Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

winrscmde has stopped working


  • This topic is locked This topic is locked
11 replies to this topic

#1 davespcneedshelp

davespcneedshelp

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 18 August 2012 - 10:10 AM

Hello, I have a Vista 64bit system and its infected. I know that I'm infected as Windows keeps prompting me that "Winrscmde has stopped working" every 30 seconds. I've run MS Security Essentials as my normal antivirus / online protection Symantec apparently didnt and still doesnt detect any infection. MS Security Essentials did detect an infection, which is the pernicious little bug Trojan:DOS/Alureon.A... So MS Security Essentials was unable to remove it, it quarantined it, however the windows prompt keeps coming up every 30 seconds and its aggravating as heck. Other programs/ services will stop on occasion as well, but not very often. I've run a scan of Windows Defender Offline from a USB flashdrive, and the quick scan found nothing, but the full system scan found this bug, and was able to remove it. Then I boot up and my joy is short lived as the bug is back. I see that its related to the svchost file in the Windows folder. I delete this but it just comes right back. Any assistance you can provide would be greatly appreciated. Thanks for your time.

Dave

Edited by davespcneedshelp, 18 August 2012 - 10:21 AM.


BC AdBot (Login to Remove)

 


#2 davespcneedshelp

davespcneedshelp
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 18 August 2012 - 10:11 AM

MS Essentials has the following info on this:

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Items:
rootkit:Alureon->Mbr::Alureon

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:24 PM

Posted 23 August 2012 - 09:36 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    Posted Image
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#4 davespcneedshelp

davespcneedshelp
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 23 August 2012 - 04:07 PM

Hello nasdaq, thank you very much for your help and your post. I downloaded TDSSKiller and ran the scan and it did detect an infected file and it did the cure, and then prompted that a reboot was needed, so I did the reboot.

Here is the TDSSKiller log:


15:22:42.0021 3960 TDSS rootkit removing tool 2.8.7.0 Aug 20 2012 17:30:03
15:22:42.0474 3960 ============================================================
15:22:42.0474 3960 Current date / time: 2012/08/23 15:22:42.0474
15:22:42.0474 3960 SystemInfo:
15:22:42.0474 3960
15:22:42.0474 3960 OS Version: 6.0.6002 ServicePack: 2.0
15:22:42.0474 3960 Product type: Workstation
15:22:42.0474 3960 ComputerName: DAVE-PC
15:22:42.0474 3960 UserName: Dave
15:22:42.0474 3960 Windows directory: C:\Windows
15:22:42.0474 3960 System windows directory: C:\Windows
15:22:42.0474 3960 Running under WOW64
15:22:42.0474 3960 Processor architecture: Intel x64
15:22:42.0474 3960 Number of processors: 8
15:22:42.0474 3960 Page size: 0x1000
15:22:42.0474 3960 Boot type: Normal boot
15:22:42.0474 3960 ============================================================
15:22:48.0058 3960 BG loaded
15:22:48.0386 3960 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
15:22:48.0402 3960 Drive \Device\Harddisk1\DR1 - Size: 0x2BA9F400000 (2794.49 Gb), SectorSize: 0x1000, Cylinders: 0xB21F, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
15:22:48.0402 3960 ============================================================
15:22:48.0402 3960 \Device\Harddisk0\DR0:
15:22:48.0417 3960 MBR partitions:
15:22:48.0417 3960 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x74705C5F
15:22:48.0417 3960 \Device\Harddisk1\DR1:
15:22:48.0417 3960 MBR partitions:
15:22:48.0417 3960 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x100, BlocksNum 0x2BA9F300
15:22:48.0417 3960 ============================================================
15:22:48.0448 3960 C: <-> \Device\Harddisk0\DR0\Partition1
15:22:48.0464 3960 P: <-> \Device\Harddisk1\DR1\Partition1
15:22:48.0464 3960 ============================================================
15:22:48.0464 3960 Initialize success
15:22:48.0464 3960 ============================================================



After the reboot I then ran the Avast scan and I did not select any fixes as advised. Here is the Avast scan log:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-23 15:25:41
-----------------------------
15:25:41.187 OS Version: Windows x64 6.0.6002 Service Pack 2
15:25:41.187 Number of processors: 8 586 0x1A05
15:25:41.187 ComputerName: DAVE-PC UserName: Dave
15:26:05.645 Initialize success
15:27:59.279 AVAST engine defs: 12082300
15:28:09.996 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
15:28:09.996 Disk 0 Vendor: Hitachi_HDT721010SLA360 ST6OA31B Size: 953869MB BusType: 3
15:28:10.012 Disk 0 MBR read successfully
15:28:10.012 Disk 0 MBR scan
15:28:10.012 Disk 0 Windows VISTA default MBR code
15:28:10.027 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 953867 MB offset 2048
15:28:10.043 Disk 0 scanning C:\Windows\system32\drivers
15:28:22.398 Service scanning
15:28:45.221 Modules scanning
15:28:45.221 Disk 0 trace - called modules:
15:28:45.237 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
15:28:45.237 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80069813e0]
15:28:45.237 3 CLASSPNP.SYS[fffffa60011cfc33] -> nt!IofCallDriver -> [0xfffffa80065b9520]
15:28:45.751 5 acpi.sys[fffffa60008f6fde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80065b14b0]
15:28:47.545 AVAST engine scan C:\Windows
15:28:55.377 AVAST engine scan C:\Windows\system32
15:32:55.732 AVAST engine scan C:\Windows\system32\drivers
15:34:28.479 AVAST engine scan C:\Users\Dave
15:43:55.919 AVAST engine scan C:\ProgramData
15:47:23.290 Scan finished successfully
15:47:39.789 Disk 0 MBR has been saved successfully to "C:\Users\Dave\Desktop\MBR.dat"
15:47:39.789 The log file has been saved successfully to "C:\Users\Dave\Desktop\aswMBR.txt"

I've attached the zipped MBR.dat file as advised.

I've noticed I'm no longer getting the winrscmde has stopped messages, which is a very nice change of pace. Thanks again for helping me Nasdaq, much appreciated! I'll await further instructions.

Attached Files

  • Attached File  MBR.zip   544bytes   0 downloads

Edited by davespcneedshelp, 23 August 2012 - 04:13 PM.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:24 PM

Posted 25 August 2012 - 06:08 AM

Lets continue.

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs if not up to date can be the cause infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

Please post the logs for my review.

#6 davespcneedshelp

davespcneedshelp
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 25 August 2012 - 10:20 AM

Hello Nasdaq, below are the logs you requested:

Combofix log:


ComboFix 12-08-25.04 - Dave 08/25/2012 9:26.2.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.6134.3406 [GMT -5:00]
Running from: c:\users\Dave\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton 360 *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Norton 360 *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Dave\AppData\Local\Temp\_MEI10522\_ctypes.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\_elementtree.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\_hashlib.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\_socket.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\_ssl.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\pyexpat.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\pysqlite2._sqlite.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\python26.dll
c:\users\Dave\AppData\Local\Temp\_MEI10522\pythoncom26.dll
c:\users\Dave\AppData\Local\Temp\_MEI10522\PyWinTypes26.dll
c:\users\Dave\AppData\Local\Temp\_MEI10522\select.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\unicodedata.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\win32api.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\win32com.shell.shell.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\win32crypt.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\win32event.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\win32file.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\win32inet.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\win32pdh.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\win32process.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\windows._cacheinvalidation.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\wx._controls_.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\wx._core_.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\wx._gdi_.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\wx._html2.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\wx._misc_.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\wx._windows_.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\wx._wizard.pyd
c:\users\Dave\AppData\Local\Temp\_MEI10522\wxbase293u_net_vc.dll
c:\users\Dave\AppData\Local\Temp\_MEI10522\wxbase293u_vc.dll
c:\users\Dave\AppData\Local\Temp\_MEI10522\wxmsw293u_adv_vc.dll
c:\users\Dave\AppData\Local\Temp\_MEI10522\wxmsw293u_core_vc.dll
c:\users\Dave\AppData\Local\Temp\_MEI10522\wxmsw293u_html_vc.dll
c:\users\Dave\AppData\Local\Temp\_MEI10522\wxmsw293u_webview_vc.dll
c:\users\Public\AlexaNSISPlugin.5208.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-07-25 to 2012-08-25 )))))))))))))))))))))))))))))))
.
.
2012-08-25 14:41 . 2012-08-25 14:46 -------- d-----w- c:\users\Dave\AppData\Local\temp
2012-08-25 14:41 . 2012-08-25 14:41 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-08-25 14:41 . 2012-08-25 14:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-25 07:01 . 2012-08-25 07:01 -------- d-----w- c:\users\Dave\AppData\Local\twitter
2012-08-25 06:59 . 2012-08-25 06:59 788536 ----a-r- c:\users\Dave\AppData\Roaming\Microsoft\Installer\{B2F34D92-C5CF-4801-90CB-D04A5634B334}\TweetDeck.exe
2012-08-25 06:59 . 2012-08-25 06:59 -------- d-----w- c:\program files (x86)\Twitter
2012-08-23 21:08 . 2012-08-01 22:58 9309624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{718C9A7C-4583-447C-83B5-6C0CB4FE1282}\mpengine.dll
2012-08-23 20:19 . 2012-08-23 20:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-22 01:53 . 2012-08-01 22:58 9309624 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-18 20:24 . 2012-08-18 20:24 -------- d-----w- c:\users\Dave\AppData\Local\VS Revo Group
2012-08-18 20:24 . 2009-12-30 16:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-08-18 20:24 . 2012-08-18 20:24 -------- d-----w- c:\program files\VS Revo Group
2012-08-18 20:22 . 2012-08-18 20:22 -------- d-----w- c:\program files (x86)\VS Revo Group
2012-08-18 16:30 . 2012-08-18 19:37 -------- d-s---r- c:\users\Dave\Google Drive
2012-08-18 13:31 . 2012-08-18 13:31 -------- d-----w- c:\users\Dave\AppData\Roaming\Malwarebytes
2012-08-18 13:30 . 2012-08-18 13:30 -------- d-----w- c:\programdata\Malwarebytes
2012-08-18 13:30 . 2012-08-18 13:31 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-18 13:30 . 2012-07-03 18:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-16 22:24 . 2012-07-04 14:33 2769408 ----a-w- c:\windows\system32\win32k.sys
2012-08-16 09:00 . 2012-08-18 16:54 -------- d-----w- c:\windows\Microsoft Antimalware
2012-08-16 04:37 . 2012-02-09 19:17 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8C717018-B829-4354-BDD9-25C752B956DF}\gapaengine.dll
2012-08-16 04:36 . 2012-08-16 04:37 -------- d-----w- C:\3cb9e0b524c27b33be2b1591ec
2012-08-16 04:23 . 2012-08-16 04:23 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-08-16 04:23 . 2012-08-16 04:24 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-16 04:22 . 2010-04-06 08:34 345984 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-15 11:15 . 2012-05-11 16:34 788480 ----a-w- c:\windows\system32\localspl.dll
2012-08-15 11:15 . 2012-05-11 15:57 623616 ----a-w- c:\windows\SysWow64\localspl.dll
2012-08-15 11:15 . 2012-06-29 16:20 648192 ----a-w- c:\windows\system32\netapi32.dll
2012-08-15 00:22 . 2012-08-16 04:26 -------- d-----w- c:\windows\system32\drivers\N360x64\0603000.00E
2012-08-11 03:12 . 2012-08-11 03:12 677136 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-08-10 20:23 . 2012-08-10 20:24 -------- d-----w- c:\programdata\CenturyLink
2012-08-10 20:22 . 2012-08-25 00:12 -------- d-----w- c:\program files (x86)\Qwest
2012-08-10 20:21 . 2012-08-10 20:21 -------- d-----w- c:\program files (x86)\CenturyLink
2012-07-30 21:52 . 2012-07-30 21:52 103904 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-16 22:14 . 2006-11-02 12:35 62134624 ----a-w- c:\windows\system32\mrt.exe
2012-07-16 07:40 . 2012-08-17 21:02 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AC000610-A90D-4916-BAB7-68281F719ACC}\mpengine.dll
2012-06-08 17:59 . 2012-07-10 20:55 12899840 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 13:49 . 2012-06-06 13:49 1070152 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-06-05 16:47 . 2012-07-10 20:35 1401856 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-05 16:47 . 2012-07-10 20:35 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-05 16:22 . 2012-07-10 20:35 1797120 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:22 . 2012-07-10 20:35 1869824 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:29 . 2012-07-10 20:17 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19 . 2012-06-22 01:09 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-22 01:10 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-22 01:10 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-22 01:10 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-22 01:09 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-22 01:09 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-22 01:09 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-22 01:10 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-22 01:09 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-22 01:09 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-02 20:19 . 2012-06-22 01:09 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:19 . 2012-06-22 01:09 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-02 20:15 . 2012-06-22 01:09 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 20:12 . 2012-06-22 01:09 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-06-02 00:22 . 2012-07-10 20:17 347136 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:22 . 2012-07-10 20:17 254464 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 00:05 . 2012-07-10 20:17 77312 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 00:04 . 2012-07-10 20:17 278528 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 00:03 . 2012-07-10 20:17 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-05-31 17:25 . 2009-10-02 21:35 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-28 16:22 176936 ----a-w- c:\program files (x86)\ConduitEngine\prxConduitEngin.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files (x86)\ConduitEngine\prxConduitEngin.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2012-07-20 12218904]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"TurboV"="c:\program files\ASUS\TurboV\TurboV.exe" [2008-10-22 4040192]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"CenturyLinkTouchPointAgent"="c:\program files (x86)\CenturyLink\Desktop\CenturyLinkTouchPointAgent.exe" [2012-05-16 46760]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-11 919008]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files (x86)\WinZip\WZQKPICK.EXE [2010-4-5 494920]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-18 16:16]
.
2012-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-08-18 16:16]
.
2012-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3530666769-31344507-419582560-1000Core.job
- c:\users\Dave\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-18 04:24]
.
2012-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3530666769-31344507-419582560-1000UA.job
- c:\users\Dave\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-18 04:24]
.
2012-08-25 c:\windows\Tasks\User_Feed_Synchronization-{8D262291-284F-4FA5-A3DF-3F188BEA939F}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 02:50]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-07-20 20:17 755544 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-07-20 20:17 755544 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-07-20 20:17 755544 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-07-20 20:17 755544 ----a-w- c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2008-11-12 6931488]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2008-11-12 1833504]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.com/
mLocal Page = %SystemRoot%\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
Trusted Zone: sharethefiles.com
TCP: DhcpNameServer = 192.168.0.1 205.171.2.25
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - (no file)
URLSearchHooks-{48405d3d-2674-4cd8-b1ef-9a719443bd3f} - (no file)
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
Wow6432Node-HKCU-Run-WMPNSCFG - c:\program files (x86)\Windows Media Player\WMPNSCFG.exe
Wow6432Node-HKLM-Run-Turbine Download Manager Tray Icon - c:\program files (x86)\Turbine\Turbine Download Manager\TurbineDownloadManagerIcon.exe
SafeBoot-93888271.sys
WebBrowser-{48405D3D-2674-4CD8-B1EF-9A719443BD3F} - (no file)
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~1\UNWISE.EXE
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\6.3.0.14\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\6.3.0.14\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3530666769-31344507-419582560-1000\Software\SecuROM\License information*]
"datasecu"=hex:dd,b1,07,7a,26,d6,72,27,92,6d,ae,7d,9f,d4,10,ad,0f,13,7b,70,b4,
0d,41,4d,5d,fb,47,69,88,2c,78,12,3f,ab,b6,29,62,2b,2f,15,e7,32,a6,39,0a,97,\
"rkeysecu"=hex:0b,d5,04,7e,e9,4e,a0,dc,80,bb,07,dd,1d,40,a0,dc
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10q_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10q.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\ASUS\AsSysCtrlService\1.00.00\AsSysCtrlService.exe
c:\asus.sys\config\DVMExportService.exe
c:\program files (x86)\Norton 360\Engine\6.3.0.14\ccSvcHst.exe
c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe
c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
c:\program files (x86)\Google\Update\1.3.21.115\GoogleCrashHandler.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
c:\program files (x86)\Norton 360\Engine\6.3.0.14\ccSvcHst.exe
c:\program files\ASUS\Six Engine\SixEngine.exe
.
**************************************************************************
.
Completion time: 2012-08-25 09:53:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-25 14:53
.
Pre-Run: 228,218,785,792 bytes free
Post-Run: 228,101,894,144 bytes free
.
- - End Of File - - 508DB1E1400217A8288BC6F4AFA5D62D





Heres the Security Check log:


Results of screen317's Security Check version 0.99.46
Windows Vista Service Pack 2 x64 (UAC is enabled)
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Norton 360
Microsoft Security Essentials
(On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
Java™ 6 Update 26
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.1.82.76 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Google Chrome 21.0.1180.79
Google Chrome 21.0.1180.83
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````






And lastly heres the log of the AdwCleaner scan:


# AdwCleaner v1.801 - Logfile created 08/25/2012 at 10:06:46
# Updated 14/08/2012 by Xplode
# Operating system : Windows ™ Vista Home Premium Service Pack 2 (64 bits)
# User : Dave - DAVE-PC
# Boot Mode : Normal
# Running from : C:\Users\Dave\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****

Found : Viewpoint Manager Service

***** [Files / Folders] *****

Folder Found : C:\Users\Dave\AppData\Local\Conduit
Folder Found : C:\Users\Dave\AppData\LocalLow\Conduit
Folder Found : C:\Users\Dave\AppData\LocalLow\ConduitEngine
Folder Found : C:\ProgramData\Viewpoint
Folder Found : C:\Program Files (x86)\ConduitEngine
Folder Found : C:\Program Files (x86)\Common Files\Software Update Utility

***** [Registry] *****

[*] Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2304564
[*] Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Found : HKCU\Software\AppDataLow\Software\conduitEngine
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Toolbar
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\pricegong
Key Found : HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Found : HKLM\SOFTWARE\Classes\dnUpdate
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Found : HKLM\SOFTWARE\Conduit
Key Found : HKLM\SOFTWARE\conduitEngine
Key Found : HKLM\SOFTWARE\conduitEngine
Key Found : HKLM\SOFTWARE\Freeze.com
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Conduit Engine
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Manager
Key Found : HKLM\SOFTWARE\Viewpoint
[x64] Key Found : HKCU\Software\AppDataLow\Software\conduitEngine
[x64] Key Found : HKCU\Software\AppDataLow\Software\PriceGong
[x64] Key Found : HKCU\Software\AppDataLow\Toolbar
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\pricegong
[x64] Key Found : HKCU\Software\Softonic
[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
[x64] Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
[x64] Key Found : HKLM\SOFTWARE\Classes\dnUpdate
[x64] Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
[x64] Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
[x64] Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
[x64] Key Found : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E1164984-B567-47BD-A7FF-240C2594404A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Found : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C4834A2-2ACA-4128-880B-B64537539E4D}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE7E0A3-AE64-4DC8-84D1-F5D7BAF2DB0C}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE7E0A3-AE64-4DC8-84D1-F5D7BAF2DB0C}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EA582743-9076-4178-9AA6-7393FDF4D5CE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25CEE8EC-5730-41BC-8B58-22DDC8AB8C20}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{57BCA5FA-5DBB-45A2-B558-1755C3F6253B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA582743-9076-4178-9AA6-7393FDF4D5CE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{30F9B915-B755-4826-820B-08FBA6BD249D}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{30F9B915-B755-4826-820B-08FBA6BD249D}]
[x64] Key Found : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
[x64] Key Found : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
[x64] Key Found : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
[x64] Key Found : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
[x64] Key Found : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
[x64] Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
[x64] Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE7E0A3-AE64-4DC8-84D1-F5D7BAF2DB0C}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EA582743-9076-4178-9AA6-7393FDF4D5CE}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F9B915-B755-4826-820B-08FBA6BD249D}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25CEE8EC-5730-41BC-8B58-22DDC8AB8C20}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{57BCA5FA-5DBB-45A2-B558-1755C3F6253B}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA582743-9076-4178-9AA6-7393FDF4D5CE}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}
[x64] Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}
[x64] Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{30F9B915-B755-4826-820B-08FBA6BD249D}]

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6002.18005

[OK] Registry is clean.

-\\ Google Chrome v21.0.1180.83

File : C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found : "icon_url": "hxxp://search.conduit.com/fav.ico",
Found : "keyword": "search.conduit.com",
Found : "name": "Conduit",
Found : "search_url": "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&hl=en&SelfSearch=1&Searc[...]
Found : "suggest_url": "hxxp://search.conduit.com/"
Found : "path": "C:\\Program Files (x86)\\Mozilla Firefox\\plugins\\npViewpoint.dll",

-\\ Opera v12.1.1532.0

File : C:\Users\Dave\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [8320 octets] - [25/08/2012 10:06:46]

########## EOF - C:\AdwCleaner[R1].txt - [8448 octets] ##########




By the way the windows prompt that I was getting every 30 seconds which stated "winrscmde has stopped working" has not reappeared at all, which is so great!! :) I'll await further instructions.

#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:24 PM

Posted 25 August 2012 - 12:47 PM

Looking good.

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 26


===

Critical vulnerabilities have been identified in Adobe Flash Player v11.3.300.264 and earlier versions... being exploited in the wild in active targeted attacks...

Get the latest Flash Player

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you unckeck the box on the top right "Yes, install McAfee Security Scan Plus - optional" this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of Flash and the Adob e Reader using the Add/Remove Programs applet if present.
===

Remove the AdWare.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.


#8 davespcneedshelp

davespcneedshelp
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 25 August 2012 - 01:26 PM

Okay, thanks Nasdaq, I'll be sure to update my 3rd party programs as advised. You've been soooo great!!! Thank you so much for your time and assistance!!!!! You've really saved me, that constant pop up about winrscmde stopping was driving me nuts, its so nice not having that aggravation anymore!!!

Thanks again Nasdaq, you're the best!!!! :)

Take care,

Dave

#9 davespcneedshelp

davespcneedshelp
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 25 August 2012 - 02:09 PM

Okay nasdaq I did the updates as advised and heres the log of adwcleaner.exe:


# AdwCleaner v1.801 - Logfile created 08/25/2012 at 13:58:47
# Updated 14/08/2012 by Xplode
# Operating system : Windows ™ Vista Home Premium Service Pack 2 (64 bits)
# User : Dave - DAVE-PC
# Boot Mode : Normal
# Running from : C:\Users\Dave\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : Viewpoint Manager Service

***** [Files / Folders] *****

Deleted on reboot : C:\Users\Dave\AppData\Local\Conduit
Deleted on reboot : C:\Users\Dave\AppData\LocalLow\Conduit
Deleted on reboot : C:\Users\Dave\AppData\LocalLow\ConduitEngine
Deleted on reboot : C:\ProgramData\Viewpoint
Deleted on reboot : C:\Program Files (x86)\ConduitEngine
Deleted on reboot : C:\Program Files (x86)\Common Files\Software Update Utility

***** [Registry] *****

[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2304564
[*] Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Deleted : HKCU\Software\AppDataLow\Software\conduitEngine
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\pricegong
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\conduitEngine
Key Deleted : HKLM\SOFTWARE\Freeze.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Conduit Engine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Viewpoint Manager
Key Deleted : HKLM\SOFTWARE\Viewpoint

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E1164984-B567-47BD-A7FF-240C2594404A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C4834A2-2ACA-4128-880B-B64537539E4D}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE7E0A3-AE64-4DC8-84D1-F5D7BAF2DB0C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EEE7E0A3-AE64-4DC8-84D1-F5D7BAF2DB0C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EA582743-9076-4178-9AA6-7393FDF4D5CE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25CEE8EC-5730-41BC-8B58-22DDC8AB8C20}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{57BCA5FA-5DBB-45A2-B558-1755C3F6253B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA582743-9076-4178-9AA6-7393FDF4D5CE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{30F9B915-B755-4826-820B-08FBA6BD249D}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{30F9B915-B755-4826-820B-08FBA6BD249D}]

***** [Internet Browsers] *****

-\\ Internet Explorer v7.0.6002.18005

[OK] Registry is clean.

-\\ Google Chrome v21.0.1180.83

File : C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted : "icon_url": "hxxp://search.conduit.com/fav.ico",
Deleted : "keyword": "search.conduit.com",
Deleted : "name": "Conduit",
Deleted : "search_url": "hxxp://search.conduit.com/Results.aspx?q={searchTerms}&hl=en&SelfSearch=1&Searc[...]
Deleted : "suggest_url": "hxxp://search.conduit.com/"
Deleted : "path": "C:\\Program Files (x86)\\Mozilla Firefox\\plugins\\npViewpoint.dll",

-\\ Opera v12.1.1532.0

File : C:\Users\Dave\AppData\Roaming\Opera\Opera\operaprefs.ini

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [8391 octets] - [25/08/2012 10:06:46]
AdwCleaner[S1].txt - [5870 octets] - [25/08/2012 13:58:47]

########## EOF - C:\AdwCleaner[S1].txt - [5998 octets] ##########

Edited by davespcneedshelp, 25 August 2012 - 02:10 PM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:24 PM

Posted 26 August 2012 - 06:26 AM

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

#11 davespcneedshelp

davespcneedshelp
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 27 August 2012 - 08:52 PM

Okay nasdaq I've uninstalled comboxfix and adwcleaner.exe and I've deleted the other programs we used. Let me know if theres anything else I should be doing, or if we're all set. I want to thank you again for your time and excellent assistance! Everythings running good, no more pop-ups of winrscmde not running, or anything else not running! PCs runnin' great!! :)

#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,464 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:24 PM

Posted 28 August 2012 - 08:12 AM

Happy surfing.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users