9:58:06 PM - System Checkpoint
RP1083: 7/28/2013 10:38:48 PM - System Checkpoint
RP1084: 7/29/2013 11:38:48 PM - System Checkpoint
RP1085: 7/31/2013 12:38:49 AM - System Checkpoint
RP1086: 8/1/2013 1:36:18 AM - System Checkpoint
RP1087: 8/1/2013 6:57:38 PM - Removed HP Update.
RP1088: 8/2/2013 7:32:02 PM - System Checkpoint
RP1089: 8/2/2013 9:29:53 PM - Removed Desktop Doctor
RP1090: 8/2/2013 9:31:26 PM - Removed FlipShare
RP1091: 8/3/2013 9:39:56 PM - System Checkpoint
RP1092: 8/4/2013 10:08:33 PM - System Checkpoint
RP1093: 8/5/2013 11:08:34 PM - System Checkpoint
RP1094: 8/6/2013 11:48:15 PM - System Checkpoint
RP1095: 8/8/2013 12:44:16 AM - System Checkpoint
RP1096: 8/9/2013 12:58:30 AM - System Checkpoint
RP1097: 8/10/2013 1:35:12 AM - System Checkpoint
RP1098: 8/11/2013 2:35:11 AM - System Checkpoint
RP1099: 8/12/2013 3:35:10 AM - System Checkpoint
RP1100: 8/13/2013 4:13:04 AM - System Checkpoint
RP1101: 8/14/2013 5:13:03 AM - System Checkpoint
RP1102: 8/15/2013 5:17:14 AM - System Checkpoint
.
==== Installed Programs ======================
.
2007 Microsoft Office Suite Service Pack 2 (SP2)
32 Bit HP CIO Components Installer
3DVIA player 5.0
3ivx MPEG-4 5.0.3 (remove only)
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Autodesk Inventor Plug-In 8.0
Autodesk Volo View 3.0
AutoDWG DWG to PDF Converter
Bonjour
bpd_scan
Catalina Savings Printer
CCleaner
DAEMON Tools
Dell Wireless WLAN Card Utility
DeviceFunctionQFolder
DraftSight
Dropbox
Fitbit Connect
Google Chrome
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Officejet 6600 Basic Device Software
HP Officejet 6600 Help
HP Officejet 6600 Product Improvement Study
HP Update
HPProductAssistant
HTC Driver Installer
I.R.I.S. OCR
InstantShareAlert
Intel® Graphics Media Accelerator Driver
iTunesToAndroid
Java 7 Update 25
Java Auto Updater
Java 6 Update 20
LogMeIn
Malwarebytes Anti-Malware version 1.75.0.1300
McAfee Security Scan Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Mozilla Firefox (3.6.28)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Demo
Norton Security Scan
O2Micro Flash Memory Card Reader Driver (x86)
Octoshape Streaming Services
Picaboo X
Picasa 3
QuickBooks
QuickBooks Premier: Accountant Edition 2010
QuickTime
Reading Readiness
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Safe Saver
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB982381)
Smilebox
Sprint Desktop Sync
SUPERAntiSpyware
Synaptics Pointing Device Driver
Toolbox
Unity Web Player
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Windows (KB971513)
Update for Outlook 2007 Junk Email Filter (kb983486)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Web Assistant version 2.0.0.612
WebEx
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 10
Windows Search 4.0
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
8/8/2013 8:27:51 AM, error: Dhcp [1002] - The IP address lease 192.168.1.108 for the Network Card with network address 001FE1D061AB has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
8/8/2013 4:54:57 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
8/8/2013 11:44:37 PM, error: WPDMTPDriver [15300] - MTP WPD Driver has failed to start. Error 0x80070005.
8/8/2013 10:38:27 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
8/8/2013 10:38:27 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/8/2013 10:38:27 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/8/2013 10:38:27 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/8/2013 10:38:27 AM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/8/2013 10:38:27 AM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/8/2013 1:02:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/8/2013 1:02:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
.
==== End Of File ===========================

The report from RogueKiller, where would I find it on my desktop? I found a folder labeled RK_Quarantine.
Opened the folder and found a .dat file, but could not open it. Is this the file you are needing? Thanks a lot. Chris Link to post Share on other sites More sharing options...
MrCharlie Posted August 15, 2013 ID:715424

Please uninstall Web Assistant version 2.0.0.612 from your add/remove programs. Then.....

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs. AdwCleaner is a tool that deletes :
· Adwares (software ads)
· PUP/LPI (Potentially Undesirable Program)
· Toolbars
· Hijacker (Hijack of the browser's homepage)
It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
Now click on the Search tab.
Please post the contents of the log-file created in your next post.
Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.

Note: Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain why it shouldn't be on your system.

If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using Adwcleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetections before using AdwCleaner. You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:

/DisableAskDetection - This option disables Ask Toolbar detection.

MrC
dusktilldawnll Posted August 15, 2013 Author ID:715434

RogueKiller Report.....

RogueKiller V8.6.5 [Aug 5 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Heywang [Admin rights]
Mode : Scan -- Date : 08/15/2013 09:51:03
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] SmileboxTray.exe -- C:\Documents and Settings\Heywang\Application Data\Smilebox\SmileboxTray.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 11 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Google Update ("C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c [7]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : SmileboxTray ("C:\Documents and Settings\Heywang\Application Data\Smilebox\SmileboxTray.exe" [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1482476501-1284227242-839522115-1004\[...]\Run : Google Update ("C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1482476501-1284227242-839522115-1004\[...]\Run : SmileboxTray ("C:\Documents and Settings\Heywang\Application Data\Smilebox\SmileboxTray.exe" [7]) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (:0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 4 ¤¤¤
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-1482476501-1284227242-839522115-1004UA.job : C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe - /ua /installsource scheduler [7][x] -> FOUND
[V1][SUSP PATH] GoogleUpdateTaskUserS-1-5-21-1482476501-1284227242-839522115-1004Core.job : C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Update\GoogleUpdate.exe - /c [7] -> FOUND

¤¤¤ Startup Entries : 2 ¤¤¤
[Heywang][SUSP PATH] Shortcut to iTunesToAndroid.exe.lnk : C:\Documents and Settings\Heywang\Start Menu\Programs\Startup\Shortcut to iTunesToAndroid.exe.lnk @C:\Documents and Settings\Heywang\Application Data\Microsoft\Installer\{0B375BBC-9519-4E39-AF06-26F9B4BD1653}\_AF5A0734A3D9313FE34082.exe [-][-] -> FOUND
[Heywang][SUSP PATH] Sprint media monitor.lnk : C:\Documents and Settings\Heywang\Start Menu\Programs\Startup\Sprint media monitor.lnk @C:\WINDOWS\RM.exe -m [-][7] -> FOUND

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHZ2160BH G2 +++++
--- User ---
[MBR] f4fff58a289d8b3072ff95ce77e3e57d
[BSP] 2459850cadfc3fbc117a6ce3be8bcf75 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 61545 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 126045990 | Size: 91079 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08152013_095103.txt >>

AdwCleaner report.......

# AdwCleaner v2.306 - Logfile created 08/15/2013 at 10:42:35
# Updated 19/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Heywang - HAYWANG_LAPTOP
# Boot Mode : Normal
# Running from : D:\My Documents\Downloads\adwcleaner (1).exe
# Option [Search]

***** [Services] *****

***** [Files / Folders] *****

File Found : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\bProtector_extensions.rdf
File Found : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\searchplugins\Babylon.xml
File Found : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\searchplugins\BrowserDefender.xml
File Found : C:\Program Files\Mozilla Firefox\.autoreg
File Found : C:\user.js
Folder Found : C:\DOCUME~1\Heywang\LOCALS~1\Temp\CT3220468
Folder Found : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Found : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
Folder Found : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\extensions\ffxtlbr@babylon.com
Folder Found : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\extensions\ffxtlbr@delta.com
Folder Found : C:\Documents and Settings\Heywang\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Folder Found : C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Folder Found : C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Folder Found : C:\Program Files\Conduit
Folder Found : C:\Program Files\delta

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\BabSolution
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Crossrider
Key Found : HKCU\Software\DataMngr
Key Found : HKCU\Software\DataMngr_Toolbar
Key Found : HKCU\Software\Delta
Key Found : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Found : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\InstalledBrowserExtensions
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{336D0C35-8A85-403A-B9D2-65C292C39087}
Key Found : HKCU\Software\SmartBar
Key Found : HKCU\Software\Web Assistant
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\Software\Babylon
Key Found : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Found : HKLM\SOFTWARE\Classes\AppID\{39CB8175-E224-4446-8746-00566302DF8D}
Key Found : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Found : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Found : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Found : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Found : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Found : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0033254.BHO
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0033254.Sandbox
Key Found : HKLM\SOFTWARE\Classes\CrossriderApp0033254.Sandbox.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{1231839B-064E-4788-B865-465A1B5266FD}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2DAC2231-CC35-482B-97C5-CED1D4185080}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3F1CD84C-04A3-4EA0-9EA1-7D134FD66C82}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3F83A9CA-B5F0-44EC-9357-35BB3E84B07F}
Key Found : HKLM\SOFTWARE\Classes\Interface\{47E520EA-CAD2-4F51-8F30-613B3A1C33EB}
Key Found : HKLM\SOFTWARE\Classes\Interface\{57C91446-8D81-4156-A70E-624551442DE9}
Key Found : HKLM\SOFTWARE\Classes\Interface\{70AFB7B2-9FB5-4A70-905B-0E9576142E1D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{7AD65FD1-79E0-406D-B03C-DD7C14726D69}
Key Found : HKLM\SOFTWARE\Classes\Interface\{97DD820D-2E20-40AD-B01E-6730B2FCE630}
Key Found : HKLM\SOFTWARE\Classes\Interface\{B177446D-54A4-4869-BABC-8566110B4BE0}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D9D1DFC5-502D-43E4-B1BB-4D0B7841489A}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E0B07188-A528-4F9E-B2F7-C7FDE8680AE4}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}
Key Found : HKLM\SOFTWARE\Classes\Prod.cap
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3220468
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\d2dc8fe06fb942
Key Found : HKLM\Software\DataMngr
Key Found : HKLM\Software\Delta
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Delta
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Delta Chrome Toolbar
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Found : HKLM\Software\Tarma Installer
Key Found : HKLM\Software\Web Assistant
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{336D0C35-8A85-403a-B9D2-65C292C39087}]

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6000.17055

[OK] Registry is clean.

-\\ Mozilla Firefox v3.6.28 (en-US)

File : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\prefs.js

Found : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
Found : user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
Found : user_pref("browser.search.order.1", "Search the web (Babylon)");
Found : user_pref("extensions.BabylonToolbar.admin", false);
Found : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Found : user_pref("extensions.BabylonToolbar.babExt", "");
Found : user_pref("extensions.BabylonToolbar.babTrack", "affID=109935");
Found : user_pref("extensions.BabylonToolbar.bbDpng", 30);
Found : user_pref("extensions.BabylonToolbar.dfltLng", "en");
Found : user_pref("extensions.BabylonToolbar.dfltSrch", true);
Found : user_pref("extensions.BabylonToolbar.hmpg", true);
Found : user_pref("extensions.BabylonToolbar.id", "f42fdce3000000000000001fe1d0618f");
Found : user_pref("extensions.BabylonToolbar.instlDay", "15463");
Found : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Found : user_pref("extensions.BabylonToolbar.lastDP", 30);
Found : user_pref("extensions.BabylonToolbar.lastVrsnTs", "1.5.3.1714:38:47");
Found : user_pref("extensions.BabylonToolbar.mntrFFxVrsn", "3.6");
Found : user_pref("extensions.BabylonToolbar.newTab", true);
Found : user_pref("extensions.BabylonToolbar.noFFXTlbr", false);
Found : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Found : user_pref("extensions.BabylonToolbar.propectorlck", 85009168);
Found : user_pref("extensions.BabylonToolbar.prtkDS", 1);
Found : user_pref("extensions.BabylonToolbar.prtkHmpg", 1);
Found : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Found : user_pref("extensions.BabylonToolbar.ptch_0717", true);
Found : user_pref("extensions.BabylonToolbar.smplGrp", "none");
Found : user_pref("extensions.BabylonToolbar.srcExt", "ss");
Found : user_pref("extensions.BabylonToolbar.tlbrId", "tb9");
Found : user_pref("extensions.BabylonToolbar.vrsn", "1.5.3.17");
Found : user_pref("extensions.BabylonToolbar.vrsnTs", "1.5.3.1714:38:47");
Found : user_pref("extensions.BabylonToolbar.vrsni", "1.5.3.17");
Found : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Found : user_pref("extensions.BabylonToolbar_i.babExt", "");
Found : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=109935");
Found : user_pref("extensions.BabylonToolbar_i.hardId", "f42fdce3000000000000001fe1d0618f");
Found : user_pref("extensions.BabylonToolbar_i.id", "f42fdce3000000000000001fe1d0618f");
Found : user_pref("extensions.BabylonToolbar_i.instlDay", "15463");
Found : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Found : user_pref("extensions.BabylonToolbar_i.newTab", false);
Found : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Found : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Found : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Found : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Found : user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");
Found : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Found : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1714:38:47");
Found : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Found : user_pref("{336D0C35-8A85-403a-B9D2-65C292C39087}.ScriptData_WSG_whiteList", "{\"search.babylon.com\[...]
Found : user_pref("CT3220468.autoDisableScopes", 0);
Found : user_pref("CT3220468.InstallDate", "30/1/2013 13:48:13");

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zpzlwpd7.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v28.0.1500.95

File : C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Found [l.46] : keyword = "babylon.com",

*************************

AdwCleaner[R1].txt - [11659 octets] - [15/08/2013 10:41:41]
AdwCleaner[R2].txt - [11589 octets] - [15/08/2013 10:42:35]

########## EOF - C:\AdwCleaner[R2].txt - [11650 octets] ##########
MrCharlie Posted August 15, 2013 ID:715436

Lots of adware found....let's clear it out.....

Please re-run AdwCleaner
Click on the Delete button.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile in your reply.
Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Then......

Please download Junkware Removal Tool to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Last.........

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report. Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC
dusktilldawnll Posted August 15, 2013 Author ID:715447

# AdwCleaner v2.306 - Logfile created 08/15/2013 at 10:57:49
# Updated 19/07/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Heywang - HAYWANG_LAPTOP
# Boot Mode : Normal
# Running from : D:\My Documents\Downloads\adwcleaner (1).exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Deleted on reboot : C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Deleted on reboot : C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
File Deleted : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\bProtector_extensions.rdf
File Deleted : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\searchplugins\Babylon.xml
File Deleted : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\searchplugins\BrowserDefender.xml
File Deleted : C:\Program Files\Mozilla Firefox\.autoreg
File Deleted : C:\user.js
Folder Deleted : C:\DOCUME~1\Heywang\LOCALS~1\Temp\CT3220468
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Babylon
Folder Deleted : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\extensions\{7473b6bd-4691-4744-a82b-7854eb3d70b6}
Folder Deleted : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\extensions\ffxtlbr@babylon.com
Folder Deleted : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\extensions\ffxtlbr@delta.com
Folder Deleted : C:\Documents and Settings\Heywang\Local Settings\Application Data\Conduit
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\delta

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\BabSolution
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Crossrider
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\Delta
Key Deleted : HKCU\Software\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{336D0C35-8A85-403A-B9D2-65C292C39087}
Key Deleted : HKCU\Software\SmartBar
Key Deleted : HKCU\Software\Web Assistant
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{39CB8175-E224-4446-8746-00566302DF8D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0033254.BHO
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0033254.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0033254.Sandbox.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1231839B-064E-4788-B865-465A1B5266FD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2DAC2231-CC35-482B-97C5-CED1D4185080}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F1CD84C-04A3-4EA0-9EA1-7D134FD66C82}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F83A9CA-B5F0-44EC-9357-35BB3E84B07F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{47E520EA-CAD2-4F51-8F30-613B3A1C33EB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{57C91446-8D81-4156-A70E-624551442DE9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{70AFB7B2-9FB5-4A70-905B-0E9576142E1D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{7AD65FD1-79E0-406D-B03C-DD7C14726D69}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{97DD820D-2E20-40AD-B01E-6730B2FCE630}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B177446D-54A4-4869-BABC-8566110B4BE0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D9D1DFC5-502D-43E4-B1BB-4D0B7841489A}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E0B07188-A528-4F9E-B2F7-C7FDE8680AE4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F05B12E1-ADE8-4485-B45B-898748B53C37}
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3220468
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4599D05A-D545-4069-BB42-5895B4EAE05B}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\d2dc8fe06fb942
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\Delta
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eooncjejnppfjjklapaamhcdmjbilmde
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{348C2DF3-1191-4C3E-92A6-B3A89A9D9C85}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Delta
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Delta Chrome Toolbar
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966
Key Deleted : HKLM\Software\Tarma Installer
Key Deleted : HKLM\Software\Web Assistant
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\extensions [{336D0C35-8A85-403a-B9D2-65C292C39087}]

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6000.17055

[OK] Registry is clean.

-\\ Mozilla Firefox v3.6.28 (en-US)

File : C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\prefs.js

C:\Documents and Settings\Heywang\Application Data\Mozilla\Firefox\Profiles\0hytz6j9.default\user.js ... Deleted !

Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
Deleted : user_pref("browser.search.defaultenginename", "Search the web (Babylon)");
Deleted : user_pref("browser.search.order.1", "Search the web (Babylon)");
Deleted : user_pref("extensions.BabylonToolbar.admin", false);
Deleted : user_pref("extensions.BabylonToolbar.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar.babTrack", "affID=109935");
Deleted : user_pref("extensions.BabylonToolbar.bbDpng", 30);
Deleted : user_pref("extensions.BabylonToolbar.dfltLng", "en");
Deleted : user_pref("extensions.BabylonToolbar.dfltSrch", true);
Deleted : user_pref("extensions.BabylonToolbar.hmpg", true);
Deleted : user_pref("extensions.BabylonToolbar.id", "f42fdce3000000000000001fe1d0618f");
Deleted : user_pref("extensions.BabylonToolbar.instlDay", "15463");
Deleted : user_pref("extensions.BabylonToolbar.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar.lastDP", 30);
Deleted : user_pref("extensions.BabylonToolbar.lastVrsnTs", "1.5.3.1714:38:47");
Deleted : user_pref("extensions.BabylonToolbar.mntrFFxVrsn", "3.6");
Deleted : user_pref("extensions.BabylonToolbar.newTab", true);
Deleted : user_pref("extensions.BabylonToolbar.noFFXTlbr", false);
Deleted : user_pref("extensions.BabylonToolbar.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar.propectorlck", 85009168);
Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 1);
Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 1);
Deleted : user_pref("extensions.BabylonToolbar.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar.ptch_0717", true);
Deleted : user_pref("extensions.BabylonToolbar.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar.tlbrId", "tb9");
Deleted : user_pref("extensions.BabylonToolbar.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar.vrsnTs", "1.5.3.1714:38:47");
Deleted : user_pref("extensions.BabylonToolbar.vrsni", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=109935");
Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "f42fdce3000000000000001fe1d0618f");
Deleted : user_pref("extensions.BabylonToolbar_i.id", "f42fdce3000000000000001fe1d0618f");
Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15463");
Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Deleted : user_pref("extensions.BabylonToolbar_i.newTab", false);
Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "tb9");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1714:38:47");
Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");
Deleted : user_pref("{336D0C35-8A85-403a-B9D2-65C292C39087}.ScriptData_WSG_whiteList", "{\"search.babylon.com\[...]
Deleted : user_pref("CT3220468.autoDisableScopes", 0);
Deleted : user_pref("CT3220468.InstallDate", "30/1/2013 13:48:13");

File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\zpzlwpd7.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v28.0.1500.95

File : C:\Documents and Settings\Heywang\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

Deleted [l.46] : keyword = "babylon.com",

*************************

AdwCleaner[R1].txt - [11659 octets] - [15/08/2013 10:41:41]
AdwCleaner[R2].txt - [11720 octets] - [15/08/2013 10:42:35]
AdwCleaner[R3].txt - [11781 octets] - [15/08/2013 10:57:14]
AdwCleaner[S1].txt - [11898 octets] - [15/08/2013 10:57:49]

########## EOF - C:\AdwCleaner[S1].txt - [11959 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.4.6 (08.15.2013:1)
OS: Microsoft Windows XP x86
Ran by Heywang on Thu 08/15/2013 at 11:03:24.81
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-220322322254}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{66666666-6666-6666-6666-660366326654}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Interface\{66666666-6666-6666-6666-660366326654}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Documents and Settings\Heywang\Local Settings\Application Data\cre"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 08/15/2013 at 11:06:14.75
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.15.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Heywang :: HAYWANG_LAPTOP [administrator]

8/15/2013 11:12:04 AM
mbam-log-2013-08-15 (11-12-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 244398
Time elapsed: 9 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

So far, computer runs great.... Thanks a lot for your help.
MrCharlie Posted August 15, 2013 ID:715458

Good...... Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
If you get "Unsupported operating system. Aborting now", just reboot and try again.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.
Do Not Attach It!!!

MrC
dusktilldawnll Posted August 15, 2013 Author ID:715555

Unfortunately, I don't think I got rid of it. When I got home a short time ago, I was on the internet and a "setup.exe" popped up in my download folder.... Knowing it was nothing I did, I ran malware and this showed up....

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.15.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 7.0.5730.13
Heywang :: HAYWANG_LAPTOP [administrator]

8/15/2013 1:34:43 PM
MBAM-log-2013-08-15 (15-43-46).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 330096
Time elapsed: 1 hour(s), 6 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
D:\My Documents\Downloads\Setup.exe (PUP.Optional.Solimba) -> No action taken.

(end)
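The log in the post above ends with one detection marked "No action taken", which is exactly the kind of entry that comes back on the next scan. As an added example (written for this thread; it is not part of Malwarebytes or any tool mentioned here), the following Python script parses the MBAM 1.x log layout quoted throughout the thread: it checks that each "... Detected: N" header agrees with the entries listed under it, lists detections whose action left the object in place, and tallies detections by threat name. The regular expressions and function names are my own assumptions about the format, derived only from the logs quoted in this thread; SAMPLE_LOG is a constructed, abridged log built from those lines.

```python
"""Parse Malwarebytes Anti-Malware 1.x scan logs and flag unresolved detections.

Added example for this thread; it is not part of Malwarebytes or any of the
tools mentioned above. The layout it expects (section headers such as
"Files Detected: 1", then one entry per line of the form
"<object> (<threat name>) -> <action>.") is an assumption taken from the logs
quoted in this thread. SAMPLE_LOG below is a constructed, abridged log.
"""
import re
from collections import Counter

# "Files Detected: 2", "Registry Keys Detected: 0", ...
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "D:\...\Setup.exe (PUP.Optional.Solimba) -> No action taken."
ENTRY_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# Actions after which the detected object is still present on the system.
UNRESOLVED_ACTIONS = {"No action taken"}

# Constructed sample: header lines and entries copied from the logs in this
# thread, trimmed to a few sections.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.15.04

Scan type: Full scan (C:\|D:\|)
Objects scanned: 330096

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311321154} (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0033254.BHO.1 (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.

Files Detected: 2
D:\My Documents\Downloads\Setup.exe (PUP.Optional.Solimba) -> No action taken.
C:\Program Files\Safe Saver\Safe Saver-bho.dll (PUP.Optional.CrossRider) -> Quarantined and deleted successfully.

(end)
"""


def parse_mbam_log(text):
    """Return {section: [(object, threat, action), ...]} for every
    "... Detected: N" section in the log; clean sections map to []."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            sections[current] = []
            continue
        if current is None or line == "(No malicious items detected)":
            continue  # scan header, or a clean section's placeholder line
        m = ENTRY_RE.match(line)
        if m:
            sections[current].append((m.group("obj"), m.group("threat"), m.group("action")))
    return sections


def declared_counts(text):
    """Counts the log claims in its section headers, e.g. {"Files": 2}."""
    matches = map(SECTION_RE.match, (ln.strip() for ln in text.splitlines()))
    return {m.group("section"): int(m.group("count")) for m in matches if m}


def count_mismatches(text):
    """(section, declared, parsed) for sections whose entries disagree with
    the header; a non-empty result means the log is truncated or hand-edited."""
    parsed = parse_mbam_log(text)
    return [(sec, n, len(parsed.get(sec, []))) for sec, n in declared_counts(text).items()
            if len(parsed.get(sec, [])) != n]


def unresolved(sections):
    """Detections whose action left the object in place: these are the
    items that will be reported again on the next scan."""
    return [(sec, obj, threat) for sec, entries in sections.items()
            for obj, threat, action in entries if action in UNRESOLVED_ACTIONS]


def threat_families(sections):
    """How many detections each threat name accounts for, across sections."""
    return Counter(threat for entries in sections.values() for _, threat, _ in entries)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for sec, n_declared, n_found in count_mismatches(SAMPLE_LOG):
        print(f"WARNING {sec}: header says {n_declared}, parsed {n_found}")
    for sec, obj, threat in unresolved(found):
        print(f"STILL PRESENT [{sec}] {threat}: {obj}")
    print(dict(threat_families(found)))
```

To use it on a real scan, read the mbam-log-*.txt file into a string and pass it to the same functions. The count check matters when a log is pasted into a forum post: if the header says "Files Detected: 2" but only one entry survived the copy, the parser reports it instead of silently trusting the header.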
MrCharlie Posted August 15, 2013 ID:715566

As databases get updated you're going to find leftovers. What symptoms do you have??

MrC
dusktilldawnll Posted August 15, 2013 Author ID:715583

No symptoms.. I just saw the setup.exe pop up on the bottom of the screen.... Computer is still running fine. Here is the Security Check info:

Results of screen317's Security Check version 0.99.72
Windows XP Service Pack 3 x86
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
Java 6 Update 20
Java 7 Update 25
Adobe Flash Player 11.6.602.171
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (3.6.28) Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
MrCharlie Posted August 15, 2013 ID:715591

Outdated programs on the system are vulnerable to malware. Please update or uninstall them:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Java™ 6 Update 20 <---please uninstall from your add/remove programs
Java 7 Update 25 <---OK
--------------------------------------------------
Adobe Reader 9 Adobe Reader out of Date! <---please check for an update if available, or uninstall and download and install Foxit Reader, which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).
-------------------------------------------------
Mozilla Firefox (3.6.28) Firefox out of Date! <---please check for an update if available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A little cleanup to do....

Please uninstall ComboFix (if you used it):
Press the Windows logo key + R to bring up the "run box".
Copy and paste the next command in the field:
ComboFix /uninstall
Make sure there's a space between ComboFix and /
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.
(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall, or download and run the uninstaller.)
---------------------------------
If you used DeFogger to disable your CD Emulation drivers, please re-enable them.
-------------------------------
Please download OTC to your desktop.
http://oldtimer.geekstogo.com/OTC.exe
Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process; choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.
Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....
AdwCleaner > just run the program and click uninstall.
-------------------------------
Any questions...please post back.
If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.
Take a look at My Preventive Maintenance to avoid being infected again. (may be down right now)

Good Luck and Thanks for using the forum, MrC
Maurice Naggar Posted August 16, 2013 ID:715944

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.