
Desktop Icons & Start Button Disappeared, Trojan.Agent Found



Hello. My entire desktop disappeared, including Start button.  Since I cannot bring up the login screen using my own account, I am accessing the internet through another user name and account I previously set up (as Administrator) in the same computer. MBAM scan showed Trojan.Agent.RDN in the registry key and Trojan.Agent.TPL in files. Cleaned and rebooted but no changes.   

 

Can I unhide and recover my desktop?  Below is the log. 

 

Thank you,

moonshadow.

==================================== 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.14.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Kazuyo :: DFB69GJ1 [limited]

Protection: Enabled

2013/10/14 9:39:07
MBAM-log-2013-10-14 (09-56-56) SAVE SS 131014-0955AM.txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 255714
Time elapsed: 16 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\CLSID\{28949824-6737-0594-0930-223283753445} (Trojan.Agent.RDN) -> No action taken.
HKCR\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F} (Trojan.Agent.RDN) -> No action taken.
HKCR\FDEIconOverlay.EnabledUnlockedFDEIconOverlay (Trojan.Agent.RDN) -> No action taken.
HKCR\*\shellex\ContextMenuHandlers\{28949824-6737-0594-0930-223283753445} (Trojan.Agent.RDN) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
c:\documents and settings\sshiigi\local settings\temporary internet files\content.ie5\2r6ce5nz\soskapiska[1].dll (Trojan.Agent.RDN) -> No action taken.
c:\documents and settings\sshiigi\templates\2433f433 (Trojan.Agent.TPL) -> No action taken.
C:\Documents and Settings\All Users\Application Data\2433f433 (Trojan.Agent.TPL) -> No action taken.

(end)

   


As previously stated, since my Desktop icons & Start are hidden because of this bug, I cannot log on through my username.  Through another user account, I've accessed the internet to reach the MBAM forum.  The logs show the file path under docs & settings of "sshiigi" (Administrator's user name) and I hope it will be helpful.  After rerunning MBAM again, the Trojan.Agent RDN and TPL reappeared.  I do not know what to do but I suppose the first step is to enable proper login by recovering the desktop.  For what it's worth, here's the 2nd log.

 

moonshadow

==================================== 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.14.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Kazuyo :: DFB69GJ1 [limited]

Protection: Enabled

2013/10/14 14:28:27
mbam-log-2013-10-14 (14-28-27).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 313649
Time elapsed: 53 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\CLSID\{28949824-6737-0594-0930-223283753445} (Trojan.Agent.RDN) -> Delete on reboot.
HKCR\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F} (Trojan.Agent.RDN) -> Delete on reboot.
HKCR\FDEIconOverlay.EnabledUnlockedFDEIconOverlay (Trojan.Agent.RDN) -> Delete on reboot.
HKCR\*\shellex\ContextMenuHandlers\{28949824-6737-0594-0930-223283753445} (Trojan.Agent.RDN) -> Delete on reboot.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
c:\documents and settings\sshiigi\local settings\temporary internet files\content.ie5\2r6ce5nz\soskapiska[1].dll (Trojan.Agent.RDN) -> Delete on reboot.
c:\documents and settings\sshiigi\templates\2433f433 (Trojan.Agent.TPL) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\2433f433 (Trojan.Agent.TPL) -> Delete on reboot.

(end)


Installed Unhide in the accessible but separate user account.  To clarify, the hidden desktop is my account, "sshiigi" (administrator).  Tried to restart the sshiigi username but stopped at a DOS black screen showing:  "c:\Documents & Settings\sshiigi\Local settings\Temporary Internet Files\Content.IE5\2R6CE5NZ\SOSKAPISKA[1].exe" is not recognized as an internal or external command, operable program or batch file.

 

c:Documents & Settings\sshiigi>_  

 

Startup stopped here with the cursor blinking.  Should Unhide be installed in sshiigi?  How, if the desktop & Start are not visible? MBAM found Trojan.Agent.RDN in the registry key and Trojan.Agent.TPL in files. 


See if you can do this:

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

MrC


Ran RogueKiller in alternate "Kazuyo" username since sshiigi desktop is inaccessible. 

 

 

RogueKiller V8.7.3 [Oct 15 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Kazuyo [Restricted rights]
Mode : Scan -- Date : 10/15/2013 09:30:27
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] SearchProtection.exe -- C:\Documents and Settings\All Users\Application Data\Search Protection\SearchProtection.exe [7] -> KILLED [TermProc]
[SUSP PATH] cltmng.exe -- C:\Documents and Settings\Kazuyo\Application Data\SearchProtect\bin\cltmng.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Kazuyo\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : SearchProtection (C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat [-]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : ShopAtHomeWatcher (C:\Documents and Settings\sshiigi\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe [x]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : ShopAtHomeUpdater (C:\Documents and Settings\sshiigi\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeUpdater.exe [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-988371609-370694437-2419706928-1007\[...]\Run : SearchProtect (C:\Documents and Settings\Kazuyo\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[BROK VAL] HKCR\[...]\command :  () -> MISSING

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x2] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

Finished : << RKreport[0]_S_10152013_093027.txt >>


Please download Farbar Recovery Scan Tool and save it to a folder. (use correct version for your system)

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
MrC

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 03-10-2013
Ran by Kazuyo at 2013-10-15 11:29:56
Running from C:\Documents and Settings\Kazuyo\My Documents\2Scott\Computer\Farbar Recovery
Boot Mode: Normal
==========================================================

 

==================== Security Center ========================

AV: Lavasoft Ad-Aware (Disabled - Up to date) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Lavasoft Ad-Aware (Disabled) {FF1CD5B7-1553-4625-A258-1775385CED33}

==================== Installed Programs ======================

7300 (Version: 47.0.1.000)
7300_Help (Version: 47.0.1.000)
7300Trb (Version: 47.0.1.000)
Acrobat.com (Version: 0.0.0)
Acrobat.com (Version: 1.1.377)
Ad-Aware Antivirus (Version: 10.5.2.4379)
Ad-Aware Security Add-on (Version: 2.5.0.6)
Adobe AIR (Version: 1.0.4990)
Adobe AIR (Version: 1.0.8.4990)
Adobe Flash Player 11 ActiveX (Version: 11.9.900.117)
Adobe Flash Player 11 Plugin (Version: 11.6.602.180)
Adobe Reader XI (11.0.05) (Version: 11.0.05)
Adobe Shockwave Player 11 (Version: 11)
AiO_Scan (Version: 47.0.1.000)
AiOSoftware (Version: 47.0.1.000)
All Day Battery Life Configuration (Version: 1.1.0)
AnswerWorks 4.0 Runtime - English (Version: 4.0.101)
AnswerWorks 5.0 English Runtime (Version: 008.000.0003)
AnswerWorks 5.0 English Runtime (Version: 5.0.7)
BioAPI Framework (Version: 1.0.1)
biolsp patch (Version: 01.00.02.0005)
Broadcom USH Host Components (Version: 1.6.8.12)
Brother MFL-Pro Suite MFC-9970CDW (Version: 1.0.2.0)
BufferChm (Version: 45.4.157.000)
CCleaner (Version: 4.00)
Compatibility Pack for the 2007 Office system (Version: 12.0.6612.1000)
Copy (Version: 45.4.157.000)
Coupon Printer for Windows (Version: 5.0.0.1)
CP_AtenaShokunin1Config (Version: 45.4.131.000)
cp_dwShrek2Albums1 (Version: 45.4.157.000)
cp_dwShrek2Cards1 (Version: 45.4.157.000)
CreativeProjects (Version: 45.4.157.000)
CreativeProjectsTemplates (Version: 45.4.157.000)
CueTour (Version: 45.4.157.000)
CutePDF Writer 2.8
Dell Control Point (Version: 1.2.4)
Dell ControlPoint Connection Manager (Version: 1.1.1)
Dell ControlPoint Security Manager (Version: 1.2.4)
Dell ControlPoint System Manager (Version: 1.1.00000)
Dell Embassy Trust Suite by Wave Systems (Version: 03.00.01.003)
Dell Security Device Driver Pack (Version: 1.01.30)
Dell Touchpad (Version: 7.2.101.215)
Dell Webcam Central (Version: 1.01.04)
Destinations (Version: 45.4.157.000)
Director (Version: 45.4.157.000)
DocProc (Version: 4.5.0.0)
Document Manager Lite (Version: 06.07.00.104)
DocumentViewer (Version: 45.4.157.000)
EMBASSY Security Center (Version: 03.07.00.074)
EMBASSY Security Setup (Version: 03.07.00.057)
eReg (Version: 1.20.138.34)
ERUNT 1.1j
ESC Home Page Plugin (Version: 03.02.00.028)
Fax (Version: 47.0.1.000)
Gemalto (Version: 01.00.00.0010)
GIMP 2.6.11 (Version: 2.6.11)
Google Chrome (Version: 30.0.1599.69)
Google Chrome Frame (Version: 30.0.1599.69)
Google Earth (Version: 7.1.1.1888)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.5.4601.54)
Google Update Helper (Version: 1.3.21.165)
Google Updater (Version: 2.4.2432.1652)
HP Image Zone 4.7 (Version: 4.7)
HP Product Assistant (Version: 2.0.0.0)
HP PSC & OfficeJet 4.7
HP Software Update (Version: 3.0.2.991)
HPSystemDiagnostics (Version: 1.6.0.0)
InstantShare (Version: 45.4.157.000)
Integrated Webcam Driver (1.08.01.0129)   (Version: 1.08.01.0129)
Intel PROSet Wireless
Intel® Network Connections 13.0.42.0 (Version: 13.0.42.0)
Intel® PRO Alerting Agent (Version: 12.0.3)
Intel® PROSet/Wireless WiFi Software (Version: 12.00.4000)
Intel® Matrix Storage Manager
Japanese Fonts Support For Adobe Reader 9 (Version: 9.0.0)
Java 7 Update 25 (Version: 7.0.250)
Java Auto Updater (Version: 2.1.9.5)
Junk Mail filter update (Version: 14.0.8089.726)
KeyBar 1.22 Toolbar for IE (Version: 6.17.0.33)
K-Lite Codec Pack 7.0.0 (Standard) (Version: 7.0.0)
Logitech SetPoint 6.32 (Version: 6.32.20)
Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
Memeo Instant Backup (Version: 4.60.0.7876)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2698023)
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Choice Guard (Version: 2.0.48.0)
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office File Validation Add-In (Version: 14.0.5130.5003)
Microsoft Office Live Add-in 1.5 (Version: 2.0.4024.1)
Microsoft Office Outlook Connector (Version: 12.0.6423.1000)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Silverlight (Version: 5.1.20125.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Sync Framework Runtime Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Sync Framework Services Native v1.0 (x86) (Version: 1.0.1215.0)
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Works 6-9 Converter (Version: 9.7.0621)
Mozilla Firefox 20.0.1 (x86 en-US) (Version: 20.0.1)
Mozilla Maintenance Service (Version: 20.0.1)
MSVCRT (Version: 14.0.1468.721)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 4.0 SP3 Parser (KB2721691) (Version: 4.30.2114.0)
MSXML 4.0 SP3 Parser (KB2758694) (Version: 4.30.2117.0)
MSXML 4.0 SP3 Parser (KB973685) (Version: 4.30.2107.0)
MSXML 4.0 SP3 Parser (Version: 4.30.2100.0)
MSXML 6.0 Parser (KB933579) (Version: 6.10.1200.0)
NTRU TCG Software Stack (Version: 2.1.27)
Nuance PaperPort 12 (Version: 12.1.0000)
Nuance PDF Viewer Plus (Version: 5.30.3290)
NVIDIA Drivers
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0)
Open Freely (Version: 1.0)
PanoStandAlone (Version: 45.4.157.000)
PaperPort Image Printer (Version: 1.00.0001)
PhotoGallery (Version: 45.4.157.000)
PowerDVD (Version: 8.1)
Preboot Manager (Version: 2.4.0.244)
Private Information Manager (Version: 06.02.00.053)
ProductContext (Version: 47.0.1.000)
QFolder (Version: 1.00.0000)
Quicken 2008 (Version: 17.1.4.11)
QuickTime
Readme (Version: 47.0.1.000)
Roxio Activation Module (Version: 1.0)
Roxio Creator Audio (Version: 3.5.0)
Roxio Creator BDAV Plugin (Version: 3.5.0)
Roxio Creator Copy (Version: 3.5.0)
Roxio Creator Data (Version: 3.5.0)
Roxio Creator DE (Version: 3.5.0)
Roxio Creator Tools (Version: 3.5.0)
Roxio Drag-to-Disc (Version: 9.1)
Roxio Express Labeler 3 (Version: 3.2.1)
Roxio Update Manager (Version: 6.0.0)
Scan (Version: 4.5.0.0)
ScannerCopy (Version: 4.5.0.0)
Scansoft PDF Professional
Seagate Dashboard (Version: 1.1.0.1548)
Search Protect by conduit (Version: 1.7.0.72)
Secure Update (Version: 05.05.00.015)
Security Wizards (Version: 01.05.00.039)
Segoe UI (Version: 14.0.4327.805)
SkinsHP1 (Version: 45.4.157.000)
Skype Click to Call (Version: 6.9.12585)
Skype™ 6.6 (Version: 6.6.106)
Sonic CinePlayer Decoder Pack (Version: 4.2.0)
SUPERAntiSpyware Free Edition (Version: 4.26.0.1004)
TrayApp (Version: 45.4.157.000)
Trusted Drive Manager (Version: 2.4.0.276)
tsp patch (Version: 01.00.00.0000)
TurboTax 2008
TurboTax 2008 whiiper (Version: 008.000.0121)
TurboTax 2008 WinPerFedFormset (Version: 008.000.0341)
TurboTax 2008 WinPerProgramHelp (Version: 008.000.0219)
TurboTax 2008 WinPerReleaseEngine (Version: 008.000.0197)
TurboTax 2008 WinPerTaxSupport (Version: 008.000.1007)
TurboTax 2008 WinPerUserEducation (Version: 008.000.0433)
TurboTax 2008 wrapper (Version: 008.000.0065)
TurboTax 2009
TurboTax 2009 whiiper (Version: 009.000.0748)
TurboTax 2009 WinPerFedFormset (Version: 009.000.2881)
TurboTax 2009 WinPerReleaseEngine (Version: 009.000.0328)
TurboTax 2009 WinPerTaxSupport (Version: 009.000.0245)
TurboTax 2009 wrapper (Version: 009.000.0145)
TurboTax Home & Business 2007
Type to Learn 4
U3Launcher (Version: 1.0.0)
Unload (Version: 4.5.0)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 8 (KB971930) (Version: 1)
Update for Windows Internet Explorer 8 (KB976662) (Version: 1)
Update for Windows Internet Explorer 8 (KB976749) (Version: 1)
Update for Windows Internet Explorer 8 (KB980182) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2616676-v2) (Version: 2)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2661254-v2) (Version: 2)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB2736233) (Version: 1)
Update for Windows XP (KB2749655) (Version: 1)
Update for Windows XP (KB898461) (Version: 1)
Update for Windows XP (KB951618-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB961503) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (Version: 9.0.30729.01)
Wave Infrastructure Installer (Version: 06.00.34.0000)
Wave Support Software (Version: 05.08.00.052)
WD Diagnostics (Version: 1.09.0002)
WebFldrs XP (Version: 9.50.7523)
WebReg (Version: 45.4.157.000)
WIDCOMM Bluetooth Software (Version: 5.5.0.3208)
Windows Driver Package - Dell Inc. PBADRV System  (01/07/2008 1.0.1.5) (Version: 01/07/2008 1.0.1.5)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.8.0031.9)
Windows Internet Explorer 7 (Version: 20070813.185237)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live Call (Version: 14.0.8064.0206)
Windows Live Communications Platform (Version: 14.0.8064.206)
Windows Live Essentials (Version: 14.0.8089.0726)
Windows Live Essentials (Version: 14.0.8089.726)
Windows Live Mail (Version: 14.0.8089.0726)
Windows Live Messenger (Version: 14.0.8089.0726)
Windows Live OneCare safety scanner
Windows Live Photo Gallery (Version: 14.0.8081.709)
Windows Live Sign-in Assistant (Version: 5.000.818.5)
Windows Live Sync (Version: 14.0.8089.726)
Windows Live Toolbar (Version: 14.0.8064.206)
Windows Live Upload Tool (Version: 14.0.8014.1029)
Windows Live Writer (Version: 14.0.8089.0726)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation (Version: 3.0.6920.0)
Windows Search 4.0 (Version: 04.00.6001.503)
Windows Small Business Server 2011 Standard ClientAgent (Version: 6.1.7900.1)
Windows Small Business Server 2011 Standard WMI Provider (Version: 6.1.7900.1)
XML Paper Specification Shared Components Pack 1.0

==================== Restore Points  =========================

Could not list Restore Points.

==================== Hosts content: ==========================

2008-04-25 06:16 - 2013-03-30 06:46 - 00000027 ____A C:\WINDOWS\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: C:\WINDOWS\Tasks\Ad-Aware Antivirus Scheduled Scan.job => ?
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => ?
Task: C:\WINDOWS\Tasks\Google Software Updater.job => ?
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => ?
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => ?
Task: C:\WINDOWS\Tasks\User_Feed_Synchronization-{FA4994F7-D9D9-49BE-BF8A-1123A84B76A0}.job => C:\WINDOWS\system32\msfeedssync.exe

==================== Loaded Modules (whitelisted) =============

2007-07-23 11:04 - 2007-07-23 11:04 - 00068080 ____N () C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
2008-05-14 13:40 - 2008-05-14 13:40 - 00262144 ____N () C:\WINDOWS\system32\wxvault.dll
2009-02-27 11:11 - 2008-08-27 14:07 - 00466944 ____N () C:\WINDOWS\system32\nvshell.dll
2008-08-15 04:46 - 2008-08-15 04:46 - 02854912 ____N () C:\WINDOWS\system32\btwicons.dll
2008-08-18 07:12 - 2008-08-18 07:12 - 00098304 ____N () C:\Program Files\Dell\Dell ControlPoint\SmithMicro.Common.dll
2008-08-18 07:12 - 2008-08-18 07:12 - 00016384 ____N () C:\Program Files\Dell\Dell ControlPoint\Dell.DcpPlugin.dll
2008-07-28 14:03 - 2008-07-28 14:03 - 00010752 ____N () C:\WINDOWS\system32\Wavx_ESC_Logging.dll
2008-03-10 11:51 - 2008-03-10 11:51 - 00004608 ____N () C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\TspPopup_JPN.dll
2008-10-01 00:29 - 2008-10-01 00:29 - 00098304 ____N () C:\Program Files\Dell\Dell ControlPoint\Connection Manager\UCMPlugin\SmithMicro.Common.dll
2008-10-01 00:24 - 2008-10-01 00:24 - 00098304 ____N () C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.Common.dll
2008-10-01 00:24 - 2008-10-01 00:24 - 00200704 ____N () C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.Application.dll
2008-10-01 00:26 - 2008-10-01 00:26 - 03567616 ____N () C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.SharedUI.dll
2008-10-01 00:26 - 2008-10-01 00:26 - 01724416 ____N () C:\Program Files\Dell\Dell ControlPoint\Connection Manager\ja\Dell.SharedUI.resources.dll
2008-10-01 00:24 - 2008-10-01 00:24 - 00077824 ____N () C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.Message.dll
2008-10-01 00:25 - 2008-10-01 00:25 - 00028672 ____N () C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.VpnController.dll
2008-10-01 00:25 - 2008-10-01 00:25 - 00040960 ____N () C:\Program Files\Dell\Dell ControlPoint\Connection Manager\VpnWrapper.dll
2008-10-01 00:25 - 2008-10-01 00:25 - 00028672 ____N () C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.AsyncOperations.dll
2011-10-06 23:41 - 2011-10-06 23:41 - 00879896 _____ () C:\Program Files\Logitech\SetPointP\Macros\MacroCore.dll
2008-04-25 06:16 - 2008-04-14 02:00 - 00059904 _____ () C:\WINDOWS\system32\devenum.dll
2008-04-25 06:16 - 2008-04-14 02:00 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
2008-04-25 06:16 - 2013-01-01 20:49 - 01292288 _____ () C:\WINDOWS\system32\quartz.dll
2010-12-10 15:50 - 2010-12-10 15:50 - 02896608 _____ () C:\Program Files\Memeo\AutoBackup\Memeo.Client.UI.dll
2010-12-10 15:50 - 2010-12-10 15:50 - 00026848 _____ () C:\Program Files\Memeo\AutoBackup\Memeo.Client.DriveDetection.dll
2010-03-22 12:59 - 2010-03-22 12:59 - 00504293 _____ () C:\Program Files\Memeo\AutoBackup\sqlite3.dll
2013-03-17 16:02 - 2013-03-17 16:02 - 03391488 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_e97e1748\mscorlib.dll
2013-03-17 16:02 - 2013-03-17 16:02 - 03035136 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_041cb938\system.windows.forms.dll
2013-03-17 16:02 - 2013-03-17 16:02 - 01966080 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_6ece45b0\system.dll
2013-03-17 16:02 - 2013-03-17 16:02 - 00843776 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system.drawing\1.0.5000.0__b03f5f7f11d50a3a_f841a956\system.drawing.dll
2013-03-17 16:02 - 2013-03-17 16:02 - 02088960 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_8c229c00\system.xml.dll
2009-07-07 07:40 - 2011-03-27 18:59 - 00117760 _____ () C:\Documents and Settings\Kazuyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-15 00:26 - 2010-05-15 00:26 - 00052224 ____N () C:\Documents and Settings\Kazuyo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

==================== Alternate Data Streams (whitelisted) =========

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service => ""="Ad-Aware Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Ad-Aware Service => ""="Ad-Aware Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (10/15/2013 09:29:48 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/15/2013 09:29:48 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/15/2013 09:29:47 AM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/15/2013 07:32:41 AM) (Source: .NET Runtime 2.0 Error Reporting) (User: )
Description: EventType clr20r3, P1 d2m-precheck.exe, P2 1.0.0.0, P3 521df46f, P4 d2m-precheck, P5 1.0.0.0, P6 521df46f, P7 22, P8 31, P9 clr20r30, P10 clr20r31.

Error: (10/15/2013 07:19:27 AM) (Source: LoadPerf) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Error: (10/15/2013 07:19:27 AM) (Source: LoadPerf) (User: )
Description: The performance strings in the Performance registry value is corrupted when
process Performance extension counter provider. BaseIndex value from Performance
registry is the first DWORD in Data section, LastCounter value is the second
DWORD in Data section, and LastHelp value is the third DWORD in Data section.

Error: (10/15/2013 07:06:04 AM) (Source: LoadPerf) (User: )
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The
Error code is the first DWORD in Data section.

Error: (10/15/2013 07:06:04 AM) (Source: LoadPerf) (User: )
Description: The performance strings in the Performance registry value is corrupted when
process Performance extension counter provider. BaseIndex value from Performance
registry is the first DWORD in Data section, LastCounter value is the second
DWORD in Data section, and LastHelp value is the third DWORD in Data section.

Error: (10/15/2013 07:02:19 AM) (Source: Userenv) (User: NT AUTHORITY)
Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Error: (10/15/2013 07:01:35 AM) (Source: AutoEnrollment) (User: )
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b).  The specified domain either does not exist or could not be contacted.
  Enrollment will not be performed.

System errors:
=============
Error: (10/15/2013 11:01:37 AM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain CBCI due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Error: (10/15/2013 10:55:58 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 239 minutes.
NtpClient has no source of accurate time.

Error: (10/15/2013 08:51:15 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 119 minutes.
NtpClient has no source of accurate time.

Error: (10/15/2013 07:47:18 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 60 minutes.
NtpClient has no source of accurate time.

Error: (10/15/2013 07:34:49 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{BA126AD1-2166-11D1-B1D0-00805FC1270E}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20).  This security permission can be modified using the Component Services administrative tool.

Error: (10/15/2013 07:16:38 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 29 minutes.
NtpClient has no source of accurate time.

Error: (10/15/2013 07:01:58 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
SBRE

Error: (10/15/2013 07:01:37 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 15 minutes.
NtpClient has no source of accurate time.

Error: (10/15/2013 07:01:37 AM) (Source: W32Time) (User: )
Description: The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 14 minutes.
NtpClient has no source of accurate time.

Error: (10/15/2013 07:01:35 AM) (Source: NETLOGON) (User: )
Description: No Domain Controller is available for domain CBCI due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Microsoft Office Sessions:
=========================
Error: (10/15/2013 09:29:48 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/15/2013 09:29:48 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/15/2013 09:29:47 AM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Error: (10/15/2013 07:32:41 AM) (Source: .NET Runtime 2.0 Error Reporting)(User: )
Description: clr20r3d2m-precheck.exe1.0.0.0521df46fd2m-precheck1.0.0.0521df46f2231system.io.fileloadexceptionNIL

Error: (10/15/2013 07:19:27 AM) (Source: LoadPerf)(User: )
Description: WmiApRplWmiApRpl

Error: (10/15/2013 07:19:27 AM) (Source: LoadPerf)(User: )
Description: Performance

Error: (10/15/2013 07:06:04 AM) (Source: LoadPerf)(User: )
Description: WmiApRplWmiApRpl

Error: (10/15/2013 07:06:04 AM) (Source: LoadPerf)(User: )
Description: Performance

Error: (10/15/2013 07:02:19 AM) (Source: Userenv)(User: NT AUTHORITY)
Description: The specified domain either does not exist or could not be contacted.

Error: (10/15/2013 07:01:35 AM) (Source: AutoEnrollment)(User: )
Description: local system0x8007054bThe specified domain either does not exist or could not be contacted.

==================== Memory info ===========================

Percentage of memory in use: 54%
Total physical RAM: 2035.83 MB
Available physical RAM: 934.37 MB
Total Pagefile: 3927.79 MB
Available Pagefile: 2377.68 MB
Total Virtual: 2047.88 MB
Available Virtual: 1900.96 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:232.75 GB) (Free:152.44 GB) NTFS ==>[Drive with boot components (Windows XP)]

==================== MBR & Partition Table ==================

==================== End Of Log ============================


I tried safe mode right after the initial incident but the desktop was hidden.  I should have some good restore points.  Do you want me to log out of the Kazuyo user and try to log back into sshiigi (administrator)?  I haven't attempted to log into sshiigi since we started this fix, so I don't know its current state.  None of the bugs found by RogueKiller have been cleaned yet - I closed it as instructed.

Please let me know what I should do next.


You can have RogueKiller fix these:

Run RogueKiller again and click Scan

When the scan completes > click on the Registry tab

Put a check next to all of these and uncheck the rest: (if found)

[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Kazuyo\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND

[RUN][SUSP PATH] HKLM\[...]\Run : SearchProtection (C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat [-]) -> FOUND

[RUN][SUSP PATH] HKLM\[...]\Run : ShopAtHomeWatcher (C:\Documents and Settings\sshiigi\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe [x]) -> FOUND

[RUN][SUSP PATH] HKLM\[...]\Run : ShopAtHomeUpdater (C:\Documents and Settings\sshiigi\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeUpdater.exe [x]) -> FOUND

[RUN][SUSP PATH] HKUS\S-1-5-21-988371609-370694437-2419706928-1007\[...]\Run : SearchProtect (C:\Documents and Settings\Kazuyo\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND

[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[BROK VAL] HKCR\[...]\command : () -> MISSING

Now click Delete on the right hand column under Options

-------------

See if there's any difference, if not.....

Try system restore.

MrC

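The list MrC ticked above comes from reading each RogueKiller line for the same tells: a Run value whose target sits under a user's Application Data rather than Program Files, a `.bat` launcher, a target marked as no longer present, and a policy value (DisableRegistryTools) that RogueKiller reports as a PUM. The script below is an added example, not RogueKiller's, ComboFix's or MrC's code, that applies those checks to the lines quoted in this thread and to the `"Name"="path" [..]` lines ComboFix prints under Reg Loading Points further down. The weights and the short family list are this example's own, and RogueKiller's bracketed file flags are not explained on the page, so only `[x]` is interpreted, as "file not found".

```python
"""Triage autorun entries from RogueKiller and ComboFix report lines.

Added example for this thread; not RogueKiller's, ComboFix's or MrC's code.
The sample lines are taken from the reports posted in the thread (RogueKiller
prints the tags as [SUSP PATH] / [BROK VAL]). The weights are this example's
own heuristics, not either tool's verdict; RogueKiller's bracketed file flags
are not documented on the page, so only [x] is used here, as "file not found".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# RogueKiller: [RUN][SUSP PATH] HKLM\[...]\Run : Name (path [flag]) -> FOUND
RK_LINE = re.compile(
    r"^(?P<tags>(?:\[[A-Z ]+\])+)\s+(?P<key>\S+)\s+:\s+(?P<name>[^(]*?)\s*"
    r"\((?P<inner>.*)\)\s+->\s+(?P<state>\w+)$"
)
RK_INNER = re.compile(r"^(?P<path>.*?)(?:\s+\[(?P<flag>[^\]]*)\])?$")
# ComboFix "Reg Loading Points": a [HKEY_...] header, then "Name"="path" [date size] or [X]
CF_KEY = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
CF_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s+\[(?P<flag>[^\]]*)\]$')

# Families the reports in this thread already identified; not a general PUP list.
THREAD_FAMILIES = ("searchprotect", "search protection", "shopathome",
                   "pricegong", "sweetpacks", "conduit")


@dataclass
class Entry:
    key: str
    name: str
    path: str
    flag: str
    tags: str = ""  # RogueKiller's [RUN][SUSP PATH] prefix; empty for ComboFix lines


def parse_report(text: str) -> list[Entry]:
    """Turn RogueKiller registry lines and ComboFix Run-key blocks into Entry records."""
    entries: list[Entry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := RK_LINE.match(line):
            inner = RK_INNER.match(m["inner"])
            entries.append(Entry(m["key"], m["name"], inner["path"], inner["flag"] or "", m["tags"]))
        elif m := CF_KEY.match(line):
            current_key = m["key"]
        elif current_key and (m := CF_VALUE.match(line)):
            entries.append(Entry(current_key, m["name"], m["path"], m["flag"]))
    return entries


def score(e: Entry) -> tuple[int, list[str]]:
    """Weighted tells for one entry: (total, reasons). 0 means nothing notable."""
    p, n = e.path.lower(), e.name.lower()
    checks = [
        (3, "temporary internet files" in p or "\\temp\\" in p,
         "launches from the browser cache or a temp directory"),
        (1, re.search(r"\\documents and settings\\[^\\]+\\application data\\", p) is not None,
         "launches from a profile data directory rather than Program Files"),
        (1, p.endswith((".bat", ".cmd", ".vbs", ".js")), "launcher is a script"),
        (2, any(f in p or f in n for f in THREAD_FAMILIES), "family already identified in this thread"),
        (1, "SUSP PATH" in e.tags, "RogueKiller marked the path suspicious"),
        (3, "PUM" in e.tags or "HJ POL" in e.tags, "policy value set (e.g. DisableRegistryTools)"),
        (1, "BROK VAL" in e.tags, "broken or empty command value"),
        (1, e.flag.lower() == "x", "target file no longer exists (orphan)"),
    ]
    hits = [(w, why) for w, ok, why in checks if ok]
    return sum(w for w, _ in hits), [why for _, why in hits]


def triage(text: str) -> dict[str, str]:
    """Map 'key : name' to remove / review / keep, the call MrC made by hand above."""
    verdicts = {}
    for e in parse_report(text):
        total, _ = score(e)
        verdicts[f"{e.key} : {e.name or '(default)'}"] = (
            "remove" if total >= 3 else "review" if total else "keep")
    return verdicts


# Lines copied from the RogueKiller and ComboFix reports in this thread.
SAMPLE_REPORT = r"""
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Kazuyo\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : SearchProtection (C:\Documents and Settings\All Users\Application Data\Search Protection\_run.bat [-]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : ShopAtHomeWatcher (C:\Documents and Settings\sshiigi\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeWatcher.exe [x]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[BROK VAL] HKCR\[...]\command : () -> MISSING
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-06 222496]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-07 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"""

if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        total, reasons = score(e)
        print(f"{total:>2}  {e.key} : {e.name or '(default)'}")
        for why in reasons:
            print(f"      - {why}")
```

Run it with no arguments to triage the embedded sample: the three RogueKiller Run entries MrC selected and the DisableRegistryTools policy land in "remove", the Google toolbar notifier in "keep", and the orphaned Ad-Aware launcher and the FLEXnet updater in "review" for a human to decide.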

Ran RogueKiller and deleted items but was unable to log into sshiigi at all.  Desktop still hidden, and the same DOS black screen that previously appeared after running Unhide showed up again with the cursor blinking awaiting a command.

'"c:\Documents & Settings\sshiigi\Local settings\Temporary Internet Files\Content.IE5\2R6CE5NZ\SOSKAPISKA[1].exe"' is not recognized as an internal or external command, operable program or batch file.

c:\Documents & Settings\sshiigi>_

Is there a DOS command to get past this point?  Obviously, I cannot get to system restore either.

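A black window with a blinking cursor at logon means the normal shell did not start for that account, and before poking at it a responder wants to know what Winlogon is configured to run. The script below is an added example, not the poster's, MrC's or any tool's code, and the thread does not say which value had been altered on this machine. It parses saved `reg query` output for the Winlogon key (the two commands in the docstring run on XP without PowerShell) and flags a Shell or Userinit entry that is not the XP default or that points into a temp or browser-cache path. The sample output is constructed for the example.

```python
r"""Check what Winlogon is configured to launch at logon (Shell and Userinit).

Added example for this thread, not the poster's, MrC's or any tool's code.
The thread does not show which value had been changed on this machine; this
only reads the values Winlogon consults and flags one that is not the XP
default. It parses saved reg.exe output so the analysis can run off the
affected box. Capture it on the machine with (both work on XP):

    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" > winlogon.txt
    reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" >> winlogon.txt

SAMPLE_OUTPUT below is constructed for the example, not captured from the
thread's machine; the per-user Shell entry in it is made up.
"""
from __future__ import annotations

import re
import sys

KEY_RE = re.compile(r"^HK(?:EY_)?[A-Z_]+\\")  # reg.exe echoes the full hive name
VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

SAMPLE_OUTPUT = (
    "! REG.EXE VERSION 3.0\n\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
    "    DefaultUserName\tREG_SZ\tsshiigi\n"
    "    Shell\tREG_SZ\tExplorer.exe\n"
    "    Userinit\tREG_SZ\tC:\\WINDOWS\\system32\\userinit.exe,\n\n"
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
    "    Shell\tREG_SZ\tC:\\Documents and Settings\\user\\Local Settings\\Temp\\svc.exe\n"
)


def parse_reg_query(output: str) -> dict[str, dict[str, str]]:
    """{key: {value_name: data}} from reg.exe output; XP's tabs and later spaces both parse."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in output.splitlines():
        stripped = line.strip()
        if KEY_RE.match(stripped):
            current = stripped
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            keys[current][m["name"]] = m["data"].strip()
    return keys


def check_logon_values(keys: dict[str, dict[str, str]]) -> list[str]:
    """Findings about Shell/Userinit; an empty list means they look like XP defaults."""
    findings = []
    for key, values in keys.items():
        per_user = key.upper().startswith("HKEY_CURRENT_USER")
        shell, userinit = values.get("Shell"), values.get("Userinit")
        if per_user and shell is not None:
            # A default install has no per-user Shell; one here replaces Explorer for this user only.
            findings.append(f"per-user Shell override in {key}: {shell!r}")
        elif shell is not None and shell.strip().lower() != "explorer.exe":
            findings.append(f"machine Shell is not Explorer.exe: {shell!r}")
        if userinit is not None:
            # Default is one entry, C:\WINDOWS\system32\userinit.exe, with a trailing comma.
            parts = [x.strip().lower() for x in userinit.split(",") if x.strip()]
            if len(parts) != 1 or not parts[0].endswith("\\system32\\userinit.exe"):
                findings.append(f"Userinit is not the single default entry: {userinit!r}")
        for name, data in values.items():
            d = data.lower()
            if "temporary internet files" in d or "\\temp\\" in d or "cmd.exe" in d:
                findings.append(f"{name} in {key} points at a cache/temp path or cmd.exe: {data!r}")
    return findings


def main(argv: list[str]) -> int:
    """Analyse the file named in argv[1], or the constructed sample; exit 1 on findings."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_OUTPUT
    findings = check_logon_values(parse_reg_query(text))
    for f in findings:
        print("FINDING:", f)
    if not findings:
        print("Winlogon Shell/Userinit look like XP defaults")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

`check_logon_values()` returns an empty list for the default HKLM key; the constructed per-user Shell entry produces two findings (the override itself, and its path under a Temp directory). A per-user Shell value is reported even when it names Explorer.exe, because a default install has none and its presence is itself worth explaining.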

Please download OTL from one of the links below:

Save it to your desktop.

Double click on the icon on your desktop.

Click the Scan All Users checkbox.

Push the Quick Scan button.

The scan will take about 10 minutes; it depends on your hard drive size.

Two reports will open; copy and paste them in a reply here (or attach them as .txt files):

OTL.txt <-- Will be opened

Extra.txt <-- Will be minimized

MrC


Yes, I changed my mind and wanted you to run OTL first.

Let's run ComboFix now:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC


I managed to log back into my username & domain by typing an "exit" command at the DOS prompt on the black screen.  Desktop was still hidden and Task Manager showed no applications.  However, I used Task Manager's 'New Task' button and typed in "explorer."  Desktop was unhidden!  I was now able to run ComboFix as administrator.  Using the alternate username & domain, ComboFix did not recognize me as administrator and I was unable to run it.

=================================


ComboFix 13-10-15.02 - sshiigi 10/16/2013   6:24.6.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2036.1189 [GMT -10:00]
Running from: c:\documents and settings\sshiigi\Desktop\ComboFix.exe
AV: Lavasoft Ad-Aware *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Lavasoft Ad-Aware *Disabled* {FF1CD5B7-1553-4625-A258-1775385CED33}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\SearchProtect
c:\documents and settings\Administrator\Application Data\SearchProtect\bin\ChromeModule.dll
c:\documents and settings\Administrator\Application Data\SearchProtect\bin\cltmng.exe
c:\documents and settings\Administrator\Application Data\SearchProtect\bin\CltMngSvc.exe
c:\documents and settings\Administrator\Application Data\SearchProtect\bin\FirefoxModule.dll
c:\documents and settings\Administrator\Application Data\SearchProtect\bin\InternetExplorerModule.dll
c:\documents and settings\Administrator\Application Data\SearchProtect\bin\rep.dat
c:\documents and settings\Administrator\Application Data\SearchProtect\bin\SPHook32.dll
c:\documents and settings\Administrator\Application Data\SearchProtect\bin\SPHook64.dll
c:\documents and settings\Administrator\Application Data\SearchProtect\bin\SPRunner.exe
c:\documents and settings\Administrator\Application Data\SearchProtect\bin\SPTool64.exe
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\dialogsApi.js
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\lib\jquery.min.js
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\lib\json2.js
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spbd\bubble.css
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spbd\bubble.js
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spbd\images\information.png
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spbd\images\x-default-LTR.png
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spbd\images\x-default-RTL.png
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spbd\main.html
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spsd\images\ok-button.png
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spsd\images\separation-line.png
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spsd\images\warning.png
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spsd\main.html
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spsd\SearchProtector.css
c:\documents and settings\Administrator\Application Data\SearchProtect\Dialogs\spsd\settings.js
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\abstraction.js
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\application.js
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\dialogsApi.js
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\lib\jquery.min.js
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\lib\json2.js
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.css
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.js
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\information.png
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-LTR.png
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-RTL.png
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spbd\main.html
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\ok-button.png
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\separation-line.png
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\warning.png
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spsd\main.html
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spsd\SearchProtector.css
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\Dialogs\spsd\settings.js
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\nsprotector.js
c:\documents and settings\Administrator\Application Data\SearchProtect\ffprotect\popupTransparent.xul
c:\documents and settings\Administrator\Application Data\SearchProtect\Res\SPSetup.exe
c:\documents and settings\Kazuyo\Application Data\PriceGong
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\27472.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Kazuyo\Application Data\PriceGong\Data\z.txt
c:\documents and settings\Kazuyo\Application Data\SearchProtect
c:\documents and settings\Kazuyo\Application Data\SearchProtect\bin\ChromeModule.dll
c:\documents and settings\Kazuyo\Application Data\SearchProtect\bin\cltmng.exe
c:\documents and settings\Kazuyo\Application Data\SearchProtect\bin\CltMngSvc.exe
c:\documents and settings\Kazuyo\Application Data\SearchProtect\bin\FirefoxModule.dll
c:\documents and settings\Kazuyo\Application Data\SearchProtect\bin\InternetExplorerModule.dll
c:\documents and settings\Kazuyo\Application Data\SearchProtect\bin\rep.dat
c:\documents and settings\Kazuyo\Application Data\SearchProtect\bin\SPHook32.dll
c:\documents and settings\Kazuyo\Application Data\SearchProtect\bin\SPHook32.dll_20131015073516.312
c:\documents and settings\Kazuyo\Application Data\SearchProtect\bin\SPHook64.dll
c:\documents and settings\Kazuyo\Application Data\SearchProtect\bin\SPRunner.exe
c:\documents and settings\Kazuyo\Application Data\SearchProtect\bin\SPTool64.exe
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\dialogsApi.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\lib\jquery.min.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\lib\json2.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spbd\bubble.css
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spbd\bubble.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spbd\images\information.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spbd\images\x-default-LTR.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spbd\images\x-default-RTL.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spbd\main.html
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spsd\images\ok-button.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spsd\images\separation-line.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spsd\images\warning.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spsd\main.html
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spsd\SearchProtector.css
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Dialogs\spsd\settings.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\abstraction.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\application.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\dialogsApi.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\lib\jquery.min.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\lib\json2.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.css
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\information.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-LTR.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-RTL.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spbd\main.html
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\ok-button.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\separation-line.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\warning.png
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spsd\main.html
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spsd\SearchProtector.css
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\Dialogs\spsd\settings.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\nsprotector.js
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\popupTransparent.xul
c:\documents and settings\Kazuyo\Application Data\SearchProtect\ffprotect\SProtectorRepository\EN
c:\documents and settings\Kazuyo\Application Data\SearchProtect\Res\SPSetup.exe
c:\documents and settings\sshiigi\Application Data\2433f433
c:\documents and settings\sshiigi\Application Data\PriceGong
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\1.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\27472.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\a.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\b.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\c.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\d.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\e.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\f.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\g.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\h.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\i.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\j.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\k.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\l.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\m.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\n.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\o.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\p.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\q.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\r.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\s.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\t.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\u.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\v.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\w.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\x.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\y.txt
c:\documents and settings\sshiigi\Application Data\PriceGong\Data\z.txt
c:\documents and settings\sshiigi\Application Data\SearchProtect
c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\ChromeModule.dll
c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\cltmng.exe
c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\CltMngSvc.exe
c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\FirefoxModule.dll
c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\InternetExplorerModule.dll
c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\rep.dat
c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\SPHook32.dll
c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\SPHook64.dll
c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\SPRunner.exe
c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\SPTool64.exe
c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\uninstall.exe
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\dialogsApi.js
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\lib\jquery.min.js
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\lib\json2.js
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spbd\bubble.css
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spbd\bubble.js
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spbd\images\information.png
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spbd\images\x-default-LTR.png
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spbd\images\x-default-RTL.png
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spbd\main.html
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spsd\images\ok-button.png
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spsd\images\separation-line.png
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spsd\images\warning.png
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spsd\main.html
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spsd\SearchProtector.css
c:\documents and settings\sshiigi\Application Data\SearchProtect\Dialogs\spsd\settings.js
c:\documents and settings\sshiigi\Application Data\SearchProtect\ffprotect\abstraction.js
c:\documents and settings\sshiigi\Application Data\SearchProtect\ffprotect\application.js
c:\documents and settings\sshiigi\Application Data\SearchProtect\ffprotect\nsprotector.js
c:\documents and settings\sshiigi\Application Data\SearchProtect\ffprotect\SProtectorRepository\EN
.
.
(((((((((((((((((((((((((   Files Created from 2013-09-16 to 2013-10-16  )))))))))))))))))))))))))))))))
.
.
2013-10-16 15:56 . 2013-10-16 15:56 -------- d-----w- c:\documents and settings\sshiigi\Local Settings\Application Data\Conduit
2013-10-16 15:55 . 2013-10-16 15:57 -------- d-----w- c:\documents and settings\sshiigi\Local Settings\Application Data\SweetPacks_A5
2013-10-16 15:27 . 2013-10-16 15:28 -------- d-----w- c:\documents and settings\Kazuyo\Local Settings\Application Data\Browsersafeguard
2013-10-16 15:27 . 2013-10-16 15:27 -------- d-----w- c:\documents and settings\Kazuyo\Local Settings\Application Data\BrowserSafeguardWebValidator
2013-10-16 15:15 . 2013-10-16 15:27 -------- d-----w- c:\documents and settings\Kazuyo\Local Settings\Application Data\SweetPacks_A5
2013-10-16 15:14 . 2013-10-16 15:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\SweetPacks_A5
2013-10-16 15:14 . 2013-10-16 15:14 -------- d-----w- c:\program files\SweetPacks_A5
2013-10-16 15:14 . 2013-10-16 15:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\temp
2013-10-16 15:14 . 2013-10-16 15:15 -------- d-----w- c:\program files\Conduit
2013-10-16 15:14 . 2013-10-16 15:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Conduit
2013-10-16 15:14 . 2013-10-16 15:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\CRE
2013-10-16 15:13 . 2013-10-16 15:13 -------- d-----w- c:\program files\SearchProtect
2013-10-16 15:13 . 2013-10-16 15:13 -------- d-----w- c:\windows\system32\WNLT
2013-10-16 15:13 . 2013-10-16 15:13 -------- d-----w- c:\program files\Browsersafeguard
2013-10-15 21:28 . 2013-10-15 21:28 -------- d-----w- C:\FRST
2013-10-15 17:35 . 2013-10-15 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Conduit
2013-10-15 17:35 . 2013-10-16 15:15 -------- d-----w- c:\documents and settings\Kazuyo\Local Settings\Application Data\Conduit
2013-10-15 17:35 . 2013-10-15 17:35 -------- d-----w- c:\documents and settings\Kazuyo\Local Settings\Application Data\CRE
2013-10-15 17:34 . 2013-10-15 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\ZalmanInstaller_52332
2013-09-26 18:00 . 2013-09-26 18:00 208760 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2013-09-26 18:00 . 2013-09-26 18:00 208760 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll
2013-09-20 05:33 . 2013-09-20 05:33 -------- d-----w- c:\documents and settings\Jason\Application Data\adawaretb
2013-09-20 05:28 . 2013-09-20 05:29 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\adawarebp
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-16 15:52 . 2009-03-07 02:42 0 ----a-w- c:\documents and settings\sshiigi\Local Settings\Application Data\WavXMapDrive.bat
2013-10-15 23:17 . 2009-03-12 02:27 0 ----a-w- c:\documents and settings\Kazuyo\Local Settings\Application Data\WavXMapDrive.bat
2013-10-14 17:38 . 2009-03-12 05:51 0 ----a-w- c:\documents and settings\Jason\Local Settings\Application Data\WavXMapDrive.bat
2013-10-10 18:08 . 2012-03-31 18:50 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-10-10 18:08 . 2011-05-20 03:51 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-07-19 18:15 . 2013-07-19 18:15 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-07-19 18:15 . 2013-07-19 18:15 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-07-19 18:15 . 2012-11-13 20:03 867240 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-07-19 18:15 . 2011-01-02 12:09 789416 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-28 18:39 . 2013-04-28 18:39 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2013-08-07 1561880]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2013-02-11 10:47 87464 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{93ec97bf-fe43-4bca-a735-5c5d6a0a40c4}]
2013-10-01 14:03 226592 ----a-w- c:\program files\SweetPacks_A5\prxtbSwee.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2013-02-11 87464]
"{93ec97bf-fe43-4bca-a735-5c5d6a0a40c4}"= "c:\program files\SweetPacks_A5\prxtbSwee.dll" [2013-10-01 226592]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CLASSES_ROOT\clsid\{93ec97bf-fe43-4bca-a735-5c5d6a0a40c4}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{93EC97BF-FE43-4BCA-A735-5C5D6A0A40C4}"= "c:\program files\SweetPacks_A5\prxtbSwee.dll" [2013-10-01 226592]
.
[HKEY_CLASSES_ROOT\clsid\{93ec97bf-fe43-4bca-a735-5c5d6a0a40c4}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"
[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]
2009-11-07 11:07 297808 ------w- c:\windows\system32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2009-05-06 222496]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-07 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-12-01 483420]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2008-12-01 471040]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-28 13537280]
"nwiz"="nwiz.exe" [2008-08-28 1630208]
"NvMediaCenter"="NvMCTray.dll" [2008-08-28 86016]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2008-05-14 105472]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-06-24 243000]
"EmbassySecurityCheck"="c:\program files\Wave Systems Corp\EMBASSY Security Setup\EMBASSYSecurityCheck.exe" [2008-06-24 79160]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-08-18 598016]
"DCPstrApp"="c:\program files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe" [2008-08-04 6656]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-10-01 1454080]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2008-07-11 1351680]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2008-07-11 1191936]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" [2008-10-17 442536]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-08 98304]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2008-04-14 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PPort12reminder"="c:\program files\Nuance\PaperPort\Ereg\Ereg.exe" [2010-02-09 328992]
"PDFHook"="c:\program files\Nuance\PDF Viewer Plus\pdfpro5hook.exe" [2010-03-06 636192]
"PDF5 Registry Controller"="c:\program files\Nuance\PDF Viewer Plus\RegistryController.exe" [2010-03-06 62752]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2013-01-31 542632]
"Memeo Instant Backup"="c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe" [2010-12-11 136416]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-11-03 73728]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"SearchProtectAll"="c:\program files\SearchProtect\bin\cltmng.exe" [2013-09-22 3470624]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\sshiigi\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-8-15 604776]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2008-11-11 950048]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe -s [2004-11-4 53248]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe  /startup [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-05 19:33 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChangeTPMAuth]
2008-05-30 15:37 180224 ------w- c:\program files\Wave Systems Corp\Common\ChangeTPMAuth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter4]
2010-08-19 07:11 135168 ----a-w- c:\program files\ControlCenter4\BrCcBoot.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-09-14 01:49 49152 ------w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2010-03-09 10:37 46368 ----a-w- c:\program files\Nuance\PaperPort\IndexSearch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2010-03-09 10:42 29984 ----a-w- c:\program files\Nuance\PaperPort\pptd40nt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2007-07-27 15:10 1133040 ------w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
"c:\\Program Files\\adawaretb\\dtUser.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [4/30/2013 1:14 PM 13560]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 74480]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/30/2013 1:17 PM 22064]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [3/18/2013 3:25 AM 1236336]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 1:56 AM 133968]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [9/4/2008 1:28 PM 406808]
R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\SearchProtect\bin\CltMngSvc.exe [9/22/2013 1:57 AM 220960]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [11/11/2008 12:35 PM 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [11/11/2008 12:35 PM 20840]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [11/11/2008 11:00 AM 451872]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [5/9/2011 10:53 PM 12184]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [12/10/2010 3:49 PM 25824]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\Nuance\PaperPort\PDFProFiltSrvPP.exe [3/9/2010 12:40 AM 144672]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/30/2013 1:38 PM 66344]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [11/3/2011 8:10 AM 8704]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe [10/1/2008 12:28 AM 90112]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2/27/2009 11:10 AM 112128]
R3 BrSerIb;Brother Serial Interface Driver(WDM);c:\windows\system32\drivers\BrSerIb.sys [2/22/2011 12:02 AM 71424]
R3 BrUsbSIb;Brother Serial USB Driver(WDM);c:\windows\system32\drivers\BrUsbSib.sys [2/22/2011 12:02 AM 11520]
R3 CCIDFILTER;Broadcom Smart Card Reader Filter Driver;c:\windows\system32\drivers\ccidflt.sys [2/27/2009 9:39 AM 12840]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2/27/2009 11:11 AM 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y5132.sys [2/27/2009 11:10 AM 244368]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [8/24/2010 7:30 AM 42648]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [8/24/2010 7:30 AM 12184]
R3 OA001Afx;Provides a software interface to control audio effects of OA001 camera.;c:\windows\system32\drivers\OA001Afx.sys [2/27/2009 11:10 AM 134144]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2/27/2009 11:10 AM 133632]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2/27/2009 11:10 AM 281472]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 gupdate1c99ecddb6280e6;Google Update Service (gupdate1c99ecddb6280e6);c:\program files\Google\Update\GoogleUpdate.exe [3/6/2009 4:38 PM 133104]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [9/11/2012 8:24 AM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/17/2011 6:39 PM 701512]
S2 SBAMSvc;Ad-Aware;c:\program files\Ad-Aware Antivirus\SBAMSvc.exe [9/20/2012 5:39 AM 3677000]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [6/21/2013 10:13 AM 162408]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [4/19/2007 1:28 AM 42832]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [2/22/2011 12:00 AM 245760]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [4/30/2013 2:50 PM 43368]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/17/2011 6:39 PM 22856]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [5/15/2012 3:57 PM 93816]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - CLTMNGSVC
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-10-04 15:14 1185744 ----a-w- c:\program files\Google\Chrome\Application\30.0.1599.69\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-10-09 c:\windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job
- c:\progra~1\AD-AWA~1\AdAwareLauncher.exe [2013-03-18 13:25]
.
2013-10-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 18:08]
.
2013-10-16 c:\windows\Tasks\BrowserSafeguard Update Task.job
- c:\program files\Browsersafeguard\uninstall.browsersafeguard.exe [2013-10-16 15:13]
.
2013-03-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-07 17:54]
.
2013-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-07 02:38]
.
2013-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-07 02:38]
.
2013-10-15 c:\windows\Tasks\User_Feed_Synchronization-{FA4994F7-D9D9-49BE-BF8A-1123A84B76A0}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 14:31]
.
.
------- Supplementary Scan -------
.

uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Open with PDF Viewer Plus - c:\program files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: costar.com
Trusted Zone: intuit.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\sshiigi\Application Data\Mozilla\Firefox\Profiles\fu2922xy.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.search.selectedEngine - SecureSearch
FF - ExtSQL: !HIDDEN! 2009-08-21 20:18; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2013-01-12 22:21; {B26FA4AF-A08A-11E1-826F-B8AC6F996F26}; c:\documents and settings\sshiigi\Local Settings\Application Data\{B26FA4AF-A08A-11E1-826F-B8AC6F996F26}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{ef1feedd-d8da-4930-96f1-0a1a598375c6} - (no file)
Toolbar-{ef1feedd-d8da-4930-96f1-0a1a598375c6} - (no file)
ShellIconOverlayIdentifiers-{022F2F51-CDDA-4873-8A29-72C66C808A3F} - c:\documents and settings\sshiigi\Local Settings\Temporary Internet Files\Content.IE5\2R6CE5NZ\SOSKAPISKA[1].dll
HKCU-Run-SearchProtect - c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\cltmng.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-10-16 06:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_9_900_117_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(928)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'lsass.exe'(984)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
.
Completion time: 2013-10-16  06:38:03
ComboFix-quarantined-files.txt  2013-10-16 16:37
ComboFix2.txt  2013-03-30 16:49
.
Pre-Run: 163,271,385,088 bytes free
Post-Run: 165,019,381,760 bytes free
.
- - End Of File - - B0B9BF12D487E91C4BAAD9DB886ED049
5C616939100B85E558DA92B899A0FC36
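The ComboFix log above is mostly a dump of autostart values, in-process shell hooks (ShellIconOverlayIdentifiers, ShellExecuteHooks, winlogon\notify, ContextMenuHandlers) and the firewall policy, and the items that matter for this thread are easy to lose in it: a ShellIconOverlayIdentifiers CLSID whose DLL sits in the IE cache (SOSKAPISKA[1].dll, the file MBAM flagged), an HKCU Run entry under Application Data, EnableFirewall = 0 on the standard profile, and TCP 3389 globally open. The script below is an added example, not part of the thread and not logic from ComboFix, AdwCleaner or Malwarebytes: it parses lines in the log's format and ranks the entries an analyst would look at first. The sample lines are copied from the log above; the severity rules and the list of user-writable locations are this example's own assumptions.

```python
"""Triage of ComboFix-style autostart, shell-hook and firewall-policy lines.

Added example: the line formats are those of the log above; the severity
rules and the list of user-writable locations are this example's own
assumptions, not logic from ComboFix, AdwCleaner or Malwarebytes.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log above, in its format.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-28 200704]
"SearchProtectAll"="c:\program files\SearchProtect\bin\cltmng.exe" [2013-09-22 3470624]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
ShellIconOverlayIdentifiers-{022F2F51-CDDA-4873-8A29-72C66C808A3F} - c:\documents and settings\sshiigi\Local Settings\Temporary Internet Files\Content.IE5\2R6CE5NZ\SOSKAPISKA[1].dll
HKCU-Run-SearchProtect - c:\documents and settings\sshiigi\Application Data\SearchProtect\bin\cltmng.exe
"""

HEADER_RE = re.compile(r"^\[(.+)\]\s*$")                  # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')       # "name"="data" [date size]
ORPHAN_RE = re.compile(r"^([A-Za-z]+)-(\S+) - (.+?)\s*$")  # Category-Name - path
QUOTED_RE = re.compile(r'^"([^"]+)"')
DRIVE_RE = re.compile(r"^[a-z]:\\", re.I)

# Registrations that explorer.exe / winlogon.exe load in-process: a broken DLL
# here takes the shell down with it, which is what a vanished desktop looks like.
SHELL_HOOK_KEYS = ("shelliconoverlayidentifiers", "shellexecutehooks",
                   "contextmenuhandlers", "browser helper objects", "winlogon\\notify")
# Locations a limited user can write to; machine-wide hooks have no business there.
USER_WRITABLE = ("\\temporary internet files\\", "\\temp\\",
                 "\\application data\\", "\\local settings\\")
BROWSER_CACHE = ("\\temporary internet files\\", "\\temp\\")


@dataclass
class Entry:
    key: str   # registry key, or "orphan:<category>" for ORPHANS REMOVED lines
    name: str  # value name, CLSID or shortcut name
    data: str  # raw data as printed in the log
    path: str  # file path extracted from data, '' if none


@dataclass
class Finding:
    severity: str
    reason: str
    entry: Entry


def path_of(data: str) -> str:
    """Return the quoted or bare drive path in a value's data, else ''."""
    m = QUOTED_RE.match(data)
    if m:
        return m.group(1)
    return data if DRIVE_RE.match(data) else ""


def parse_combofix(text: str) -> list:
    """Turn key headers, value lines and orphan lines into Entry records."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = HEADER_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data = m.groups()
            entries.append(Entry(key, name, data, path_of(data)))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            category, name, path = m.groups()
            real = "" if "(no file)" in path else path
            entries.append(Entry("orphan:" + category, name, path, real))
    return entries


def triage(entries: list) -> list:
    """Flag a disabled firewall, globally open ports and code in user-writable paths."""
    findings = []
    for e in entries:
        key, path = e.key.lower(), e.path.lower()
        if "firewallpolicy" in key and e.name.lower() == "enablefirewall" and e.data.startswith("0"):
            findings.append(Finding("high", "host firewall disabled for this profile", e))
        elif "globallyopenports" in key:
            findings.append(Finding("medium", "inbound port globally open: " + e.name, e))
        elif path and any(marker in path for marker in USER_WRITABLE):
            hooked = any(h in key for h in SHELL_HOOK_KEYS)
            cached = any(marker in path for marker in BROWSER_CACHE)
            what = "shell hook" if hooked else "autostart"
            sev = "high" if (hooked or cached) else "medium"
            findings.append(Finding(sev, what + " loads code from a user-writable location", e))
    return findings


if __name__ == "__main__":
    for f in triage(parse_combofix(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.reason}: {f.entry.name} -> {f.entry.path or f.entry.data}")
```

Run as-is it prints four findings: the disabled firewall and the open 3389 port from the policy keys, the icon-overlay DLL in the IE cache as high, and the per-user SearchProtect Run entry as medium. The path heuristic deliberately says nothing about the Conduit, SweetPacks and adawaretb components installed under Program Files with normal-looking paths; those are only identifiable by name, which is what the signature-driven AdwCleaner pass later in this thread is for. The firewall finding is worth keeping on the list even after the malware is gone: the later Security Check output in this thread reports the Windows Firewall as enabled again, which is the state to confirm.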
 


Well done!

 

Let's clean out any adware now (this will require a reboot, so save all your work):
 
Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users: right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
When it's done you'll see: Pending: Please uncheck elements you don't want removed.
Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
Look over the log especially under Files/Folders for any program you want to save.
If there's a program you may want to save, just uncheck it from AdwCleaner.
If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
If you're ready to clean it all up, click the Clean button.
After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Items that are deleted are moved to the Quarantine Folder:  C:\AdwCleaner\Quarantine
To restore an item that has been deleted:
Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

 
Then..................
 
Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.
 
Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.
 
Make sure that everything is checked, and click Remove Selected.
 
Please let me know how the computer is running now. MrC
 
 

 

 


Ran AdwCleaner.

 

# AdwCleaner v3.007 - Report created 16/10/2013 at 10:53:44
# Updated 09/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : sshiigi - DFB69GJ1
# Running from : C:\Documents and Settings\sshiigi\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : CltMngSvc

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\adawaretb
Folder Deleted : C:\Documents and Settings\All Users\Application Data\blekko toolbars
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\All Users\Application Data\ParetoLogic
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Search Protection
Folder Deleted : C:\Program Files\adawaretb
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Searchprotect
Folder Deleted : C:\WINDOWS\system32\WNLT
Folder Deleted : C:\Documents and Settings\sshiigi\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\sshiigi\Application Data\adawaretb
Folder Deleted : C:\Documents and Settings\sshiigi\Application Data\DriverCure
Folder Deleted : C:\Documents and Settings\sshiigi\Application Data\ParetoLogic
Folder Deleted : C:\Documents and Settings\sshiigi\Application Data\PriceGong
Folder Deleted : C:\Documents and Settings\Kazuyo\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Kazuyo\Application Data\adawaretb
Folder Deleted : C:\Documents and Settings\Jason\Application Data\adawaretb
Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Administrator\Application Data\adawaretb
Folder Deleted : C:\Documents and Settings\sshiigi\Application Data\Mozilla\Firefox\Profiles\fu2922xy.default\adawaretb
Folder Deleted : C:\Documents and Settings\administrator.CBCI\Application Data\Mozilla\Firefox\Profiles\c4kbf8cm.default\adawaretb
Folder Deleted : C:\Documents and Settings\Kazuyo\Application Data\Mozilla\Firefox\Profiles\8l204eq6.default\adawaretb
Folder Deleted : C:\Documents and Settings\Kazuyo\Application Data\Mozilla\Firefox\Profiles\8l204eq6.default\CT3309322
Folder Deleted : C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\e68jkvzq.default\adawaretb
Folder Deleted : C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\e68jkvzq.default\jetpack
Folder Deleted : C:\Documents and Settings\Kazuyo\Application Data\Mozilla\Firefox\Profiles\8l204eq6.default\Extensions\{ef1feedd-d8da-4930-96f1-0a1a598375c6}
File Deleted : C:\END
File Deleted : C:\Documents and Settings\administrator.CBCI\Application Data\Mozilla\Firefox\Profiles\c4kbf8cm.default\.autoreg
File Deleted : C:\Documents and Settings\sshiigi\Application Data\Mozilla\Firefox\Profiles\fu2922xy.default\invalidprefs.js
File Deleted : C:\Program Files\Mozilla Firefox\nsprotector.js
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\adawaretb.xml
File Deleted : C:\Documents and Settings\Kazuyo\Application Data\Mozilla\Firefox\Profiles\8l204eq6.default\searchplugins\Conduit.xml

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [searchProtectAll]
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3314312
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\adawaretb\dtUser.exe]
Key Deleted : HKCU\Software\adawaretb
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKCU\Software\PriceGong
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\adawaretb
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\Software\ParetoLogic
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\KeyBar_1.22
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adawaretb
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\adawaretb
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

-\\ Mozilla Firefox v20.0.1 (en-US)

[ File : C:\Documents and Settings\sshiigi\Application Data\Mozilla\Firefox\Profiles\fu2922xy.default\prefs.js ]

[ File : C:\Documents and Settings\administrator.CBCI\Application Data\Mozilla\Firefox\Profiles\c4kbf8cm.default\prefs.js ]

[ File : C:\Documents and Settings\Kazuyo\Application Data\Mozilla\Firefox\Profiles\8l204eq6.default\prefs.js ]

Line Deleted : user_pref("CT3309322.FF19Solved", "true");
Line Deleted : user_pref("CT3309322.UserID", "UN12910421001618191");
Line Deleted : user_pref("CT3309322.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3309322.fullUserID", "UN12910421001618191.IN.20131015073450");
Line Deleted : user_pref("CT3309322.installDate", "15/10/2013 07:34:55");
Line Deleted : user_pref("CT3309322.installSessionId", "{7ACD87E5-6185-4BF9-AB93-2BBB3FA268C2}");
Line Deleted : user_pref("CT3309322.installSp", "TRUE");
Line Deleted : user_pref("CT3309322.installerVersion", "1.7.1.7");
Line Deleted : user_pref("CT3309322.keyword", "true");
Line Deleted : user_pref("CT3309322.originalSearchAddressUrl", "");
Line Deleted : user_pref("CT3309322.originalSearchEngine", "SecureSearch");
Line Deleted : user_pref("CT3309322.originalSearchEngineName", "");
Line Deleted : user_pref("CT3309322.searchRevert", "false");
Line Deleted : user_pref("CT3309322.searchUserMode", "2");
Line Deleted : user_pref("CT3309322.smartbar.homepage", "true");
Line Deleted : user_pref("CT3309322.versionFromInstaller", "10.20.3.20");
Line Deleted : user_pref("CT3309322.xpeMode", "0");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "KeyBar 1.22 Customized Web Search");
Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3309322");
Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3309322");
Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3309322");
Line Deleted : user_pref("smartbar.machineId", "PF5/YY6QQUFXYPK2YFNYYGVABWIRLPN74P2LMFFZV6DA6N60RGW6ZP/EAA2ZYTEGF4NXYGSYA1PEL0DGFRCLSW");
Line Deleted : user_pref("browser.search.selectedEngine", "MaxWebSearch");//Browsersafeguard-ext_browsersafeguard
Line Deleted : user_pref("browser.search.defaultenginename", "MaxWebSearch");//Browsersafeguard-ext_browsersafeguard

[ File : C:\Documents and Settings\Jason\Application Data\Mozilla\Firefox\Profiles\e68jkvzq.default\prefs.js ]

-\\ Google Chrome v30.0.1599.69

[ File : C:\Documents and Settings\sshiigi\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

[ File : C:\Documents and Settings\Kazuyo\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : urls_to_restore_on_startup
Deleted : search_url
Deleted : homepage
Deleted : keyword

[ File : C:\Documents and Settings\Jason\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [12449 octets] - [16/10/2013 10:46:59]
AdwCleaner[s0].txt - [12577 octets] - [16/10/2013 10:53:44]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [12638 octets] ##########

 

========================

Ran MBAM

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.16.13

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
sshiigi :: DFB69GJ1 [administrator]

Protection: Enabled

10/16/2013 11:10:24 AM
mbam-log-2013-10-16 (11-10-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 367961
Time elapsed: 12 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCR\CLSID\{28949824-6737-0594-0930-223283753445} (Trojan.Agent.RDN) -> Quarantined and deleted successfully.
HKCR\*\shellex\ContextMenuHandlers\{28949824-6737-0594-0930-223283753445} (Trojan.Agent.RDN) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browsersafeguard (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\BROWSERSAFEGUARD (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Browsersafeguard|sourceid (PUP.Optional.BrowserSafeGuard.A) -> Data: google_browsersafeguard-display-us-bleeping-728x90-36639128953 -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Program Files\Browsersafeguard (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.

Files Detected: 18
C:\Documents and Settings\All Users\Application Data\ZalmanInstaller_52332\otshotcomponent34.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Documents and Settings\sshiigi\Templates\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\Documents and Settings\sshiigi\Local Settings\Application Data\2433f433 (Trojan.Agent.TPL) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\ewebstorewrapper.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\BrowserSafeguard.exe (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\install.log (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\makecert.exe (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\TrustedRoot.cer (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\uninstall.browsersafeguard.exe (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\certutil.exe (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\libnspr4.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\libplc4.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\libplds4.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\nss3.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\smime3.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\Program Files\Browsersafeguard\Resources\softokn3.dll (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\BrowserSafeguard Update Task.job (PUP.Optional.BrowserSafeGuard.A) -> Quarantined and deleted successfully.

(end)


Looks Good.....

Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
MrC

Results of screen317's Security Check version 0.99.74
Windows XP Service Pack 3 x86
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Lavasoft Ad-Aware
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
SUPERAntiSpyware Free Edition
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
Java 7 Update 25
Java version out of Date!
Adobe Flash Player 11.6.602.180
Adobe Reader 9
Adobe Reader XI
Mozilla Firefox 20.0.1 Firefox out of Date!
Google Chrome 30.0.1599.66
Google Chrome 30.0.1599.69
````````Process Check: objlist.exe by Laurent````````
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Ad-Aware Antivirus AdAwareService.exe
Ad-Aware Antivirus SBAMSvc.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 0%
````````````````````End of Log``````````````````````
