
conduit infection?



Not sure what it is but it's like an extra toolbar on my IE...

 

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/14/2013 10:20:16 AM
System Uptime: 12/22/2013 9:55:42 AM (4 hours ago)
.
Motherboard: FUJITSU |  | FJNB25E
Processor: Intel® Core i5-3320M CPU @ 2.60GHz | Onboard | 2601/100mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 297 GiB total, 217.343 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP68: 12/7/2013 6:18:00 PM - Installed DirectX
RP69: 12/9/2013 6:50:06 PM - Installed Razer Synapse 2.0.
.
==== Installed Programs ======================
.
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.02)
Adobe Shockwave Player 12.0
Afaria Client
Altiris Inventory Agent
Anytime USB Charge Utility
AuthenTec Fingerprint Software
Auto Rotation Utility
Battery Utility
Battle.net
eDocPrinter PDF Pro 6.82 MSI
FJ Camera
Fujitsu Display Manager
Fujitsu Hotkey Utility
Fujitsu MobilityCenter Extension Utility
Fujitsu System Extension Utility
Fujitsu System Manager
Gobi GPS Control and Data Logger
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Hearthstone
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946040)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946308)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB946344)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947540)
Hotfix for Microsoft Visual Studio 2007 Tools for Applications - ENU (KB947789)
Intel PROSet Wireless
Intel® Network Connections Drivers
Intel® OpenCL CPU Runtime
Intel® Processor Graphics
Intel® Rapid Storage Technology
Intel® USB 3.0 eXtensible Host Controller Driver
Intel® PROSet/Wireless WiFi Software
ISD Tablet
LiveUpdate 3.3 (Symantec Corporation)
LogMeIn Rescue Technician Console
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Report Viewer Redistributable 2008 (KB971119)
Microsoft Report Viewer Redistributable 2008 SP1
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2008 R2 Native Client
Microsoft SQL Server 2008 R2 Policies
Microsoft SQL Server 2008 R2 RsFx Driver
Microsoft SQL Server 2008 R2 Setup (English)
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server Browser
Microsoft SQL Server Compact 3.5 SP2 ENU
Microsoft SQL Server Compact 3.5 SP2 Query Tools ENU
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual Studio Tools for Applications 2.0 - ENU
Mozilla Firefox 26.0 (x86 en-US)
Mozilla Maintenance Service
O2Micro OZ776 SCR Driver
OpenVPN Connect
Patch Management Agent
PATH IMS CR
PATH IMS CR 2
PATH IMS CR 2 (c:\wescapi\PATH\IMS\BFOS\APP\)
Pointing Device Utility
Power Saving Utility
Project Helpdesk
Razer Synapse 2.0
Realtek High Definition Audio Driver
Realtek PCIE Card Reader
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Service Pack 2 for SQL Server 2008 R2 (KB2630458)
Shock Sensor Driver
Shock Sensor Utility
Sierra Wireless AirCard Watcher
Sierra Wireless QMI Driver Package
Sierra Wireless QMI Fujitsu Driver Package
Skype Click to Call
Skype™ 6.11
Software Management Solution Agent
Sonic & All-Stars Racing Transformed
SQL Server 2008 R2 Database Engine Services
SQL Server 2008 R2 Management Studio
SQL Server 2008 R2 SP2 Common Files
SQL Server 2008 R2 SP2 Database Engine Services
SQL Server 2008 R2 SP2 Database Engine Shared
Sql Server Customer Experience Improvement Program
Steam
swMSM
Symantec Encryption Desktop
Symantec Endpoint Protection
Synaptics Pointing Device Driver
Touch Launcher
VLC media player 2.0.1
VT-Kate-M16-SAPI5
VT-Violeta-M16-SAPI5
Wessecc
Windows Driver Package - Fujitsu America, Inc. (FjBtnDrv) HIDClass  (08/27/2009 4.2.0827.2009)
WinZip 12.1
.
==== Event Viewer Messages From Past Week ========
.
12/22/2013 9:57:04 AM, Error: Microsoft-Windows-GroupPolicy [1129]  - The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.
12/22/2013 9:56:21 AM, Error: NETLOGON [5719]  - This computer was not able to set up a secure session with a domain controller in domain FOS due to the following:  There are currently no logon servers available to service the logon request.  This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.   ADDITIONAL INFO  If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain.
12/22/2013 1:14:44 PM, Error: Schannel [36871]  - A fatal error occurred while creating an SSL client credential. The internal error state is 10013.
12/22/2013 1:12:41 PM, Error: Service Control Manager [7031]  - The Update SecretSauce service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
12/21/2013 8:11:31 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the eventlog service.
12/20/2013 10:23:46 PM, Error: Microsoft-Windows-GroupPolicy [1006]  - The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.
.
==== End Of File ===========================
 

Here is the DDS...

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16490
Run by PATH9371 at 13:32:11 on 2013-12-22
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3455.1688 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Fingerprint Sensor\AtService.exe
C:\Program Files\Tablet\ISD\ISD_TouchService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\AClient\Bin\XeService.exe
C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv32.exe
C:\Program Files\AClient\Bin\XcDiffCache.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Westat - GeoStats Services\Gobi GPS Control and Data Logger\GobiLogger.exe
C:\Program Files\Sierra Wireless Inc\Gobi\QDLService\GobiQDLService.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
C:\Program Files\OpenVPN Technologies\OpenVPN Client\core\capiws.exe
C:\Program Files\PGP Corporation\PGP Desktop\RDDService.exe
C:\Program Files\Fujitsu\PSUtility\PSUService.exe
C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Sierra Wireless Inc\Common\SwiCardDetect.exe
C:\Program Files\Sierra Wireless Inc\Utils\SWIService.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Tablet\ISD\ISD_Tablet.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Tablet\ISD\ISD_TabletUser.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Tablet\ISD\ISD_TouchUser.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVBg.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Tablet\ISD\ISD_Tablet.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Fujitsu\FDM8\FdmDaemon.exe
C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
C:\Program Files\Fujitsu\AutoRotation\AutoRotation.exe
C:\Program Files\Fujitsu\PointingDeviceUtility\FJPDAutoSet.exe
C:\Program Files\Fujitsu\PSUtility\TrayManager.exe
C:\Program Files\Fujitsu\SSUtility\FJSSDMN.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Razer\Synapse\RzSynapse.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\ProgramData\Battle.net\Agent\Agent.beta.2514\Agent.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Battle.net\Battle.net.4047\Battle.net.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\OpenVPN Technologies\OpenVPN Client\core\ovpntray.exe
C:\Program Files\OpenVPN Technologies\OpenVPN Client\etc\..\core\openvpn.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.

uURLSearchHooks: WhiteSmoke New 1.2 Toolbar: {8f02605d-be4e-41ba-bd00-c39a59c46919} - c:\program files\whitesmoke_new_1.2\prxtbWhit.dll
mURLSearchHooks: WhiteSmoke New 1.2 Toolbar: {8f02605d-be4e-41ba-bd00-c39a59c46919} - c:\program files\whitesmoke_new_1.2\prxtbWhit.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WhiteSmoke New 1.2 Toolbar: {8f02605d-be4e-41ba-bd00-c39a59c46919} - c:\program files\whitesmoke_new_1.2\prxtbWhit.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
TB: WhiteSmoke New 1.2 Toolbar: {8F02605D-BE4E-41BA-BD00-C39A59C46919} - c:\program files\whitesmoke_new_1.2\prxtbWhit.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: WhiteSmoke New 1.2 Toolbar: {8f02605d-be4e-41ba-bd00-c39a59c46919} - c:\program files\whitesmoke_new_1.2\prxtbWhit.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [ConduitFloatingPlugin_kepfgejmidkmoiimkfdjocdjhbcpmlmg] "c:\windows\system32\rundll32.exe" "c:\program files\conduit\ct3316751\plugins\TBVerifier.dll",RunConduitFloatingPlugin kepfgejmidkmoiimkfdjocdjhbcpmlmg
mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [RtHDVBg_DTS] c:\program files\realtek\audio\hda\RtHDVBg.exe /DTSU2P
mRun: [ATSwpNav] "c:\program files\fingerprint sensor\ATSwpNav" -run
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [USB3MON] "c:\program files\intel\intel® usb 3.0 extensible host controller driver\application\iusb3mon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IndicatorUtility] "c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe"
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [FDM8] c:\program files\fujitsu\fdm8\FdmDaemon.exe
mRun: [LoadFUJ02E3] "c:\program files\fujitsu\fuj02e3\fuj02e3.exe"
mRun: [FJAutoR] c:\program files\fujitsu\autorotation\AutoRotation.exe
mRun: [StartFujitsuPointingDeviceUtility] "c:\program files\fujitsu\pointingdeviceutility\FJPDAutoSet.exe"
mRun: [PSUTility] c:\program files\fujitsu\psutility\TrayManager.exe
mRun: [SSUtility] c:\program files\fujitsu\ssutility\FJSSDMN.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [Razer Synapse] "c:\program files\razer\synapse\RzSynapse.exe"
mRunOnce: [SpUninstallCleanUp] REG delete HKEY_CURRENT_USER\Software\SearchProtect /f
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\fosrecovery.lnk - c:\windows\system32\windowspowershell\v1.0\powershell.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: nodrivetypeautorun = dword:251
mPolicies-Explorer: NoWebServices = dword:1
mPolicies-Explorer: NoOnlinePrintsWizard = dword:1
mPolicies-Explorer: NoPublishingWizard = dword:1
mPolicies-Explorer: NoAutorun = dword:1
mPolicies-Explorer: PreXPSP2ShellProtocolBehavior = dword:0
mPolicies-Explorer: DisableLocalMachineRunOnce = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableInstallerDetection = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-System: DefaultLogonDomain = A57694
mPolicies-System: LogonType = dword:0
mPolicies-System: ReportControllerMissing = dword:1
mPolicies-System: legalnoticecaption = Legal Notice
mPolicies-System: legalnoticetext = **WARNING**WARNING**WARNING**WARNING**WARNING**WARNING**    Warning Notice! This is a U.S. Government computer system which may be accessed and used only for authorized government business by authorized personnel. Unauthorized access or use of this computer system may subject violators to criminal, civil, and/or administrative action.  All information on this computer system may be intercepted, recorded, read, copied, and disclosed by and to authorized personnel for official purposes, including criminal investigations.  Such information includes sensitive data encrypted to comply with confidentiality and privacy requirements. Access or use of this computer system by any person, whether authorized or unauthorized, constitutes consent to these terms. There is no right of privacy in this system.  *WARNING**WARNING**WARNING**WARNING**WARNING****WARNING**
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
LSP: c:\windows\system32\PGPlsp.dll
TCP: NameServer = 10.5.1.10 10.5.1.20
TCP: Interfaces\{116127BE-A2E2-468F-A0C1-05D89BC70232} : DHCPNameServer = 10.5.1.10 10.5.1.20
TCP: Interfaces\{13D45494-D998-40BC-AF66-8D2F5CA21C01} : DHCPNameServer = 10.13.9.225 10.13.9.226
TCP: Interfaces\{9CC5EC40-9EF9-4CF1-BED9-3E12D3C5451E} : DHCPNameServer = 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= PGPmapih.dll
SSODL: WebCheck - <orphaned>
LSA: Notification Packages =  scecli PGPpwflt
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\31.0.1650.63\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.94.0.1    client.openvpn.net
Hosts: 127.94.0.2    openvpn-client.as2.fos.westat.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\path9371\appdata\roaming\mozilla\firefox\profiles\p4v4umcs.default\
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.22.3\npGoogleUpdate3.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1204144.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_9_900_170.dll
FF - ExtSQL: 2013-12-07 22:02; {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}; c:\program files\mozilla firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
.
============= SERVICES / DRIVERS ===============
.
R0 FBIOSDRV;Fujitsu BIOS Driver;c:\windows\system32\drivers\FBIOSDRV.sys [2013-7-1 17008]
R0 FJGSDisk;G-Sensor Application Filter Driver;c:\windows\system32\drivers\FJGSDisk.sys [2013-2-26 13296]
R0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys [2013-2-26 15640]
R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2013-2-1 149136]
R0 Pgpwdefs;Pgpwdefs;c:\windows\system32\drivers\PGPwdefs.sys [2013-2-1 15264]
R1 Teefer3;Symantec Endpoint Protection Firewall;c:\windows\system32\drivers\Teefer3.sys [2012-10-19 45472]
R2 Afaria Client Service;Afaria Client Service;c:\program files\aclient\bin\XeService.exe [2013-10-14 239104]
R2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2010-6-2 2042688]
R2 DTSAudioSvc;DTSAudioSvc;c:\program files\realtek\audio\hda\DTSU2PAuSrv32.exe [2013-2-26 182272]
R2 FUJ02E3Service;FUJ02E3Service;c:\program files\fujitsu\fuj02e3\FUJ02E3.exe [2011-11-23 65864]
R2 GobiLogger;GobiLogger;c:\program files\westat - geostats services\gobi gps control and data logger\GobiLogger.exe [2013-6-14 48640]
R2 GobiQDLService;Sierra Wireless QDL Service;c:\program files\sierra wireless inc\gobi\qdlservice\GobiQDLService.exe [2011-11-25 312688]
R2 OpenVPNAccessClient;OpenVPN Access Client;c:\program files\openvpn technologies\openvpn client\core\capiws.exe [2012-5-3 24064]
R2 PGP RDD Service;PGP RDD Service;c:\program files\pgp corporation\pgp desktop\RDDService.exe [2013-2-1 1589528]
R2 PowerSavingUtilityService;PowerSavingUtilityService;c:\program files\fujitsu\psutility\PSUService.exe [2013-7-1 63344]
R2 Skype C2C Service;Skype C2C Service;c:\programdata\skype\toolbars\skype c2c service\c2c_service.exe [2013-10-9 3275136]
R2 SwiCardDetectSvc;Sierra Wireless Card Detection Service;c:\program files\sierra wireless inc\common\SwiCardDetect.exe [2012-9-6 247184]
R2 SwiService;Sierra Wireless Service;c:\program files\sierra wireless inc\utils\SwiService.exe [2012-9-21 193936]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2012-10-19 1860000]
R2 TabletServiceISD;TabletServiceISD;c:\program files\tablet\isd\ISD_Tablet.exe [2013-2-26 6048056]
R2 TouchServiceISD;Wacom ISD Touch Service;c:\program files\tablet\isd\ISD_TouchService.exe [2013-2-26 446264]
R3 acpials;ALS Sensor Filter;c:\windows\system32\drivers\acpials.sys [2011-4-11 7680]
R3 ATSwpWDF;AuthenTec TruePrint USB Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2010-6-2 677960]
R3 bcbtums;Bluetooth RAM Firmware Download USB Filter;c:\windows\system32\drivers\bcbtums.sys [2013-2-26 168232]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-11-21 108120]
R3 Fjbtndrv;Fujitsu Button Driver;c:\windows\system32\drivers\FjBtnDrv.sys [2013-2-26 18816]
R3 FUJ02E3;Fujitsu FUJ02E3 Device Driver;c:\windows\system32\drivers\fuj02e3.sys [2013-2-26 5632]
R3 hidkmdf;KMDF Driver;c:\windows\system32\drivers\hidkmdf.sys [2013-2-26 12088]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2013-2-26 280576]
R3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\drivers\iusb3hub.sys [2013-2-26 349976]
R3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\drivers\iusb3xhc.sys [2013-2-26 792856]
R3 MEI;Intel® Management Engine Interface ;c:\windows\system32\drivers\HECI.sys [2012-7-17 55104]
R3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\drivers\Netwsn00.sys [2012-2-20 10339840]
R3 SPUVCbv;SPUVCb Driver Service;c:\windows\system32\drivers\SPUVCBv.sys [2011-12-23 2908024]
R3 swg3kmbb03;Sierra Wireless QMI USB-NDIS 6.20 miniport for Fujitsu;c:\windows\system32\drivers\swg3kmbb03.sys [2012-9-11 404344]
R3 swg3knmea03;Sierra Wireless QMI NMEA Communication - Fujitsu;c:\windows\system32\drivers\swg3knmea03.sys [2012-9-21 225784]
R3 swg3kser03;Sierra Wireless QMI USB Device for Legacy Serial Communication - Fujitsu;c:\windows\system32\drivers\swg3kser03.sys [2012-9-21 225912]
R3 tapoas;TAP-Win32 Adapter OAS;c:\windows\system32\drivers\tapoas.sys [2011-8-19 26112]
R3 WacHidRouter;Wacom Hid Router;c:\windows\system32\drivers\wachidrouter.sys [2013-2-26 74040]
R3 wacomrouterfilter;Wacom Router Filter Driver;c:\windows\system32\drivers\wacomrouterfilter.sys [2013-2-26 13296]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S3 AltirisAgentProvider;AltirisAgentProvider;c:\program files\altiris\altiris agent\agents\wmiprovideragent\AltirisAgentProvider.exe [2013-10-14 620376]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
S3 RSP2STOR;Realtek PCIE CardReader Driver - P2;c:\windows\system32\drivers\RtsP2Stor.sys [2013-2-26 201360]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 swg3knet03;Sierra Wireless QMI USB-NDIS miniport for Fujitsu;c:\windows\system32\drivers\swg3knet03.sys [2013-2-26 297984]
S3 swibus03;Sierra Wireless Bus Enumerator 03;c:\windows\system32\drivers\swibus03.sys [2013-2-26 61952]
S3 swibusflt03;Sierra Wireless Bus Enumerator Filter 03;c:\windows\system32\drivers\swibusflt03.sys [2013-2-26 61952]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2013-2-27 1343400]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 RsFx0153;RsFx0153 Driver;c:\windows\system32\drivers\RsFx0153.sys [2012-6-29 249288]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]
.
=============== Created Last 30 ================
.
2013-12-22 18:10:07    --------    d-----w-    c:\users\path9371\appdata\local\GCC
2013-12-22 18:09:52    --------    d-----w-    c:\users\path9371\appdata\local\SwvUpdater
2013-12-22 18:09:38    --------    d-----w-    c:\programdata\Conduit
2013-12-22 18:09:37    --------    d-----w-    c:\users\path9371\appdata\local\Conduit
2013-12-22 18:09:37    --------    d-----w-    c:\program files\WhiteSmoke_New_1.2
2013-12-22 18:09:28    --------    d-----w-    c:\program files\Conduit
2013-12-22 18:08:56    --------    d-----w-    c:\users\path9371\appdata\roaming\SearchProtect
2013-12-22 18:08:09    --------    d-----w-    c:\program files\TornTV.com
2013-12-09 23:51:04    --------    d-----w-    c:\users\path9371\appdata\local\Razer
2013-12-08 03:01:31    --------    d-----r-    c:\program files\Skype
2013-12-07 22:37:56    --------    d-----w-    c:\program files\common files\Steam
2013-12-07 22:37:55    --------    d-----w-    c:\program files\Steam
2013-11-28 19:56:20    --------    d-----w-    c:\users\path9371\appdata\local\Blizzard
2013-11-28 19:34:11    --------    d-----w-    c:\program files\Hearthstone
2013-11-28 19:32:29    --------    d-----w-    c:\users\path9371\appdata\local\Blizzard Entertainment
2013-11-28 19:32:27    --------    d-----w-    c:\users\path9371\appdata\roaming\Battle.net
2013-11-28 19:32:27    --------    d-----w-    c:\users\path9371\appdata\local\Battle.net
2013-11-28 19:32:20    --------    d-----w-    c:\programdata\Blizzard Entertainment
2013-11-28 19:32:20    --------    d-----w-    c:\program files\common files\Blizzard Entertainment
2013-11-28 19:32:20    --------    d-----w-    c:\program files\Battle.net
2013-11-28 19:30:09    --------    d-----w-    c:\programdata\Battle.net
.
==================== Find3M  ====================
.
2013-12-22 18:28:59    8320    ----a-w-    c:\windows\system32\drivers\mskssrv.sys.bak
2013-12-20 15:53:38    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-12-20 15:53:38    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-10-22 13:58:49    50053120    ----a-w-    c:\program files\GUTB912.tmp
2013-10-22 13:56:57    1115136    ----a-w-    c:\windows\WBDIB44I.DLL
2013-10-22 13:56:43    53317    ----a-w-    c:\windows\wwreg34i.dll
2013-10-22 13:56:43    51781    ----a-w-    c:\windows\wilx44i.dll
2013-10-22 13:56:43    45125    ----a-w-    c:\windows\wsrch34i.dll
2013-10-22 13:56:43    28672    ----a-w-    c:\windows\P6Base64.dll
2013-10-22 13:56:43    16896    ----a-w-    c:\windows\witzsrch.dll
2013-10-22 13:56:43    118853    ----a-w-    c:\windows\WWLDB44I.DLL
2013-10-22 13:56:43    1162752    ----a-w-    c:\windows\WBDLA44I.DLL
2013-10-22 13:56:43    105029    ----a-w-    c:\windows\wwctl44i.dll
2013-10-14 14:34:36    303124    ----a-w-    c:\windows\system32\PGPlspRollback.reg
2013-10-14 14:30:14    126584    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2013-10-07 19:27:52    442    --sh--r-    C:\GASPID.SYS
.
=================== ROOTKIT  ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: TOSHIBA_ rev.MH00 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x83051000]<< >>UNKNOWN [0x8CF87000]<< >>UNKNOWN [0x8D00A000]<< >>UNKNOWN [0x840C9000]<< >>UNKNOWN [0x8301A000]<< >>UNKNOWN [0x8CA25000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL;  }
1 ntkrnlpa!IofCallDriver[0x83087BBA] -> \Device\Harddisk0\DR0[0x88F3B1E0]
\Driver\Disk[0x88F3AE30] -> IRP_MJ_CREATE -> 0x8CF8B39F
3 [0x8CF8B59E] -> ntkrnlpa!IofCallDriver[0x83087BBA] -> [0x86C25958]
\Driver\ACPI[0x8633D1B8] -> IRP_MJ_CREATE -> 0x840D24CC
5 [0x840D23D4] -> ntkrnlpa!IofCallDriver[0x83087BBA] -> \Device\Ide\IAAStorageDevice-1[0x86C26028]
\Driver\iaStor[0x86235430] -> IRP_MJ_CREATE -> 0x8CA4C8FA
kernel: MBR read successfully
_asm { JMP 0x4a;  }
user & kernel MBR OK
copy of MBR has been found in sector 6 !
copy of MBR has been found in sector 23 !
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 13:33:01.45 ===============
 


Welcome to the forum.

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Which system am I using?

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes and use the default font)

General P2P/Piracy Warning:

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

2. If you have illegal/cracked software, cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs.

<+>Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.

------->Your topic will be closed if you haven't replied within 3 days!<--------

(If I don't respond within 24 hours, please send me a PM)


Before I posted this thread, I tried running RogueKiller myself and I deleted the stuff found on this list... not sure if that will affect anything from here on.

 

RogueKiller V8.7.13 [Dec 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : PATH9371 [Admin rights]
Mode : Scan -- Date : 12/22/2013 13:29:33
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[sUSP PATH][DLL] rundll32.exe -- C:\Users\PATH9371\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll [7] -> rundll32.exe KILLED [TermProc]

¤¤¤ Registry Entries : 12 ¤¤¤
[RUN][sUSP PATH] HKCU\[...]\Run : BackgroundContainer ("C:\Windows\system32\Rundll32.exe" "C:\Users\PATH9371\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun [7][7][x]) -> FOUND
[RUN][sUSP PATH] HKCU\[...]\RunOnce : SpUninstallDeleteDir (rmdir /s /q "C:\Users\PATH0001\AppData\Roaming\SearchProtect" [x]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0xc0000033] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.94.0.1    client.openvpn.net
127.94.0.2    openvpn-client.as2.fos.westat.com


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) TOSHIBA MK3261GSYN +++++
--- User ---
[MBR] 1a4cbbc983e6ed0d6cc02190a1d9e08e
[bSP] 13e291a2d72c2d5f0269534689a9024b : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 890 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1824768 | Size: 304353 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_12222013_132933.txt >>



 

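Added example, not from this thread and not part of RogueKiller: a small Python triage script that reads registry-entry lines in the format of the RogueKiller log above and flags the two things a responder checks first. The first is an autorun (Run/RunOnce) entry that starts rundll32 with a DLL sitting under a user profile, which is exactly the Conduit BackgroundContainer persistence shown in the log: anything under C:\Users\<name>\AppData can be written without admin rights, so a DLL loaded from there by a signed Windows binary is a classic adware foothold. The second is the pair of UAC policy values reported at 0, which RogueKiller tags PUM (potentially unwanted modification) because they switch User Account Control off. The sample log lines are constructed from the entries posted above; the severity labels, regexes and function names are my own assumptions. Tags are matched case-insensitively because the forum pasted `[SUSP PATH]` as `[sUSP PATH]`.

```python
"""Triage helper for RogueKiller-style registry entries (added example).

Constructed for this thread; it is not part of RogueKiller. It parses lines
in the format of the log above and flags:
  * Run/RunOnce entries that start rundll32 with a DLL under a user profile
    (the Conduit BackgroundContainer persistence seen above),
  * other autoruns that point into a user profile, and
  * UAC policy values forced to 0 (EnableLUA, ConsentPromptBehaviorAdmin),
    which RogueKiller reports as PUM (potentially unwanted modification).
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the entries posted above. The forum pasted
# the tag as "[sUSP PATH]"; tags are therefore matched case-insensitively.
SAMPLE_LOG = """\
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\\[...]\\Run : BackgroundContainer ("C:\\Windows\\system32\\Rundll32.exe" "C:\\Users\\PATH9371\\AppData\\Local\\Conduit\\BackgroundContainer\\BackgroundContainer.dll",DllRun [7][7][x]) -> FOUND
[RUN][SUSP PATH] HKCU\\[...]\\RunOnce : SpUninstallDeleteDir (rmdir /s /q "C:\\Users\\PATH0001\\AppData\\Roaming\\SearchProtect" [x]) -> FOUND
[HJ POL][PUM] HKLM\\[...]\\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\\[...]\\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\\[...]\\Advanced : Start_ShowMyPics (0) -> FOUND
"""

# One "[CAT][SUB] HIVE\[...]\Key : Name (value) -> FOUND" line.
ENTRY = re.compile(
    r"^\[(?P<cat>[^\]]+)\]\[(?P<sub>[^\]]+)\]\s+"
    r"(?P<hive>HK\w+)\\\[\.\.\.\]\\(?P<key>\w+)\s*:\s*"
    r"(?P<name>\S+)\s+\((?P<value>.*)\)\s*->\s*FOUND\s*$",
    re.IGNORECASE,
)
# rundll32 followed by the DLL it is told to load.
RUNDLL_DLL = re.compile(r'rundll32\.exe"?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
# Anything under C:\Users\<name>\AppData is writable without admin rights.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin"}
AUTORUN_KEYS = {"run", "runonce"}


@dataclass
class Finding:
    severity: str   # "high" or "medium" (my own labels)
    key: str        # registry key name as RogueKiller prints it
    name: str       # value name
    reason: str


def parse_entries(text: str) -> list[dict]:
    """Return one dict per recognised registry entry line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(text: str) -> list[Finding]:
    """Rank the parsed entries; findings come back in log order."""
    findings = []
    for e in parse_entries(text):
        if e["key"].lower() in AUTORUN_KEYS:
            dll = RUNDLL_DLL.search(e["value"])
            if dll and USER_WRITABLE.search(dll.group("dll")):
                findings.append(Finding("high", e["key"], e["name"],
                    "rundll32 loads a DLL from a user profile: " + dll.group("dll")))
            elif USER_WRITABLE.search(e["value"]):
                findings.append(Finding("medium", e["key"], e["name"],
                    "autorun references a user-profile path"))
        elif (e["key"].lower() == "system" and e["name"] in UAC_VALUES
              and e["value"].strip() == "0"):
            findings.append(Finding("medium", e["key"], e["name"],
                "UAC policy disabled (value 0)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.key}\\{f.name}: {f.reason}")
```

The Start Menu `Start_Show*` entries in the same PUM category are deliberately not flagged: they are cosmetic Explorer settings that adware bundles sometimes change, but they carry no execution, which is why a responder reads the PUM block rather than deleting it wholesale.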

OK, we have to check for a rootkit infection first:
 

copy of MBR has been found in sector 6 !
copy of MBR has been found in sector 23 !
Warning: possible TDL3 rootkit infection !

 

 

Download Malwarebytes Anti-Rootkit from HERE
Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

 
To attach a log if needed:
 
Bottom right corner of this page.
reply1.jpg
 
New window that comes up.
replyer1.jpg
 
~~~~~~~~~~~~~~~~~~~~~~~
 
Note:
If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
Internet access
Windows Update
Windows Firewall
If there are additional problems with your system, such as any of those listed above or other system issues, then run the fixdamage tool included with Malwarebytes Anti-Rootkit and reboot. It's located in the Plugins folder which is in the MBAR folder.
 
Just run fixdamage.exe.
 
Verify that they are now functioning normally.
 
 
MrC
 
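Added example, not from this thread and not code from DDS, aswMBR, RogueKiller or any other tool used here: the lines MrC quoted ("copy of MBR has been found in sector 6 / 23") come from a heuristic of this kind, so the Python below shows how it works on a raw disk image. It hashes sector 0, then hashes the following sectors and reports any that are byte-identical, and it also decodes the classic MBR partition table so the layout can be compared with what RogueKiller printed (first partition at LBA 2048, 890 MB; second at LBA 1824768). The disk image is constructed inline with those exact values; the function names, the 64-sector search window and the fake boot code are my own assumptions. A hit is a reason to run a rootkit scanner, as MrC did, not proof of a bootkit: some backup and OEM tools keep an MBR copy, and the scans in this thread came back clean.

```python
"""MBR copy and partition-table check on a raw disk image (added example).

Constructed for this thread; it is not code from DDS, aswMBR, RogueKiller or
any tool used here. The quoted lines "copy of MBR has been found in sector
6 / 23" come from a heuristic of this kind: hash sector 0, then hash the
following sectors and report any that are byte-identical. A hit is a
reason to run a rootkit scanner, not proof of a bootkit: some backup and
OEM tools keep an MBR copy, and the scans in this thread came back clean.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"
PT_OFFSET = 446               # start of the four 16-byte partition entries
ENTRY_FMT = "<B3xB3xII"       # status, (CHS), type, (CHS), LBA start, sector count


def parse_partition_table(mbr: bytes) -> list[dict]:
    """Decode the non-empty entries of a classic (non-GPT) MBR partition table."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if ptype == 0:
            continue          # unused slot
        parts.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return parts


def mbr_copies(image: bytes, max_sectors: int = 64) -> tuple[bool, list[int]]:
    """Return (sector 0 carries the 0x55AA signature, sectors identical to sector 0).

    Only the first max_sectors (an assumed window) are examined; that is where
    tools report copies, and it keeps the scan cheap on a real image.
    """
    if len(image) < SECTOR:
        raise ValueError("image shorter than one sector")
    mbr = image[:SECTOR]
    reference = hashlib.sha256(mbr).digest()
    copies = []
    for n in range(1, min(max_sectors, len(image) // SECTOR)):
        sector = image[n * SECTOR:(n + 1) * SECTOR]
        if hashlib.sha256(sector).digest() == reference:
            copies.append(n)
    return mbr[510:512] == BOOT_SIGNATURE, copies


def build_sample_image(copy_at=(6, 23), sectors=32) -> bytes:
    """Constructed 32-sector image: fake (non-executable) boot code, the layout
    from the RogueKiller output above (890 MB at LBA 2048, 304353 MB at
    LBA 1824768), and the MBR duplicated at the sectors named in copy_at."""
    mbr = bytearray(SECTOR)
    code = b"FAKE-BOOTCODE-NOT-EXECUTABLE"
    mbr[:len(code)] = code
    # 890 MB = 1822720 sectors, so partition 2 starts at 2048 + 1822720 = 1824768,
    # which is exactly the offset RogueKiller printed for it.
    struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET, 0x80, 0x07, 2048, 1822720)
    struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16, 0x00, 0x07, 1824768, 623314944)
    mbr[510:512] = BOOT_SIGNATURE
    image = bytearray(sectors * SECTOR)
    image[:SECTOR] = mbr
    for n in copy_at:
        image[n * SECTOR:(n + 1) * SECTOR] = mbr
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    has_sig, copies = mbr_copies(img)
    print("boot signature:", has_sig, "| MBR copies in sectors:", copies)
    for p in parse_partition_table(img[:SECTOR]):
        print(p)
```

On a real system the image would be the first few hundred sectors of `\\.\PhysicalDrive0` read with administrative rights; the useful cross-check is that the partition table decoded from sector 0 agrees with what the OS and the scanners report, since a bootkit that hooks disk reads typically shows a clean table to the OS while the on-disk MBR differs.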

Try this one:

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

    image000q.png

  • Put a checkmark beside loaded modules.

    2012081514h0118.png

  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.

    clip.jpg

  • Click the Start Scan button.

    19695967.jpg

  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    67776163.jpg

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    62117367.jpg

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose

Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

reply1.jpg

New window that comes up.

replyer1.jpg

MrC


Clean, run this one just to be sure:

Download aswMBR to your desktop.

http://public.avast.com/~gmerek/aswMBR.exe

Double click the aswMBR.exe to run it.

If you see this question: "Would you like to download latest Avast! virus definitions?" say "NO".

Click the "Scan" button to start scan.

On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

MrC


ListParts by Farbar Version: 20-10-2013
Ran by PATH9371 (administrator) on 22-12-2013 at 15:55:42
Windows 7 (X86)
Running From: C:\Users\PATH9371\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 48%
Total physical RAM: 3454.54 MB
Available physical RAM: 1768.81 MB
Total Pagefile: 6907.36 MB
Available Pagefile: 4936.29 MB
Total Virtual: 2047.88 MB
Available Virtual: 1956.06 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:297.22 GB) (Free:217.1 GB) NTFS

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          298 GB      0 B         

Partitions of Disk 0:
===============

Disk ID: F06CBE60

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            890 MB  1024 KB
  Partition 2    Primary            297 GB   891 MB

======================================================================================================

Disk: 0
Partition 1
Type  : 07
Hidden: No
Active: Yes

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 1         System Rese  NTFS   Partition    890 MB  Healthy    System (partition with boot components)  

======================================================================================================

Disk: 0
Partition 2
Type  : 07
Hidden: No
Active: No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 2     C                NTFS   Partition    297 GB  Healthy    Boot    

======================================================================================================
============================== MBR Partition Table ==================

==============================
Partitions of Disk 0:
===============
Disk ID: F06CBE60
Partition 1: (Active) - (Size=890 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=297 GB) - (Type=07 NTFS)


****** End Of Log ******


OK, that looks good. I'm satisfied you're OK.

Let's clean out any adware/spyware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

Make sure you click on download buttons that look similar to this, not "sponsored ad links":

bleep-crop.jpg

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how computer is running now, MrC


# AdwCleaner v3.015 - Report created 22/12/2013 at 16:08:26
# Updated 10/12/2013 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : PATH9371 - A57694
# Running from : C:\Users\PATH9371\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Conduit
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\TornTV.com
Folder Deleted : C:\Program Files\WhiteSmoke_New_1.2
Folder Deleted : C:\Users\PATH0001\AppData\Local\NativeMessaging
Folder Deleted : C:\Users\PATH0001\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\PATH9371\AppData\Local\Conduit
Folder Deleted : C:\Users\PATH9371\AppData\Local\SwvUpdater
Folder Deleted : C:\Users\PATH9371\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\PATH9371\AppData\LocalLow\WhiteSmoke_New_1.2
Folder Deleted : C:\Users\PATH9371\AppData\Roaming\Searchprotect
Folder Deleted : C:\Users\PATH9371\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TornTV.com
File Deleted : C:\END
File Deleted : C:\Users\PATH9371\AppData\Roaming\Mozilla\Firefox\Profiles\p4v4umcs.default\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\conduit.com
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3316751
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [ConduitFloatingPlugin_kepfgejmidkmoiimkfdjocdjhbcpmlmg]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8F02605D-BE4E-41BA-BD00-C39A59C46919}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D293AA9C-1992-4CF3-9639-9759EA77B57F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8F02605D-BE4E-41BA-BD00-C39A59C46919}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F02605D-BE4E-41BA-BD00-C39A59C46919}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D293AA9C-1992-4CF3-9639-9759EA77B57F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8F02605D-BE4E-41BA-BD00-C39A59C46919}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D293AA9C-1992-4CF3-9639-9759EA77B57F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D293AA9C-1992-4CF3-9639-9759EA77B57F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EF79487A-3695-465E-A96F-13F71D48384F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8BC2231B-7710-4F21-8E21-61FE24FBE310}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{8F02605D-BE4E-41BA-BD00-C39A59C46919}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{8F02605D-BE4E-41BA-BD00-C39A59C46919}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{8F02605D-BE4E-41BA-BD00-C39A59C46919}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{8F02605D-BE4E-41BA-BD00-C39A59C46919}]
Key Deleted : HKCU\Software\1ClickDownload
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\BackgroundContainer
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\WhiteSmoke_New_1.2
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\WhiteSmoke_New_1.2
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16490

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [start Page]

-\\ Mozilla Firefox v26.0 (en-US)

[ File : C:\Users\PATH9371\AppData\Roaming\Mozilla\Firefox\Profiles\p4v4umcs.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [5212 octets] - [22/12/2013 16:06:50]
AdwCleaner[s0].txt - [5119 octets] - [22/12/2013 16:08:26]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [5179 octets] ##########
 


Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.23.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
PATH9371 :: A57694 [administrator]

12/22/2013 9:02:44 PM
mbam-log-2013-12-22 (21-02-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 353101
Time elapsed: 12 minute(s), 2 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 10
C:\Users\PATH9371\AppData\Local\Temp\nsx49D2.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\PATH9371\Downloads\World_of_Warcraft_Client_3.3.exe (PUP.Optional.OneClickDownloader.A) -> Quarantined and deleted successfully.
C:\Users\PATH9371\Local Settings\Temporary Internet Files\Content.IE5\ORTBLG3R\checktbexist[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\PATH9371\Local Settings\Temporary Internet Files\Content.IE5\ORTBLG3R\Setup[1].exe (PUP.Optional.SecretSauce.A) -> Quarantined and deleted successfully.
C:\Users\PATH9371\Local Settings\Temporary Internet Files\Content.IE5\ORTBLG3R\statisticsstub[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\PATH9371\Local Settings\Temporary Internet Files\Content.IE5\ORTBLG3R\whitesmoke_new_1.2[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\PATH9371\Local Settings\Temporary Internet Files\Content.IE5\ORTBLG3R\WhiteSmoke_New_1_2[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\PATH9371\Local Settings\Temporary Internet Files\Content.IE5\U6O7R0QB\conduitinstaller[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\PATH9371\Local Settings\Temporary Internet Files\Content.IE5\U6O7R0QB\SPSetup[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\PATH9371\Local Settings\Temporary Internet Files\Content.IE5\U6O7R0QB\WhiteSmoke_New_1.2[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)
 


OK.....

A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

cf2.jpg

Then hit enter.

This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Please download OTC to your desktop. (This will clean up most of the tools and logs)

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.

Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete. (right click.....Delete)

i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc.... AdwCleaner > just run the program and click uninstall.

Note:

If you used FRST and can't delete the quarantine folder:

Download the fixlist.txt to the same folder as FRST.exe.

Run FRST.exe and click Fix only once and wait

That will delete the quarantine folder created by FRST.

The rest you can manually delete.

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

