
PUP.Optional.OpenCandy



Hi and Welcome!!   
 
My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and the loss of all your programs and data.

 
Having said that.... Let's get going!!
----------
 

Please download DDS from either of these links
 
LINK 1
LINK 2
 
and save it to your desktop.

  • Disable any antivirus programs during the scan (If you have difficulty properly disabling your protective programs, refer to this link here)
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:
 
DDS.txt
 
Attach.txt
----------
 

AdwCleaner
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

----------
 

Please download TDSSKiller

  • Double click TDSSKiller.exe
  • Press Start Scan but do nothing else as we are just looking for what is there.
  • If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

----------


Hello fellow Tennessean!! 
 
No...if TDSSKiller came back clean don't worry about it.   :)

----------
 
ComboFix
 
Download Combofix from either of the links below, and save it to your desktop.  
Link 1
Link 2
 
**Note: It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


 
--------------------------------------------------------------------
 
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
 
--------------------------------------------------------------------
 
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

Hey there! I wasn't aware of you being from TN too. That's cool. Here's the file from the ComboFix deal.

Yep.....in Cookeville.   :)

 

Do these steps in order please....

 

ComboFix

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    ClearJavaCache::

    Firefox::
    FF - ProfilePath - c:\users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\61f5rfgd.default\
    FF - user.js: extensions.delta.tlbrSrchUrl -
    FF - user.js: extensions.delta.id - 2c47654d000000000000000000000000
    FF - user.js: extensions.delta.appId - {C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
    FF - user.js: extensions.delta.instlDay - 15780
    FF - user.js: extensions.delta.vrsn - 1.8.10.0
    FF - user.js: extensions.delta.vrsni - 1.8.10.0
    FF - user.js: extensions.delta.vrsnTs - 1.8.10.016:11
    FF - user.js: extensions.delta.prtnrId - delta
    FF - user.js: extensions.delta.prdct - delta
    FF - user.js: extensions.delta.aflt - babsst
    FF - user.js: extensions.delta.smplGrp - none
    FF - user.js: extensions.delta.tlbrId - base
    FF - user.js: extensions.delta.instlRef - sst
    FF - user.js: extensions.delta.dfltLng - en
    FF - user.js: extensions.delta.excTlbr - false
    FF - user.js: extensions.delta.admin - false
    FF - user.js: extensions.delta.autoRvrt - false
    FF - user.js: extensions.delta.rvrt - false
    FF - user.js: extensions.delta.newTab - false

    Folder::
    c:\users\Bethany\AppData\Roaming\OpenCandy

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    [screenshot: CFScript.txt being dragged onto ComboFix.exe]

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

----------

 

AdwCleaner

 

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • This time, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

------------

 

Post the new logs made and let me know how your computer is running now.   :)

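The CFScript above hands ComboFix a list of Delta toolbar preferences (extensions.delta.*) to clear from user.js, and the AdwCleaner results posted later in the thread strip Conduit preferences (CT2612669.*) from prefs.js. As an added example that is not part of this thread and not code from ComboFix, AdwCleaner or any other tool used here, the Python script below does the read-only half of that job: it parses a Firefox user.js/prefs.js and reports every preference under a known PUP prefix, so a responder can see what a toolbar left behind before deciding what to remove. The prefix tuple, the function names and the report layout are my own assumptions, and the sample user.js is constructed from values that appear in this thread mixed with ordinary Firefox prefs.

```python
import re
from typing import Dict, List, Tuple

# Preference-name prefixes tied to the PUPs in this thread: the Delta toolbar
# (extensions.delta.*, cleared by the CFScript) and the Conduit toolbar
# (CT2612669.*, removed from prefs.js by AdwCleaner). Assumption: a responder
# extends this tuple with whatever other families they recognise.
PUP_PREF_PREFIXES: Tuple[str, ...] = ("extensions.delta.", "CT2612669.")

# A user.js / prefs.js entry looks like:  user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text: str) -> Dict[str, str]:
    """Map every user_pref() line in text to its raw (still quoted) value."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def find_pup_prefs(text: str, prefixes=PUP_PREF_PREFIXES) -> Dict[str, str]:
    """Only the preferences whose name starts with a known PUP prefix."""
    prefixes = tuple(prefixes)
    return {name: value for name, value in parse_prefs(text).items()
            if name.startswith(prefixes)}


def pup_families(text: str, prefixes=PUP_PREF_PREFIXES) -> List[str]:
    """Which PUP families are present, in the order the prefix list gives them."""
    hits = find_pup_prefs(text, prefixes)
    return [p for p in prefixes if any(name.startswith(p) for name in hits)]


def report(text: str, prefixes=PUP_PREF_PREFIXES) -> str:
    """Human-readable summary: one line per family, one indented line per hit."""
    hits = find_pup_prefs(text, prefixes)
    if not hits:
        return "no known PUP preferences found"
    lines = []
    for family in pup_families(text, prefixes):
        count = sum(n.startswith(family) for n in hits)
        lines.append(f"{family}* ({count} entries)")
        lines.extend(f"  {n} = {hits[n]}" for n in sorted(hits) if n.startswith(family))
    return "\n".join(lines)


# Constructed sample user.js: benign prefs mixed with entries copied from the
# CFScript and the AdwCleaner log in this thread.
SAMPLE_USER_JS = '''\
user_pref("browser.startup.homepage", "about:blank");
user_pref("extensions.delta.id", "2c47654d000000000000000000000000");
user_pref("extensions.delta.prtnrId", "delta");
user_pref("extensions.delta.newTab", false);
user_pref("CT2612669.CTID", "CT2612669");
user_pref("network.cookie.cookieBehavior", 1);
'''

if __name__ == "__main__":
    print(report(SAMPLE_USER_JS))
```

On a real machine the text passed to report() would be read from the user.js and prefs.js in the profile folder that the ComboFix log names (Profiles\61f5rfgd.default). The script only reads and reports; actual removal still goes through the supervised tool steps in this thread, since the Firefox:: section of the CFScript and AdwCleaner's Clean run are what rewrite those files.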

COMBOFIX TXT

 

 

ComboFix 14-01-29.01 - Bethany 01/30/2014  20:23:46.2.2 - x86

Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1982.989 [GMT -6:00]
Running from: c:\users\Bethany\Desktop\ComboFix.exe
Command switches used :: c:\users\Bethany\Desktop\CFScript.txt
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Bethany\AppData\Roaming\OpenCandy
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-28 to 2014-01-31  )))))))))))))))))))))))))))))))
.
.
2014-01-31 02:40 . 2014-01-31 02:40 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2014-01-31 02:40 . 2014-01-31 02:40 -------- d-----w- c:\users\TEMP.home\AppData\Local\temp
2014-01-31 02:40 . 2014-01-31 02:40 -------- d-----w- c:\users\Guest\AppData\Local\temp
2014-01-31 02:40 . 2014-01-31 02:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-01-30 05:45 . 2014-01-30 05:45 -------- d-----w- c:\users\Bethany\voip
2014-01-30 05:28 . 2014-01-30 05:36 -------- d-----w- c:\users\Bethany\AppData\Roaming\ICQ-Profile
2014-01-30 05:28 . 2014-01-30 05:28 -------- d-----w- c:\users\Bethany\AppData\Roaming\ICQM
2014-01-30 02:30 . 2013-12-19 03:10 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-01-29 22:09 . 2014-01-29 22:11 -------- d-----w- C:\AdwCleaner
2014-01-29 00:17 . 2014-01-29 00:17 -------- d-----w- c:\programdata\Yahoo! Companion
2014-01-29 00:17 . 2014-01-29 00:18 -------- d-----w- c:\users\Bethany\AppData\Roaming\Yahoo!
2014-01-28 23:59 . 2014-01-29 00:17 -------- d-----w- c:\program files\Yahoo!
2014-01-18 23:18 . 2014-01-18 23:18 -------- d-----w- c:\users\Bethany\AppData\Local\FreemakeVideoConverter
2014-01-18 22:57 . 2014-01-19 00:43 -------- d-----w- c:\programdata\Freemake
2014-01-18 22:57 . 2014-01-19 00:43 -------- d-----w- c:\program files\Freemake
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 01:18 . 2012-05-12 00:57 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-11 01:18 . 2011-07-06 03:49 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-19 01:20 . 2013-03-28 04:26 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-11-14 22:50 . 2013-12-12 03:22 1806848 ----a-w- c:\windows\system32\jscript9.dll
2013-11-14 22:42 . 2013-12-12 03:22 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-11-14 22:42 . 2013-12-12 03:22 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-11-14 22:38 . 2013-12-12 03:22 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-11-14 22:38 . 2013-12-12 03:22 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-11-14 22:35 . 2013-12-12 03:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-11-06 03:50 . 2013-11-06 03:50 120600 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-11-05 03:57 . 2013-11-05 03:57 209176 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2008-02-20 16:37 . 2008-02-20 16:30 14603672 ----a-w- c:\program files\jre-6u3-windows-i586-p-s.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn0\yt.dll" [2013-08-07 1561880]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2014-01-09 03:11 3349528 ----a-w- c:\program files\AVG SafeGuard toolbar\17.3.0.49\AVG SafeGuard toolbar_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG SafeGuard toolbar\17.3.0.49\AVG SafeGuard toolbar_toolbar.dll" [2014-01-09 3349528]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG SafeGuard toolbar.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG SafeGuard toolbar.PugiObj]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Bethany\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Bethany\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Bethany\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MobiLink 3"="c:\program files\Novatel Wireless\MobiLink3\MobiLink3.exe" [2010-07-29 1923920]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]
"icq"="c:\users\Bethany\AppData\Roaming\ICQM\icq.exe" [2014-01-30 33664344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 55824]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-03-09 283792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-11-08 4956176]
"vProt"="c:\program files\AVG SafeGuard toolbar\vprot.exe" [2014-01-09 2486296]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 01:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-29 00:59 1211672 ----a-w- c:\program files\Google\Chrome\Application\32.0.1700.102\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 01:18]
.
2014-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-19 03:08]
.
2014-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-19 03:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: juno.com
TCP: Interfaces\{0F144C87-387F-4B84-8E5A-8C072711703E}: NameServer = 204.117.214.10 8.8.8.8
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\17.3.0\ViProtocol.dll
FF - ProfilePath - c:\users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\61f5rfgd.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.search.selectedEngine - SafeSearch
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-01-30 20:40
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3452)
c:\users\Bethany\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
Completion time: 2014-01-30  20:43:18
ComboFix-quarantined-files.txt  2014-01-31 02:43
ComboFix2.txt  2014-01-30 00:44
.
Pre-Run: 115,096,129,536 bytes free
Post-Run: 116,646,641,664 bytes free
.
- - End Of File - - FEFD655F955D84480BC426C684C84170
1A1A06F62E891045814007163C1C76C3
 
 
......................................................................................................................................
 
ADWCLEANER RESULTS
 
 
# AdwCleaner v3.018 - Report created 30/01/2014 at 21:43:31
# Updated 28/01/2014 by Xplode
# Operating System : Windows Vista Home Premium Service Pack 2 (32 bits)
# Username : Bethany - HOME
# Running from : C:\Users\Bethany\Desktop\Tracy Stuff\bs\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\Viewpoint
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Viewpoint
Folder Deleted : C:\Program Files\Windows iLivid Toolbar
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Program Files\Common Files\Software Update Utility
Folder Deleted : C:\Program Files\Common Files\spigot
Folder Deleted : C:\Users\Bethany\AppData\Local\Bundled software uninstaller
Folder Deleted : C:\Users\Bethany\AppData\Local\Conduit
Folder Deleted : C:\Users\Bethany\AppData\Local\Ilivid Player
Folder Deleted : C:\Users\Bethany\AppData\Local\Lucky Savings
Folder Deleted : C:\Users\Bethany\AppData\Local\PackageAware
Folder Deleted : C:\Users\Bethany\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Bethany\AppData\LocalLow\searchquband
Folder Deleted : C:\Users\Bethany\AppData\Roaming\iWin
Folder Deleted : C:\Users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\61f5rfgd.default\ConduitCommon
Folder Deleted : C:\Users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\61f5rfgd.default\CT2612669
Folder Deleted : C:\Users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\61f5rfgd.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
Folder Deleted : C:\Program Files\Mozilla Firefox\Extensions\ffxtlbr@babylon.com
Folder Deleted : C:\Users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\61f5rfgd.default\Extensions\{90b49673-5506-483e-b92b-ca0265bd9ca8}
File Deleted : C:\Users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\61f5rfgd.default\Extensions\wtxpcom@mybrowserbar.com
File Deleted : C:\Users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\hoqwg7xb.default\Extensions\wtxpcom@mybrowserbar.com
File Deleted : C:\Program Files\Mozilla Firefox\.autoreg
File Deleted : C:\Users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\61f5rfgd.default\bProtector_extensions.rdf
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.dll
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnu.xpt
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
File Deleted : C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.xpt
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\Babylon.xml
File Deleted : C:\Users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\61f5rfgd.default\searchplugins\delta.xml
File Deleted : C:\Users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\61f5rfgd.default\searchplugins\Search_Results.xml
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\Search_Results.xml
File Deleted : C:\Users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\61f5rfgd.default\user.js
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@viewpoint.com/VMP
Key Deleted : HKCU\Software\5955dadeb239e815
Key Deleted : HKLM\SOFTWARE\5955dadeb239e815
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2612669
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{76C45B18-A29E-43EA-AAF8-AF55C2E1AE17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{96EF404C-24C7-43D0-9096-4CCC8BB7CCAC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97720195-206A-42AE-8E65-260B9BA5589F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{986F7A5A-9676-47E1-8642-F41F8C3FCF82}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B18788A4-92BD-440E-A4D1-380C36531119}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\BI
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings
Key Deleted : HKCU\Software\AppDataLow\Software\searchqutoolbar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\MetaStream
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ViewpointMediaPlayer
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16526
 
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\SearchUrl []
 
-\\ Mozilla Firefox v3.6.15 (en-US)
 
[ File : C:\Users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\61f5rfgd.default\prefs.js ]
 
Line Deleted : user_pref("CT2612669..clientLogIsEnabled", false);
Line Deleted : user_pref("CT2612669.ALLOW_SHOWING_HIDDEN_TOOLBAR", false);
Line Deleted : user_pref("CT2612669.AppTrackingLastCheckTime", "Fri Nov 23 2012 20:35:55 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.BrowserCompStateIsOpen_129482420034282070", true);
Line Deleted : user_pref("CT2612669.BrowserCompStateIsOpen_129683190780749804", true);
Line Deleted : user_pref("CT2612669.CTID", "CT2612669");
Line Deleted : user_pref("CT2612669.CurrentServerDate", "24-11-2012");
Line Deleted : user_pref("CT2612669.DSInstall", false);
Line Deleted : user_pref("CT2612669.DialogsAlignMode", "LTR");
Line Deleted : user_pref("CT2612669.DialogsGetterLastCheckTime", "Fri Nov 23 2012 20:36:22 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.DownloadReferralCookieData", "");
Line Deleted : user_pref("CT2612669.FeedLastCount129206864782289142", 20);
Line Deleted : user_pref("CT2612669.FeedPollDate129206864782914144", "Thu Feb 23 2012 15:57:57 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.FeedTTL129206864782914144", 40);
Line Deleted : user_pref("CT2612669.FirstServerDate", "24-2-2012");
Line Deleted : user_pref("CT2612669.FirstTime", true);
Line Deleted : user_pref("CT2612669.FirstTimeFF3", true);
Line Deleted : user_pref("CT2612669.FixPageNotFoundErrors", true);
Line Deleted : user_pref("CT2612669.GroupingServerCheckInterval", 1440);
Line Deleted : user_pref("CT2612669.HPInstall", false);
Line Deleted : user_pref("CT2612669.HasUserGlobalKeys", true);
Line Deleted : user_pref("CT2612669.HomePageProtectorEnabled", false);
Line Deleted : user_pref("CT2612669.Initialize", true);
Line Deleted : user_pref("CT2612669.InitializeCommonPrefs", true);
Line Deleted : user_pref("CT2612669.InstallationAndCookieDataSentCount", 3);
Line Deleted : user_pref("CT2612669.InstallationId", "ConduitNSISIntegration");
Line Deleted : user_pref("CT2612669.InstallationType", "ConduitXPEIntegration");
Line Deleted : user_pref("CT2612669.InstalledDate", "Thu Feb 23 2012 15:57:32 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.IsAlertDBUpdated", true);
Line Deleted : user_pref("CT2612669.IsGrouping", false);
Line Deleted : user_pref("CT2612669.IsInitSetupIni", true);
Line Deleted : user_pref("CT2612669.IsMulticommunity", false);
Line Deleted : user_pref("CT2612669.IsOpenThankYouPage", false);
Line Deleted : user_pref("CT2612669.IsOpenUninstallPage", true);
Line Deleted : user_pref("CT2612669.LanguagePackLastCheckTime", "Fri Nov 23 2012 20:35:52 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.LanguagePackReloadIntervalMM", 1440);
Line Deleted : user_pref("CT2612669.LastLogin_3.9.0.3", "Fri Nov 23 2012 20:35:47 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.LatestVersion", "3.16.0.3");
Line Deleted : user_pref("CT2612669.Locale", "en");
Line Deleted : user_pref("CT2612669.MCDetectTooltipHeight", "83");
Line Deleted : user_pref("CT2612669.MCDetectTooltipShow", false);
Line Deleted : user_pref("CT2612669.MCDetectTooltipWidth", "295");
Line Deleted : user_pref("CT2612669.MyStuffEnabledAtInstallation", false);
Line Deleted : user_pref("CT2612669.OriginalFirstVersion", "3.9.0.3");
Line Deleted : user_pref("CT2612669.SearchBackToDefaultEngine", false);
Line Deleted : user_pref("CT2612669.SearchCaption", "IMVU Inc Customized Web Search");
Line Deleted : user_pref("CT2612669.SearchEngineBeforeUnload", "Search Results");
Line Deleted : user_pref("CT2612669.SearchFromAddressBarIsInit", true);
Line Deleted : user_pref("CT2612669.SearchInNewTabEnabled", true);
Line Deleted : user_pref("CT2612669.SearchInNewTabIntervalMM", 1440);
Line Deleted : user_pref("CT2612669.SearchInNewTabLastCheckTime", "Fri Nov 23 2012 20:35:42 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.SearchInNewTabUserEnabled", false);
Line Deleted : user_pref("CT2612669.SearchProtectorEnabled", false);
Line Deleted : user_pref("CT2612669.SearchProtectorToolbarDisabled", false);
Line Deleted : user_pref("CT2612669.SendProtectorDataViaLogin", true);
Line Deleted : user_pref("CT2612669.ServiceMapLastCheckTime", "Fri Nov 23 2012 20:35:43 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.SettingsLastCheckTime", "Fri Nov 23 2012 20:35:41 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.SettingsLastUpdate", "1352141592");
Line Deleted : user_pref("CT2612669.ThirdPartyComponentsInterval", 504);
Line Deleted : user_pref("CT2612669.ThirdPartyComponentsLastCheck", "Fri Nov 23 2012 20:35:41 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.ThirdPartyComponentsLastUpdate", "1331805997");
Line Deleted : user_pref("CT2612669.ToolbarShrinkedFromSetup", false);
Line Deleted : user_pref("CT2612669.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,client.conduit-storage.com,OurToolbar.com,CommunityToolbars.com,ForumToolbar.com,MyBlogToolbar.com,MyCity[...]
Line Deleted : user_pref("CT2612669.UserID", "UN15089125649118096");
Line Deleted : user_pref("CT2612669.alertChannelId", "1005466");
Line Deleted : user_pref("CT2612669.approveUntrustedApps", true);
Line Deleted : user_pref("CT2612669.backendstorage.2612669a129684723478947121000000paramsgk3", "7B2275706461746552657154696D65223A313333303033343236333532322C227570646174655265737054696D65223A31333330303334323638323[...]
Line Deleted : user_pref("CT2612669.backendstorage.cbcountry_000", "5553");
Line Deleted : user_pref("CT2612669.backendstorage.cbfirsttime", "5468752046656220323320323031322031353A35383A313220474D542D30363030202843656E7472616C205374616E646172642054696D6529");
Line Deleted : user_pref("CT2612669.backendstorage.shoppingapp.gk.exipres", "576564204D617920323320323031322030383A35353A333920474D542D30353030202843656E7472616C204461796C696768742054696D6529");
Line Deleted : user_pref("CT2612669.backendstorage.shoppingapp.gk.geolocation", "756E6974656420737461746573");
Line Deleted : user_pref("CT2612669.backendstorage.url_history0001", "687474703A2F2F7777772E66616365626F6F6B2E636F6D2F6C2E7068703F753D687474702533412532462532466162632E736F617073696E64657074682E636F6D253246323031322[...]
Line Deleted : user_pref("CT2612669.components.129174085518698803", false);
Line Deleted : user_pref("CT2612669.components.129185927686343262", false);
Line Deleted : user_pref("CT2612669.components.129206864782289142", false);
Line Deleted : user_pref("CT2612669.components.129296598392950474", false);
Line Deleted : user_pref("CT2612669.components.129482420034282070", false);
Line Deleted : user_pref("CT2612669.components.129683190780749804", false);
Line Deleted : user_pref("CT2612669.components.129684723478947121", false);
Line Deleted : user_pref("CT2612669.globalFirstTimeInfoLastCheckTime", "Fri Nov 23 2012 20:35:47 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.homepageProtectorEnableByLogin", true);
Line Deleted : user_pref("CT2612669.initDone", true);
Line Deleted : user_pref("CT2612669.isAppTrackingManagerOn", true);
Line Deleted : user_pref("CT2612669.myStuffEnabled", true);
Line Deleted : user_pref("CT2612669.myStuffPublihserMinWidth", 400);
Line Deleted : user_pref("CT2612669.myStuffServiceIntervalMM", 1440);
Line Deleted : user_pref("CT2612669.oldAppsList", "129170380618247103,129170380618247104,111,129174085518698803,129185927686343262,129684723478947121,129206864782289142,129482420034282070,129683190780749804,1000034,[...]
Line Deleted : user_pref("CT2612669.revertSettingsEnabled", false);
Line Deleted : user_pref("CT2612669.searchProtectorDialogDelayInSec", 10);
Line Deleted : user_pref("CT2612669.searchProtectorEnableByLogin", true);
Line Deleted : user_pref("CT2612669.testingCtid", "");
Line Deleted : user_pref("CT2612669.toolbarAppMetaDataLastCheckTime", "Fri Nov 23 2012 20:35:45 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.toolbarContextMenuLastCheckTime", "Fri Nov 23 2012 20:35:45 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CT2612669.usagesFlag", 2);
Line Deleted : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.9.0.3");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2612669");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2612669");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList4", "CT2612669");
Line Deleted : user_pref("CommunityToolbar.globalUserId", "934492a0-6cd2-444a-97e5-83d5237c2925");
Line Deleted : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
Line Deleted : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
Line Deleted : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Fri Nov 23 2012 20:36:15 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.alertInfoInterval", 60);
Line Deleted : user_pref("CommunityToolbar.notifications.alertInfoLastCheckTime", "Fri Nov 23 2012 20:35:52 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.locale", "en");
Line Deleted : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440);
Line Deleted : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Fri Nov 23 2012 20:35:43 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1313487611");
Line Deleted : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20);
Line Deleted : user_pref("CommunityToolbar.notifications.showTrayIcon", false);
Line Deleted : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300);
Line Deleted : user_pref("CommunityToolbar.notifications.userId", "90f0c544-6deb-4783-8fbd-ba5d0ad4bdd4");
Line Deleted : user_pref("CommunityToolbar.originalSearchEngine", "Search Results");
Line Deleted : user_pref("CommunityToolbar.twitter.user_20566976.LastCheckTime", "Thu Feb 23 2012 15:57:36 GMT-0600 (Central Standard Time)");
Line Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Line Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");
 
[ File : C:\Users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\hoqwg7xb.default\prefs.js ]
 
Line Deleted : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Line Deleted : user_pref("browser.search.selectedEngine", "AVG Secure Search");
 
-\\ Google Chrome v32.0.1700.102
 
[ File : C:\Users\Bethany\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [28980 octets] - [29/01/2014 16:09:51]
AdwCleaner[R1].txt - [28145 octets] - [30/01/2014 20:44:58]
AdwCleaner[s0].txt - [28663 octets] - [30/01/2014 21:43:31]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [28724 octets] ##########
 

AdwCleaner, a few moments after I click Scan, stops and says "Pending. Please uncheck elements you don't want to remove." What am I supposed to do here?

I see you got that sorted.  :)  Well done.

 

How is your system running now?  


Hi,
 
Let's take a look.
 
Open Malwarebytes, update it and then run a Quick Scan.  Post the log that is created.  
 
-----------------------------
 
ESET Online Scanner
 
Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut and select Run as Administrator.

  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.

----------


MBAM LOG

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.02.01.01
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Bethany :: HOME [administrator]
 
1/31/2014 10:41:40 PM
mbam-log-2014-01-31 (22-41-40).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 279302
Time elapsed: 15 minute(s), 51 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
ESET LOG TXT
 
 
C:\AdwCleaner\Quarantine\C\Program Files\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll.vir Win32/Toolbar.SearchSuite application
C:\AdwCleaner\Quarantine\C\Program Files\Windows iLivid Toolbar\Datamngr\datamngr.dll.vir Win32/Toolbar.SearchSuite application
C:\AdwCleaner\Quarantine\C\Program Files\Windows iLivid Toolbar\Datamngr\datamngrUI.exe.vir Win32/Toolbar.SearchSuite application
C:\AdwCleaner\Quarantine\C\Program Files\Windows iLivid Toolbar\Datamngr\DnsBHO.dll.vir Win32/Toolbar.SearchSuite application
C:\AdwCleaner\Quarantine\C\Program Files\Windows iLivid Toolbar\Datamngr\IEBHO.dll.vir Win32/Toolbar.SearchSuite application
C:\AdwCleaner\Quarantine\C\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe.vir probably a variant of Win32/Toolbar.Visicom.C application
C:\AdwCleaner\Quarantine\C\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchquband.dll.vir a variant of Win32/Toolbar.Visicom.A application
C:\AdwCleaner\Quarantine\C\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll.vir a variant of Win32/Toolbar.Visicom.B application
C:\Users\Bethany\Desktop\Tracy Stuff\bs\AVGSecureSearchInstaller.exe a variant of Win32/OpenInstall application
C:\Users\Bethany\Desktop\Tracy Stuff\bs\YTDSetup.exe multiple threats
C:\Users\Bethany\Desktop\Tracy Stuff\Vid Stuff\RPG.exe a variant of Win32/Toolbar.Widgi.B application
C:\Users\Bethany\Desktop\Tracy Stuff\Vid Stuff\S.exe a variant of Win32/Toolbar.Widgi application
C:\Users\Bethany\Downloads\GameSetup-dm.exe a variant of Win32/Adware.Trymedia.A application

Hi,
 
Great job!!
 
ComboFix

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    ClearJavaCache::
     
    File::
    C:\Users\Bethany\Desktop\Tracy Stuff\bs\YTDSetup.exe 
    C:\Users\Bethany\Desktop\Tracy Stuff\Vid Stuff\RPG.exe 
    C:\Users\Bethany\Desktop\Tracy Stuff\Vid Stuff\S.exe 
    C:\Users\Bethany\Downloads\GameSetup-dm.exe 

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
     
    CFScriptB-4.gif
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

 

Post the new ComboFix log and let me know what remaining malware related problems you are having.  :)


No, you don't have to. Just remove that line from the fix that I provided and continue with the instructions.

 

Your choice, but let's remember what the scan showed:

C:\Users\Bethany\Desktop\Tracy Stuff\bs\YTDSetup.exe multiple threats

 


Txt Log

 

ComboFix 14-02-01.01 - Bethany 02/01/2014  19:59:48.3.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1982.947 [GMT -6:00]
Running from: c:\users\Bethany\Desktop\ComboFix.exe
Command switches used :: c:\users\Bethany\Desktop\CFScript.txt
AV: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2014 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Bethany\Desktop\Tracy Stuff\bs\YTDSetup.exe"
"c:\users\Bethany\Desktop\Tracy Stuff\Vid Stuff\RPG.exe"
"c:\users\Bethany\Desktop\Tracy Stuff\Vid Stuff\S.exe"
"c:\users\Bethany\Downloads\GameSetup-dm.exe"
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-02 to 2014-02-02  )))))))))))))))))))))))))))))))
.
.
2014-02-02 02:15 . 2014-02-02 02:15 -------- d-----w- c:\users\TEMP\AppData\Local\temp
2014-02-02 02:15 . 2014-02-02 02:15 -------- d-----w- c:\users\TEMP.home\AppData\Local\temp
2014-02-02 02:15 . 2014-02-02 02:15 -------- d-----w- c:\users\Guest\AppData\Local\temp
2014-02-02 02:15 . 2014-02-02 02:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-02-01 05:03 . 2014-02-01 05:03 -------- d-----w- c:\program files\ESET
2014-01-31 06:00 . 2014-02-01 00:24 -------- d-----w- c:\programdata\AVG Security Toolbar
2014-01-30 05:45 . 2014-01-30 05:45 -------- d-----w- c:\users\Bethany\voip
2014-01-30 05:28 . 2014-01-30 05:36 -------- d-----w- c:\users\Bethany\AppData\Roaming\ICQ-Profile
2014-01-30 05:28 . 2014-01-30 05:28 -------- d-----w- c:\users\Bethany\AppData\Roaming\ICQM
2014-01-30 02:30 . 2013-12-19 03:10 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-01-29 22:09 . 2014-01-31 03:44 -------- d-----w- C:\AdwCleaner
2014-01-29 00:17 . 2014-01-29 00:17 -------- d-----w- c:\programdata\Yahoo! Companion
2014-01-29 00:17 . 2014-01-29 00:18 -------- d-----w- c:\users\Bethany\AppData\Roaming\Yahoo!
2014-01-28 23:59 . 2014-01-29 00:17 -------- d-----w- c:\program files\Yahoo!
2014-01-18 23:18 . 2014-01-18 23:18 -------- d-----w- c:\users\Bethany\AppData\Local\FreemakeVideoConverter
2014-01-18 22:57 . 2014-01-19 00:43 -------- d-----w- c:\programdata\Freemake
2014-01-18 22:57 . 2014-01-19 00:43 -------- d-----w- c:\program files\Freemake
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-12-11 01:18 . 2012-05-12 00:57 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-12-11 01:18 . 2011-07-06 03:49 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-11-14 22:50 . 2013-12-12 03:22 1806848 ----a-w- c:\windows\system32\jscript9.dll
2013-11-14 22:42 . 2013-12-12 03:22 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-11-14 22:42 . 2013-12-12 03:22 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-11-14 22:38 . 2013-12-12 03:22 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-11-14 22:38 . 2013-12-12 03:22 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-11-14 22:35 . 2013-12-12 03:22 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-11-06 03:50 . 2013-11-06 03:50 120600 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-11-05 03:57 . 2013-11-05 03:57 209176 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2008-02-20 16:37 . 2008-02-20 16:30 14603672 ----a-w- c:\program files\jre-6u3-windows-i586-p-s.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn0\yt.dll" [2013-08-07 1561880]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Bethany\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Bethany\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\users\Bethany\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MobiLink 3"="c:\program files\Novatel Wireless\MobiLink3\MobiLink3.exe" [2010-07-29 1923920]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]
"icq"="c:\users\Bethany\AppData\Roaming\ICQM\icq.exe" [2014-01-30 33664344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 218408]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 55824]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2010-03-09 283792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-24 13601312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-24 92704]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"AVG_UI"="c:\program files\AVG\AVG2014\avgui.exe" [2013-11-08 4956176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 01:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-01-29 00:59 1211672 ----a-w- c:\program files\Google\Chrome\Application\32.0.1700.102\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 01:18]
.
2014-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-19 03:08]
.
2014-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-19 03:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: juno.com
TCP: Interfaces\{0F144C87-387F-4B84-8E5A-8C072711703E}: NameServer = 204.117.214.10 8.8.8.8
FF - ProfilePath - c:\users\Bethany\AppData\Roaming\Mozilla\Firefox\Profiles\hoqwg7xb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.search.selectedEngine - SafeSearch
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-AVG-Secure-Search-Update_0214c - c:\users\Bethany\AppData\Roaming\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-02-01 20:15
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4860)
c:\users\Bethany\AppData\Roaming\Dropbox\bin\DropboxExt.17.dll
.
Completion time: 2014-02-01  20:18:43
ComboFix-quarantined-files.txt  2014-02-02 02:18
ComboFix2.txt  2014-01-31 02:43
ComboFix3.txt  2014-01-30 00:44
.
Pre-Run: 115,622,109,184 bytes free
Post-Run: 115,645,771,776 bytes free
.
- - End Of File - - 009FAAAC072496391EA5253F01D9B27B
1A1A06F62E891045814007163C1C76C3

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.02.01.01
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Bethany :: HOME [administrator]
 
2/2/2014 6:49:37 PM
mbam-log-2014-02-02 (18-49-37).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 278971
Time elapsed: 30 minute(s), 26 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
This topic is now closed to further replies.