
rootkit detected need help fixing


  • This topic is locked
25 replies to this topic

#1 ImDownHere

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:39 PM

Posted 27 October 2012 - 03:09 AM

Attached File: ark.txt 78.81KB

MY APPRECIATION:
Hi, and I would like to begin by saying thank you for any help or advice that I receive here, as I am not knowledgeable enough to attempt anything like this on my own, so I was relieved to find out there were people willing to give their time to help someone like me.

MY PLEDGE:
I will try to be as detailed and accurate as possible in explaining my problem, but with that being said, I should also let it be known that I do not have the greatest memory and I will not be able to provide an accurate description of the problems and the order in which I had them, like I have noticed a lot of people are doing, which I'm sure makes your job a lot easier.

MY SYMPTOMS:
I was noticing things like programs that won't open when I click on them, so I have to right-click and then click Open to get them to open, but that doesn't even work all the time. Also, some of these programs I get frustrated with because of it and try to uninstall from Add/Remove Programs in the Control Panel, and either I get a message about my access being denied or it will just do nothing. And when trying to perform certain tasks like updating or changing a simple setting, it will restrict me from making any changes. For example, I would log off one day and then when I logged back on my antivirus would be turned off and the firewall off, and I was not allowed to use Windows Update. Programs that I had removed would be back again and other things would have disappeared. Firefox disappeared and a few games disappeared. I also kept getting DLL errors a lot, and of course programs that are unresponsive and will not close. The CPU was reporting 90 to 100% on average even with nothing noticeable open or running at the time. I tried running different things to scan for problems and nothing is ever detected. And most of the time something will happen during the scan that would cause it to malfunction. I read your "what to do prior to requesting help" and followed the instructions and am posting the results here. If you need more information I will do my best to report whatever it is you need back here. Thank you,

DDS (Ver_2012-10-19.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_37
Run by Jenns PC at 21:47:40 on 2012-10-25
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2559.1415 [GMT -7:00]
.
AV: Avanquest Fix-It *Disabled/Outdated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Avanquest Fix-It *Disabled/Outdated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Microsoft\BingDesktop\BingDesktopUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\CISVC.EXE
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\NETGEAR\WNA3100\WNA3100.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Users\Jennifer\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3247201
uURLSearchHooks: FCToolbarURLSearchHook Class: {6b556d31-eeee-de44-19f4-13e37eb9ba64} - c:\program files\bucksbee loyalty plugin - softonic\Helper.dll
uURLSearchHooks: <No Name>: - LocalServer32 - <no file>
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
uURLSearchHooks: InternetHelper1.5 Toolbar: {1930e38a-deef-4cf4-9bfb-9c4ea3689a9d} - c:\program files\internethelper1.5\prxtbInte.dll
mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
mURLSearchHooks: InternetHelper1.5 Toolbar: {1930e38a-deef-4cf4-9bfb-9c4ea3689a9d} - c:\program files\internethelper1.5\prxtbInte.dll
BHO: StumbleUpon Launcher: {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - c:\program files\stumbleupon\StumbleUponIEBar.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: InternetHelper1.5 Toolbar: {1930e38a-deef-4cf4-9bfb-9c4ea3689a9d} - c:\program files\internethelper1.5\prxtbInte.dll
BHO: Soda 3D PDF Reader Helper: {2FE0F895-6D1D-4c80-A20D-18E42DE9B631} - c:\program files\soda 3d pdf reader\PDFIEHelper.dll
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: BucksBee Loyalty Plugin - Softonic: {829CBB8D-4FBC-2464-E9D7-D55180B193B4} - c:\program files\bucksbee loyalty plugin - softonic\Toolbar.dll
BHO: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - <orphaned>
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
BHO: Free Download Manager: {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Vuze Remote Toolbar: {BA14329E-9550-4989-B3F2-9732E92D17CC} - c:\program files\vuze_remote\prxtbVuze.dll
TB: StumbleUpon Toolbar: {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - c:\program files\stumbleupon\StumbleUponIEBar.dll
TB: Soda 3D PDF Reader Toolbar: {64C9D46E-8F8B-4158-9780-A6581C7439B1} - c:\program files\soda 3d pdf reader\PDFIEPlugin.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\prxtbVuze.dll
TB: InternetHelper1.5 Toolbar: {1930e38a-deef-4cf4-9bfb-9c4ea3689a9d} - c:\program files\internethelper1.5\prxtbInte.dll
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna3100\WNA3100.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-Explorer: DisableThumbnailsOnNetworkFolders = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: HideFastUserSwitching = dword:1
mPolicies-System: DisableStartupSound = dword:1
IE: Download all with Free Download Manager - c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {829cbb8d-4fbc-2464-e9d7-d55180b193b4} - c:\program files\bucksbee loyalty plugin - softonic\ribbon.hta
IE: {a8e3281a-999a-ab24-9566-42314ed92b6e} - c:\program files\bucksbee loyalty plugin - softonic\ribbon_menu.hta
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_37-windows-i586.cab
TCP: NameServer = 192.168.1.1 4.2.2.2
TCP: Interfaces\{5967FD79-C5A0-4500-A728-25A1E5DDCD2B} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{60D3EF4D-53FD-453F-871B-8315D7A096FC} : DHCPNameServer = 192.168.42.129
TCP: Interfaces\{96309793-7FE6-4877-AAE2-7905387BBC2F} : DHCPNameServer = 192.168.1.1 4.2.2.2
TCP: Interfaces\{B2C7E82B-BB41-4BFB-88F0-687F3D99229C} : DHCPNameServer = 192.168.250.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\drivers\SCMNdisP.sys [2011-8-31 21728]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2010-5-13 98392]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2012-10-17 78936]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-7-27 63960]
R2 BingDesktopUpdate;Bing Desktop Update service;c:\program files\microsoft\bingdesktop\BingDesktopUpdater.exe [2012-3-30 151656]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-6-14 69976]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
R2 WSWNA3100;WSWNA3100;c:\program files\netgear\wna3100\WifiSvc.exe [2011-8-31 285152]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh6.sys [2011-4-19 1092160]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 .AVQWindowsMonitorService;Fix-It Utilities Process Monitor;c:\program files\avanquest\fix-it\AVQWinMonEngine.exe [2012-9-18 311032]
S2 0238461350461664mcinstcleanup;McAfee Application Installer Cleanup (0238461350461664);c:\users\jennsp~1\appdata\local\temp\023846~1.exe -cleanup -nolog --> c:\users\jennsp~1\appdata\local\temp\023846~1.EXE -cleanup -nolog [?]
S2 AQFileRestoreSrv;AQFileRestoreSrv;c:\program files\avanquest\fix-it\AQFileRestoreSrv.exe [2012-9-18 81328]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SBAMSvc;Fix-It;c:\program files\common files\antivirus\SBAMSvc.exe [2010-10-11 2763080]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-8-21 250808]
S3 AQFileRestore;AQFileRestore;c:\windows\system32\drivers\AQFileRestore.sys [2012-9-18 17272]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-30 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-10-26 25088]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-5-13 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-5-13 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-5-13 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [2011-5-13 114280]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2011-9-30 105672]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2011-4-11 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2011-4-11 25600]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2011-4-11 112640]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-9-2 1343400]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-30 136176]
S4 Soda 3D PDF Reader Helper Service;Soda 3D PDF Reader Helper Service;c:\program files\soda 3d pdf reader\HelperService.exe [2011-12-9 823128]
S4 Soda 3D PDF Reader Service;Soda 3D PDF Reader Service;c:\program files\soda 3d pdf reader\ConversionService.exe [2011-12-9 894296]
.
=============== File Associations ===============
.
FileExt: .txt: textfile="c:\program files\windows nt\accessories\WORDPAD.EXE" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2012-10-25 00:51:15 -------- d-----w- c:\programdata\SUPERSetup
2012-10-21 17:52:14 -------- d-----w- c:\users\jenns pc\appdata\roaming\MotoCast
2012-10-21 15:52:43 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2012-10-21 07:33:46 -------- d-----w- c:\program files\Max Uninstaller
2012-10-20 14:42:30 -------- d-----w- c:\program files\Trend Micro
2012-10-19 07:30:42 184248 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2012-10-17 09:00:58 35000 ----a-w- c:\windows\system32\mxntdfg.exe
2012-10-17 09:00:57 78936 ----a-w- c:\windows\system32\drivers\sbtis.sys
2012-10-17 08:59:52 -------- d-----w- c:\program files\common files\Antivirus
2012-10-17 07:42:21 6980552 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{599cb90d-2eff-4dbb-80b9-80f17877c739}\mpengine.dll
2012-10-17 07:19:31 -------- d-----w- c:\users\jenns pc\appdata\roaming\Free Download Manager
2012-10-17 07:19:25 -------- d-----w- c:\program files\Free Download Manager
2012-10-17 07:04:37 -------- d-----w- c:\program files\InternetHelper1.5
2012-10-16 02:34:37 -------- d-sh--r- C:\_Backup.RC
2012-10-16 00:43:00 -------- d--h--w- C:\_Backup
2012-10-16 00:12:22 -------- d-----w- c:\users\jenns pc\appdata\roaming\Avanquest
2012-10-15 12:48:58 -------- d-----w- c:\programdata\Avanquest
2012-10-15 12:47:48 -------- d-----w- c:\program files\Avanquest
2012-10-15 02:04:15 -------- d-----w- c:\program files\DsNET Corp
2012-10-13 01:22:16 -------- d-----w- c:\users\jenns pc\appdata\local\Adobe
2012-10-10 10:04:09 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-10-10 10:03:52 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 10:03:27 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-10-10 10:03:08 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 10:03:08 1159680 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 10:03:08 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-04 23:36:30 -------- d-----w- c:\windows\PCHEALTH
2012-10-04 23:32:46 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-10-01 08:59:47 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-09-30 23:43:14 -------- d-----w- c:\users\jenns pc\appdata\roaming\CheckPoint
2012-09-30 23:32:22 -------- d-----w- c:\program files\CheckPoint
2012-09-30 23:32:21 -------- d-----w- c:\programdata\CheckPoint
.
==================== Find3M ====================
.
2012-10-11 01:48:39 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-11 01:48:39 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-18 19:09:16 17272 ----a-w- c:\windows\system32\drivers\AQFileRestore.sys
2012-09-01 10:59:15 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-01 10:59:15 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-30 17:12:02 3968880 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-30 17:12:02 3914096 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-24 06:59:17 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51:27 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51:02 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47:26 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47:12 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43:58 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16:54 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16:46 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16:46 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16:36 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 20:01:22 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 20:01:22 106928 ----a-w- c:\windows\system32\GEARAspi.dll
2012-08-20 17:40:31 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-08-20 17:40:01 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-08-20 17:37:58 271360 ----a-w- c:\windows\system32\conhost.exe
2012-08-20 15:33:28 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-08-20 15:33:28 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-08-20 15:33:28 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-08-20 15:33:28 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-08-10 23:56:14 542208 ----a-w- c:\windows\system32\kerberos.dll
2012-08-02 16:57:20 490496 ----a-w- c:\windows\system32\d3d10level9.dll
.
============= FINISH: 21:55:54.76 ===============
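For anyone reading this thread later: the script below is an added example, not part of this thread and not a tool from the DDS or ComboFix authors. It shows the first-pass mechanical triage a helper does in their head on a DDS log like the one pasted above: protection products reported *Disabled*, a replaced start page (DDS writes hxxp so the URL in a pasted log is not clickable), `<orphaned>` / `<no file>` registry entries that point at files no longer on disk, Hosts file overrides, and services or drivers whose image path sits under a temp folder. The severity labels, category names and the regexes are my own assumptions about the DDS line format, and the sample input is a handful of lines copied from the log in post #1. A hit means "look at this", not "this is malware".

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few lines copied verbatim from the DDS log in post #1.
SAMPLE_DDS = r"""
AV: Avanquest Fix-It *Disabled/Outdated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Avanquest Fix-It *Disabled/Outdated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3247201
uURLSearchHooks: <No Name>: - LocalServer32 - <no file>
BHO: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - <orphaned>
SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
S2 0238461350461664mcinstcleanup;McAfee Application Installer Cleanup (0238461350461664);c:\users\jennsp~1\appdata\local\temp\023846~1.exe -cleanup -nolog --> c:\users\jennsp~1\appdata\local\temp\023846~1.EXE -cleanup -nolog [?]
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info": labels chosen for this example
    category: str
    detail: str


# Regexes are assumptions about the DDS line layout, derived from the log above.
PROTECTION_RE = re.compile(r"^(AV|SP|FW): (.+?) \*([^*]+)\* \{[0-9A-Fa-f-]+\}$")
START_PAGE_RE = re.compile(r"^[um]Start Page = (.+)$")
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")
# "R2 name;display;path [date size]" for running, "S2 ..." for stopped entries
SERVICE_RE = re.compile(r"^[RS][0-4] ([^;]+);[^;]*;(.*)$")


def deobfuscate_url(url: str) -> str:
    """DDS rewrites http/https as hxxp/hxxps so pasted URLs are not clickable; undo that for reporting."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def triage_dds(log_text: str) -> list:
    """Walk a DDS log line by line and return a list of Finding objects worth a human look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS pads its sections with lone dots
            continue
        m = PROTECTION_RE.match(line)
        if m:
            kind, product, state = m.groups()
            if "Disabled" in state:
                findings.append(Finding("high", "protection-disabled", f"{kind} {product}: {state}"))
            elif "Outdated" in state:
                findings.append(Finding("medium", "protection-outdated", f"{kind} {product}: {state}"))
            continue
        m = START_PAGE_RE.match(line)
        if m:
            findings.append(Finding("info", "start-page", deobfuscate_url(m.group(1))))
            continue
        m = HOSTS_RE.match(line)
        if m:
            # hosts line is "IP hostname": report which name gets redirected where
            findings.append(Finding("medium", "hosts-override", f"{m.group(2)} -> {m.group(1)}"))
            continue
        if line.endswith("<orphaned>") or line.endswith("<no file>"):
            findings.append(Finding("medium", "orphaned-entry", line))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, path = m.groups()
            if "\\temp\\" in path.lower():
                findings.append(Finding("high", "service-from-temp", f"{name}: {path}"))
            elif path.endswith("[?]"):
                # assumption: "[?]" in place of the usual "[date size]" means DDS could not read the file
                findings.append(Finding("medium", "service-file-missing", f"{name}: {path}"))
    return findings


def summarize(findings) -> dict:
    """Count findings per category, e.g. {"protection-disabled": 3, ...}."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    order = ("high", "medium", "info")
    for f in sorted(triage_dds(SAMPLE_DDS), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.category:22} {f.detail}")
    print(summarize(triage_dds(SAMPLE_DDS)))
```

Run it as a script to print the findings for the embedded sample, or import `triage_dds` and pass it the full text of a saved DDS.txt. The checks are deliberately narrow and explainable; anything it flags still needs the judgement of the person reading the log, which is exactly what the rest of this thread is about.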


#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:39 PM

Posted 28 October 2012 - 07:00 AM

Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 ImDownHere
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:39 PM

Posted 30 October 2012 - 02:33 AM

Hi,
I downloaded ComboFix and saved it to my desktop as asked. I then attempted to shut down any antivirus programs that I had. On the taskbar I right-clicked on Fix-It Utilities Professional and selected the option to shut down. I checked the Control Panel for any programs that were security related and found HijackThis and uninstalled that. I went to my firewall and disabled it and made sure that I had no antivirus installed. Then I went to the desktop and I clicked on ComboFix and followed the instructions. Everything went smoothly at first and I was at the point where it was going through the different stages when I thought it would be safe to leave it unattended for a few. A little while later I checked it and saw that the computer had gone to sleep and turned itself off (something that it does randomly). When I rebooted, the ComboFix screen was blinking on and off like crazy. I thought maybe this was part of the process, so I let it go for a minute or two, and when it didn't stop I tried to close the box and couldn't. Oh, and I also noticed that the antivirus programs were up and running again because of the shutdown and restart, so I am not sure if that was the cause of all the flashing or not, but I am thinking maybe it is?

Where to go from here?

#4 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:39 PM

Posted 30 October 2012 - 05:18 PM

Yes, it sounds as though the computer rebooted, then there was AV interference.

Please open device manager (Ctrl + Alt + Del) and look for the processes PEV.exe, sed.exe and cfxxx.3xe and end process on them.

That should stop ComboFix from running.

Then re-run it in safe mode.


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account



#5 ImDownHere
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:39 PM

Posted 31 October 2012 - 03:20 AM

I tried to close out the process PEV.exe and I got the message THE OPERATION COULD NOT BE COMPLETED, THE OPERATION IS NOT VALID FOR THIS PROCESS.
I did not see Cfxxx.exe or sed.exe. But I noticed some on there that I have never seen before close to it: CF5433.3xe and NirCmd.3xe and a few more that I couldn't see well enough to write down. The whole list is flashing and jumping around and they are not all on the list at the same time. I tried to end process on all of the ones that I mentioned here and got the same message.

#6 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:39 PM

Posted 31 October 2012 - 04:28 PM

Yes, those would be commands that need ending as well.

If you cannot end those processes, then power off the computer and boot into safe mode.


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account


If ComboFix starts up again in safe mode, see if you are now able to end the processes from Task Manager.



#7 ImDownHere
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:39 PM

Posted 01 November 2012 - 09:25 AM

I wasn't able to end the processes in safe mode because the ComboFix window was not there. Should I still try to run it even though I was not able to properly terminate them?

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:39 PM

Posted 01 November 2012 - 06:40 PM

Yes, give it another try in safe mode.



#9 ImDownHere
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:39 PM

Posted 01 November 2012 - 08:46 PM

Here is the ComboFix log.

Attached File: combofix.txt 1.27KB

#10 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:39 PM

Posted 01 November 2012 - 09:04 PM

That doesn't appear to be the correct log; see if you can find it at C:\ComboFix.txt



#11 ImDownHere
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Female
  • Local time:07:39 PM

Posted 02 November 2012 - 01:46 AM

I found it, sorry about that. :blink: Next time I'll double check what I am sending.

Here it is:


ComboFix 12-10-29.01 - Jenns PC 11/01/2012 18:18:37.2.2 - x86 MINIMAL
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2559.1932 [GMT -7:00]
Running from: c:\users\Jennifer\Desktop\ComboFix.exe
AV: Avanquest Fix-It *Disabled/Outdated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\install.exe
c:\users\Jennifer\1407.flv
c:\users\Jennifer\1413.flv
c:\users\Jennifer\1451.flv
c:\users\Jennifer\Documents\~WRD2748.tmp
c:\users\Jennifer\Documents\~WRL2094.tmp
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\SET8B02.tmp
c:\windows\system32\SETA462.tmp
c:\windows\system32\SETB959.tmp
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-10-02 to 2012-11-02 )))))))))))))))))))))))))))))))
.
.
2012-11-02 01:30 . 2012-11-02 01:30 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-11-02 01:30 . 2012-11-02 01:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-11-02 01:30 . 2012-11-02 01:30 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-11-01 11:30 . 2012-11-01 11:30 -------- d-----w- c:\programdata\Sunbelt
2012-10-29 08:51 . 2012-11-02 01:30 -------- d-----w- c:\users\Jenns PC\AppData\Local\temp
2012-10-29 08:51 . 2012-11-02 01:30 -------- d-----w- c:\users\Jennifer\AppData\Local\temp
2012-10-26 03:05 . 2012-10-26 03:05 -------- d-----w- c:\program files\7-Zip
2012-10-25 00:51 . 2012-10-25 00:51 -------- d-----w- c:\programdata\SUPERSetup
2012-10-21 17:52 . 2012-10-21 17:52 -------- d-----w- c:\users\Jenns PC\AppData\Roaming\MotoCast
2012-10-21 15:52 . 2012-10-21 15:52 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2012-10-21 07:33 . 2012-10-21 09:13 -------- d-----w- c:\program files\Max Uninstaller
2012-10-20 19:45 . 2012-10-20 19:45 -------- d-----w- c:\users\Guest\AppData\Roaming\Avanquest
2012-10-17 09:00 . 2010-07-27 11:48 78936 ----a-w- c:\windows\system32\drivers\sbtis.sys
2012-10-17 08:59 . 2012-10-17 09:03 -------- d-----w- c:\program files\Common Files\Antivirus
2012-10-17 07:55 . 2012-10-17 08:07 -------- d-----w- c:\users\Jennifer\AppData\Local\antiphishing-vmninternethelper1_1dn
2012-10-17 07:42 . 2012-09-19 07:59 6980552 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{599CB90D-2EFF-4DBB-80B9-80F17877C739}\mpengine.dll
2012-10-17 07:19 . 2012-10-29 08:53 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Free Download Manager
2012-10-17 07:19 . 2012-10-26 03:33 -------- d-----w- c:\users\Jenns PC\AppData\Roaming\Free Download Manager
2012-10-17 07:19 . 2012-10-21 09:10 -------- d-----w- c:\program files\Free Download Manager
2012-10-17 07:04 . 2012-10-17 07:04 -------- d-----w- c:\program files\InternetHelper1.5
2012-10-16 00:43 . 2012-10-19 05:55 -------- d-----w- C:\_Backup
2012-10-16 00:40 . 2012-10-19 02:31 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Avanquest
2012-10-16 00:12 . 2012-10-16 00:24 -------- d-----w- c:\users\Jenns PC\AppData\Roaming\Avanquest
2012-10-15 12:48 . 2012-11-01 11:07 -------- d-----w- c:\programdata\Avanquest
2012-10-15 12:47 . 2012-10-16 00:23 -------- d-----w- c:\program files\Avanquest
2012-10-15 02:04 . 2012-10-15 02:04 -------- d-----w- c:\program files\DsNET Corp
2012-10-13 01:22 . 2012-10-13 01:22 -------- d-----w- c:\users\Jenns PC\AppData\Local\Adobe
2012-10-10 10:04 . 2012-08-24 16:57 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-10-10 10:03 . 2012-09-14 18:28 2048 ----a-w- c:\windows\system32\tzres.dll
2012-10-10 10:03 . 2012-08-31 17:18 1211760 ----a-w- c:\windows\system32\drivers\ntfs.sys
2012-10-10 10:03 . 2012-06-02 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-10-10 10:03 . 2012-06-02 04:36 1159680 ----a-w- c:\windows\system32\crypt32.dll
2012-10-10 10:03 . 2012-06-02 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-10-05 00:31 . 2012-10-05 00:31 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-10-04 23:36 . 2012-10-04 23:36 -------- d-----w- c:\windows\PCHEALTH
2012-10-04 23:32 . 2012-10-04 23:32 -------- d-----w- c:\program files\Microsoft Analysis Services
2012-10-04 23:31 . 2012-10-16 04:58 -------- d-----r- C:\MSOCache
2012-10-04 22:05 . 2012-10-04 22:05 -------- d-----w- c:\users\Jennifer\AppData\Local\MicrosoftStore
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-24 07:37 . 2011-09-20 09:58 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-10-23 07:39 . 2011-09-20 09:58 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-10-23 07:39 . 2011-09-22 09:29 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-10-23 07:38 . 2011-09-22 09:08 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-10-21 07:46 . 2011-09-22 09:40 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2012-10-21 07:45 . 2011-09-20 09:58 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2012-10-21 07:45 . 2011-09-20 09:58 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2012-10-17 07:23 . 2011-09-26 21:29 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-10-11 01:48 . 2012-08-21 23:16 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-11 01:48 . 2012-08-21 23:16 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-01 10:59 . 2012-06-16 10:55 821736 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-01 10:59 . 2011-12-12 11:23 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-24 06:59 . 2012-09-22 00:46 1800704 ----a-w- c:\windows\system32\jscript9.dll
2012-08-24 06:51 . 2012-09-22 00:46 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-24 06:51 . 2012-09-22 00:46 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-08-24 06:47 . 2012-09-22 00:46 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-08-24 06:47 . 2012-09-22 00:46 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-24 06:43 . 2012-09-22 00:46 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-08-22 17:16 . 2012-09-12 01:50 1292144 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-22 17:16 . 2012-09-12 01:51 712048 ----a-w- c:\windows\system32\drivers\ndis.sys
2012-08-22 17:16 . 2012-09-12 01:50 240496 ----a-w- c:\windows\system32\drivers\netio.sys
2012-08-22 17:16 . 2012-09-12 01:50 187760 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-21 20:12 . 2012-10-01 08:59 245760 ----a-w- c:\windows\system32\OxpsConverter.exe
2012-08-21 20:01 . 2012-09-20 22:55 26840 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2012-08-21 20:01 . 2012-08-21 20:01 106928 ----a-w- c:\windows\system32\GEARAspi.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6b556d31-eeee-de44-19f4-13e37eb9ba64}"= "c:\program files\BucksBee Loyalty Plugin - Softonic\Helper.dll" [2012-03-27 361984]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-05-09 176936]
"{1930e38a-deef-4cf4-9bfb-9c4ea3689a9d}"= "c:\program files\InternetHelper1.5\prxtbInte.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{6b556d31-eeee-de44-19f4-13e37eb9ba64}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{062DE63C-1398-9124-AD3C-2E5A12DCFE41}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{1930e38a-deef-4cf4-9bfb-9c4ea3689a9d}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1930e38a-deef-4cf4-9bfb-9c4ea3689a9d}]
2011-05-09 09:49 176936 ----a-w- c:\program files\InternetHelper1.5\prxtbInte.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FE0F895-6D1D-4c80-A20D-18E42DE9B631}]
2011-12-10 02:08 91992 ----a-w- c:\program files\Soda 3D PDF Reader\PDFIEHelper.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-05-09 09:49 176936 ----a-w- c:\program files\Vuze_Remote\prxtbVuze.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{64C9D46E-8F8B-4158-9780-A6581C7439B1}"= "c:\program files\Soda 3D PDF Reader\PDFIEPlugin.dll" [2011-12-10 750936]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-05-09 176936]
"{1930e38a-deef-4cf4-9bfb-9c4ea3689a9d}"= "c:\program files\InternetHelper1.5\prxtbInte.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{64c9d46e-8f8b-4158-9780-a6581c7439b1}]
[HKEY_CLASSES_ROOT\SodaReaderPDFIEPlugin.PDFIEConverter.1]
[HKEY_CLASSES_ROOT\TypeLib\{496FD2B4-369B-4c6b-B4F3-3D93A64D05E4}]
[HKEY_CLASSES_ROOT\SodaReaderPDFIEPlugin.PDFIEConverter]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{1930e38a-deef-4cf4-9bfb-9c4ea3689a9d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\prxtbVuze.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Jennifer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Jennifer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Jennifer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Jennifer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*WerKernelReporting"="c:\windows\SYSTEM32\WerFault.exe" [2009-07-14 360448]
.
c:\users\Jennifer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Jenns PC\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2011-8-31 4577760]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 1 (0x1)
"DisableStartupSound"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableThumbnailsOnNetworkFolders"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^Jenns PC^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\Jenns PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-07-27 20:51 919008 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-08-28 04:32 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BingDesktop]
2012-03-30 21:41 1858152 ----a-w- c:\program files\Microsoft\BingDesktop\BingDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
2012-09-24 18:49 3129184 ----a-w- c:\program files\CCleaner\CCleaner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
2011-12-28 20:40 6148096 ----a-w- c:\program files\Free Download Manager\fdm.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HLBackupScheduler]
2012-07-09 09:24 7057032 ----a-w- c:\program files\Backup Assistant Plus\V CAST Backup Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 06:30 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2009-11-12 01:04 1505144 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-04-19 03:56 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 16:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VMM Mode Selection]
2011-02-14 13:55 43520 ----a-r- c:\program files\HTC\ModeSelection\VMMModeSelection.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [x]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
R2 0238461350461664mcinstcleanup;McAfee Application Installer Cleanup (0238461350461664);c:\users\JENNSP~1\AppData\Local\Temp\023846~1.EXE [x]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
R2 BingDesktopUpdate;Bing Desktop Update service;c:\program files\Microsoft\BingDesktop\BingDesktopUpdater.exe [x]
R2 iPodDrv;iPodDrv;c:\windows\system32\drivers\iPodDrv.sys [x]
R2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [x]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [x]
R2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 AQFileRestore;AQFileRestore;c:\windows\system32\DRIVERS\AQFileRestore.sys [x]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh6.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys [x]
R3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\StumbleUpon\StumbleUponUpdateService.exe [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R4 Soda 3D PDF Reader Helper Service;Soda 3D PDF Reader Helper Service;c:\program files\Soda 3D PDF Reader\HelperService.exe [x]
R4 Soda 3D PDF Reader Service;Soda 3D PDF Reader Service;c:\program files\Soda 3D PDF Reader\ConversionService.exe [x]
S0 SCMNdisP;General NDIS Protocol Driver;c:\windows\system32\DRIVERS\scmndisp.sys [x]
S2 SBAMSvc;AntiMalware;c:\program files\Common Files\Antivirus\SBAMSvc.exe [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-11-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-21 01:48]
.
2012-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-30 22:46]
.
2012-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-30 22:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3247201
uInternet Settings,ProxyOverride = *.local
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MIF5BA~1\Office14\ONBttnIE.dll/105
IE: {{a8e3281a-999a-ab24-9566-42314ed92b6e} - c:\program files\BucksBee Loyalty Plugin - Softonic\ribbon_menu.hta
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.1.1 4.2.2.2
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
MSConfigStartUp-Google Update - c:\users\Jennifer\AppData\Local\Google\Update\GoogleUpdate.exe
MSConfigStartUp-InstallIQUpdater - c:\program files\W3i\InstallIQUpdater\InstallIQUpdater.exe
MSConfigStartUp-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
MSConfigStartUp-KGShareApp - c:\program files\Kodak\KODAK Share Button App\KGShare_App.exe
MSConfigStartUp-MobileDocuments - c:\program files\Common Files\Apple\Internet Services\ubd.exe
MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-SpybotSnD - c:\program files\Spybot - Search & Destroy\SpybotSD.exe
MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1701486222-638236263-3622458788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (S-1-5-21-1701486222-638236263-3622458788-1000)
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-1701486222-638236263-3622458788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (S-1-5-21-1701486222-638236263-3622458788-1000)
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-1701486222-638236263-3622458788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (S-1-5-21-1701486222-638236263-3622458788-1000)
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-1701486222-638236263-3622458788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\UserChoice]
@Denied: (2) (S-1-5-21-1701486222-638236263-3622458788-1000)
@Denied: (2) (LocalSystem)
"Progid"="IE.AssocFile.SVG"
.
[HKEY_USERS\S-1-5-21-1701486222-638236263-3622458788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (S-1-5-21-1701486222-638236263-3622458788-1000)
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-1701486222-638236263-3622458788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (S-1-5-21-1701486222-638236263-3622458788-1000)
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-1701486222-638236263-3622458788-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice]
@Denied: (2) (S-1-5-21-1701486222-638236263-3622458788-1000)
@Denied: (2) (LocalSystem)
"Progid"="Applications\\WordPad.exe"
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(276)
c:\users\Jennifer\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
Completion time: 2012-11-01 18:33:27
ComboFix-quarantined-files.txt 2012-11-02 01:33
.
Pre-Run: 50,117,857,280 bytes free
Post-Run: 49,943,101,440 bytes free
.
- - End Of File - - FA274665CCF9C015E4903F1980A127DD

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:39 PM

Posted 02 November 2012 - 04:39 PM

Please run the following:

Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT

Please download Malwarebytes Anti-Malware
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 ImDownHere

ImDownHere
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Female
  • Local time:07:39 PM

Posted 02 November 2012 - 08:24 PM

ADWCLEANER LOG

# AdwCleaner v2.006 - Logfile created 11/02/2012 at 16:16:22
# Updated 30/10/2012 by Xplode
# Operating system : Windows 7 Enterprise Service Pack 1 (32 bits)
# User : Jenns PC - JENNIFER-PC
# Boot Mode : Normal
# Running from : C:\Users\Jennifer\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : \user.js
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\SearchResults.xml
File Deleted : C:\Users\Jenns PC\AppData\Roaming\Mozilla\Firefox\Profiles\127mlx0k.default\searchplugins\Conduit.xml
Folder Deleted : C:\Program Files\AVG Secure Search
Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
Folder Deleted : C:\Program Files\InternetHelper1.5
Folder Deleted : C:\Program Files\Vuze_Remote
Folder Deleted : C:\Program Files\Windows iLivid Toolbar
Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\Trymedia
Folder Deleted : C:\Users\Jennifer\AppData\Local\Conduit
Folder Deleted : C:\Users\Jennifer\AppData\Local\Ilivid Player
Folder Deleted : C:\Users\Jennifer\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Jennifer\AppData\LocalLow\InternetHelper1.5
Folder Deleted : C:\Users\Jennifer\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Jennifer\AppData\LocalLow\Vuze_Remote
Folder Deleted : C:\Users\Jennifer\AppData\Roaming\iWin
Folder Deleted : C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\x84drvwo.default\ConduitCommon
Folder Deleted : C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\x84drvwo.default\CT2504091
Folder Deleted : C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\x84drvwo.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
Folder Deleted : C:\Users\Jenns PC\AppData\LocalLow\AVG Secure Search
Folder Deleted : C:\Users\Jenns PC\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Jenns PC\AppData\LocalLow\InternetHelper1.5
Folder Deleted : C:\Users\Jenns PC\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Jenns PC\AppData\LocalLow\Vuze_Remote
Folder Deleted : C:\Users\Jenns PC\AppData\Roaming\iWin
Folder Deleted : C:\Users\Jenns PC\AppData\Roaming\Mozilla\Firefox\Profiles\127mlx0k.default\CT3247201
Folder Deleted : C:\Users\Jenns PC\AppData\Roaming\Mozilla\Firefox\Profiles\127mlx0k.default\extensions\{1930e38a-deef-4cf4-9bfb-9c4ea3689a9d}
Folder Deleted : C:\Users\Jenns PC\AppData\Roaming\Mozilla\Firefox\Profiles\127mlx0k.default\Smartbar

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1930E38A-DEEF-4CF4-9BFB-9C4EA3689A9D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BA14329E-9550-4989-B3F2-9732E92D17CC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1930E38A-DEEF-4CF4-9BFB-9C4EA3689A9D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA14329E-9550-4989-B3F2-9732E92D17CC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E30ED111-BD63-48C2-A6CB-AB3C9FFFB07C}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1930E38A-DEEF-4CF4-9BFB-9C4EA3689A9D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BA14329E-9550-4989-B3F2-9732E92D17CC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CF0A6C67-CFD0-40B0-A375-4B9893C2B339}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E30ED111-BD63-48C2-A6CB-AB3C9FFFB07C}
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100709.IEToolbar
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100709.IEToolbar.1
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100709.JSOptionsImpl
Key Deleted : HKLM\SOFTWARE\Classes\FCTB000100709.JSOptionsImpl.1
Key Deleted : HKLM\SOFTWARE\Classes\FreeCauseURLSearchHook.FCToolbarURLSearchHook
Key Deleted : HKLM\SOFTWARE\Classes\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2504091
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3247201
Key Deleted : HKLM\SOFTWARE\FCTB000100709
Key Deleted : HKLM\Software\InternetHelper1.5
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{0C8DAAA6-DDCA-46C4-951A-5A5848AC80C6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{517C7BEB-BE97-4C01-9189-E8D7C08588FA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6A2684EC-E96C-4CA5-B535-071CD6D38090}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA3E94EC-0B36-4F93-BB40-2B17B5E39705}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1930E38A-DEEF-4CF4-9BFB-9C4EA3689A9D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA14329E-9550-4989-B3F2-9732E92D17CC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CF0A6C67-CFD0-40B0-A375-4B9893C2B339}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E30ED111-BD63-48C2-A6CB-AB3C9FFFB07C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InternetHelper1.5 Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vuze_Remote Toolbar
Key Deleted : HKLM\Software\Vuze_Remote
Key Deleted : HKU\S-1-5-21-1701486222-638236263-3622458788-1000\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{BA14329E-9550-4989-B3F2-9732E92D17CC}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{1930E38A-DEEF-4CF4-9BFB-9C4EA3689A9D}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{BA14329E-9550-4989-B3F2-9732E92D17CC}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{1930E38A-DEEF-4CF4-9BFB-9C4EA3689A9D}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{BA14329E-9550-4989-B3F2-9732E92D17CC}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{1930E38A-DEEF-4CF4-9BFB-9C4EA3689A9D}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{BA14329E-9550-4989-B3F2-9732E92D17CC}]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://search.conduit.com?SearchSource=10&ctid=CT3247201 --> hxxp://www.google.com

-\\ Mozilla Firefox v [Unable to get version]

Profile name : default
File : C:\Users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\x84drvwo.default\prefs.js

Deleted : user_pref("CT2504091..clientLogIsEnabled", false);
Deleted : user_pref("CT2504091..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.as[...]
Deleted : user_pref("CT2504091..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Re[...]
Deleted : user_pref("CT2504091.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Deleted : user_pref("CT2504091.AppTrackingLastCheckTime", "Thu Sep 29 2011 16:24:28 GMT-0700 (Pacific Daylight[...]
Deleted : user_pref("CT2504091.CTID", "CT2504091");
Deleted : user_pref("CT2504091.CurrentServerDate", "6-10-2011");
Deleted : user_pref("CT2504091.DSInstall", true);
Deleted : user_pref("CT2504091.DialogsAlignMode", "LTR");
Deleted : user_pref("CT2504091.DialogsGetterLastCheckTime", "Mon Oct 03 2011 23:36:22 GMT-0700 (Pacific Daylig[...]
Deleted : user_pref("CT2504091.DownloadReferralCookieData", "");
Deleted : user_pref("CT2504091.EMailNotifierCheckInterval", "60");
Deleted : user_pref("CT2504091.EMailNotifierLabelLength", 5);
Deleted : user_pref("CT2504091.EMailNotifierPollDate", "Thu Oct 06 2011 02:56:09 GMT-0700 (Pacific Daylight Ti[...]
Deleted : user_pref("CT2504091.EMailNotifierSound", "DEFAULT");
Deleted : user_pref("CT2504091.FeedLastCount129079840422964131", 10);
Deleted : user_pref("CT2504091.FeedPollDate128891351169457140", "Thu Oct 06 2011 03:33:14 GMT-0700 (Pacific Da[...]
Deleted : user_pref("CT2504091.FeedPollDate129079840422964131", "Thu Oct 06 2011 02:33:14 GMT-0700 (Pacific Da[...]
Deleted : user_pref("CT2504091.FeedTTL128891351169457140", 40);
Deleted : user_pref("CT2504091.FirstServerDate", "30-9-2011");
Deleted : user_pref("CT2504091.FirstTime", true);
Deleted : user_pref("CT2504091.FirstTimeFF3", true);
Deleted : user_pref("CT2504091.FixPageNotFoundErrors", true);
Deleted : user_pref("CT2504091.GroupingServerCheckInterval", 1440);
Deleted : user_pref("CT2504091.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Deleted : user_pref("CT2504091.HPInstall", false);
Deleted : user_pref("CT2504091.HasUserGlobalKeys", true);
Deleted : user_pref("CT2504091.HomePageProtectorEnabled", false);
Deleted : user_pref("CT2504091.HomepageBeforeUnload", "chrome://branding/locale/browserconfig.properties");
Deleted : user_pref("CT2504091.Initialize", true);
Deleted : user_pref("CT2504091.InitializeCommonPrefs", true);
Deleted : user_pref("CT2504091.InstallationAndCookieDataSentCount", 3);
Deleted : user_pref("CT2504091.InstallationType", "ConduitIntegration");
Deleted : user_pref("CT2504091.InstalledDate", "Thu Sep 29 2011 16:23:07 GMT-0700 (Pacific Daylight Time)");
Deleted : user_pref("CT2504091.InvalidateCache", false);
Deleted : user_pref("CT2504091.IsAlertDBUpdated", true);
Deleted : user_pref("CT2504091.IsGrouping", false);
Deleted : user_pref("CT2504091.IsInitSetupIni", true);
Deleted : user_pref("CT2504091.IsMulticommunity", false);
Deleted : user_pref("CT2504091.IsOpenThankYouPage", false);
Deleted : user_pref("CT2504091.IsOpenUninstallPage", false);
Deleted : user_pref("CT2504091.LanguagePackLastCheckTime", "Thu Oct 06 2011 02:33:14 GMT-0700 (Pacific Dayligh[...]
Deleted : user_pref("CT2504091.LanguagePackReloadIntervalMM", 1440);
Deleted : user_pref("CT2504091.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
Deleted : user_pref("CT2504091.LastLogin_3.7.0.6", "Thu Oct 06 2011 02:33:14 GMT-0700 (Pacific Daylight Time)"[...]
Deleted : user_pref("CT2504091.LatestVersion", "3.7.0.6");
Deleted : user_pref("CT2504091.Locale", "en-us");
Deleted : user_pref("CT2504091.MCDetectTooltipHeight", "83");
Deleted : user_pref("CT2504091.MCDetectTooltipShow", false);
Deleted : user_pref("CT2504091.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Deleted : user_pref("CT2504091.MCDetectTooltipWidth", "295");
Deleted : user_pref("CT2504091.MyStuffEnabledAtInstallation", true);
Deleted : user_pref("CT2504091.OriginalFirstVersion", "3.7.0.6");
Deleted : user_pref("CT2504091.RadioLastCheckTime", "Thu Oct 06 2011 02:56:29 GMT-0700 (Pacific Daylight Time)[...]
Deleted : user_pref("CT2504091.RadioLastUpdateIPServer", "3");
Deleted : user_pref("CT2504091.RadioLastUpdateServer", "0");
Deleted : user_pref("CT2504091.RadioShrinkedFromSetup", false);
Deleted : user_pref("CT2504091.SHRINK_TOOLBAR", 1);
Deleted : user_pref("CT2504091.SearchCaption", "Web Search");
Deleted : user_pref("CT2504091.SearchEngineBeforeUnload", "chrome://browser-region/locale/region.properties");
Deleted : user_pref("CT2504091.SearchFromAddressBarIsInit", true);
Deleted : user_pref("CT2504091.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT250[...]
Deleted : user_pref("CT2504091.SearchInNewTabEnabled", true);
Deleted : user_pref("CT2504091.SearchInNewTabIntervalMM", 1440);
Deleted : user_pref("CT2504091.SearchInNewTabLastCheckTime", "Thu Oct 06 2011 02:33:12 GMT-0700 (Pacific Dayli[...]
Deleted : user_pref("CT2504091.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
Deleted : user_pref("CT2504091.SearchInNewTabUsageUrl", "hxxp://usage.hosting.toolbar.conduit-services.com/usa[...]
Deleted : user_pref("CT2504091.SearchProtectorEnabled", false);
Deleted : user_pref("CT2504091.SearchProtectorToolbarDisabled", false);
Deleted : user_pref("CT2504091.SendProtectorDataViaLogin", true);
Deleted : user_pref("CT2504091.ServiceMapLastCheckTime", "Thu Oct 06 2011 02:33:13 GMT-0700 (Pacific Daylight [...]
Deleted : user_pref("CT2504091.SettingsLastCheckTime", "Thu Oct 06 2011 02:33:11 GMT-0700 (Pacific Daylight Ti[...]
Deleted : user_pref("CT2504091.SettingsLastUpdate", "1317151165");
Deleted : user_pref("CT2504091.TBHomePageUrl", "hxxp://search.conduit.com/?ctid=CT2504091&SearchSource=13");
Deleted : user_pref("CT2504091.ThirdPartyComponentsInterval", 504);
Deleted : user_pref("CT2504091.ThirdPartyComponentsLastCheck", "Thu Sep 29 2011 16:23:00 GMT-0700 (Pacific Day[...]
Deleted : user_pref("CT2504091.ThirdPartyComponentsLastUpdate", "1312887586");
Deleted : user_pref("CT2504091.ToolbarShrinkedFromSetup", false);
Deleted : user_pref("CT2504091.TrusteLinkUrl", "hxxp://trust.conduit.com/CT2504091");
Deleted : user_pref("CT2504091.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,clien[...]
Deleted : user_pref("CT2504091.UserID", "UN04912124756639202");
Deleted : user_pref("CT2504091.ValidationData_Toolbar", 2);
Deleted : user_pref("CT2504091.alertChannelId", "897164");
Deleted : user_pref("CT2504091.approveUntrustedApps", false);
Deleted : user_pref("CT2504091.backendstorage.for_aoi", "31333137333338363331");
Deleted : user_pref("CT2504091.backendstorage.for_ccid", "4C6F6E67204265616368");
Deleted : user_pref("CT2504091.backendstorage.for_cdtr2", "31333137333338363636");
Deleted : user_pref("CT2504091.backendstorage.for_cdtr6", "31333137333338363331");
Deleted : user_pref("CT2504091.backendstorage.for_cid", "5553");
Deleted : user_pref("CT2504091.backendstorage.for_ip", "37312E3130382E352E313533");
Deleted : user_pref("CT2504091.backendstorage.for_lcut", "31333137383933363031");
Deleted : user_pref("CT2504091.backendstorage.for_pid", "31303231");
Deleted : user_pref("CT2504091.backendstorage.for_rid", "4341");
Deleted : user_pref("CT2504091.backendstorage.for_zoneid", "3130313537");
Deleted : user_pref("CT2504091.components.1000082", true);
Deleted : user_pref("CT2504091.components.1002", true);
Deleted : user_pref("CT2504091.components.1003", true);
Deleted : user_pref("CT2504091.components.1008", true);
Deleted : user_pref("CT2504091.components.129079840422339107", false);
Deleted : user_pref("CT2504091.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.c[...]
Deleted : user_pref("CT2504091.globalFirstTimeInfoLastCheckTime", "Thu Oct 06 2011 02:33:14 GMT-0700 (Pacific [...]
Deleted : user_pref("CT2504091.homepageProtectorEnableByLogin", true);
Deleted : user_pref("CT2504091.initDone", true);
Deleted : user_pref("CT2504091.isAppTrackingManagerOn", true);
Deleted : user_pref("CT2504091.isFirstRadioInstallation", false);
Deleted : user_pref("CT2504091.myStuffEnabled", true);
Deleted : user_pref("CT2504091.myStuffPublihserMinWidth", 400);
Deleted : user_pref("CT2504091.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
Deleted : user_pref("CT2504091.myStuffServiceIntervalMM", 1440);
Deleted : user_pref("CT2504091.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
Deleted : user_pref("CT2504091.oldAppsList", "129079840421557838,129079840422026594,111,129079849636241789,129[...]
Deleted : user_pref("CT2504091.revertSettingsEnabled", false);
Deleted : user_pref("CT2504091.searchProtectorDialogDelayInSec", 10);
Deleted : user_pref("CT2504091.searchProtectorEnableByLogin", true);
Deleted : user_pref("CT2504091.testingCtid", "");
Deleted : user_pref("CT2504091.toolbarAppMetaDataLastCheckTime", "Thu Oct 06 2011 02:33:14 GMT-0700 (Pacific D[...]
Deleted : user_pref("CT2504091.toolbarContextMenuLastCheckTime", "Thu Sep 29 2011 16:23:34 GMT-0700 (Pacific D[...]
Deleted : user_pref("CT2504091.undefined", "Sun Oct 02 2011 14:04:35 GMT-0700 (Pacific Daylight Time)");
Deleted : user_pref("CT2504091.usagesFlag", 2);
Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/897164/892962/US", "\"0\"")[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2504091", [...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.7.[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT2504091",[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.conduit-services.com/?ctid=CT2504091&octid=[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=EB_LOCALE",[...]
Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en-us", "\"[...]
Deleted : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Users\\Jennifer\\AppData\\Roaming\\Mozilla[...]
Deleted : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.7.0.6");
Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "");
Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2504091");
Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2504091");
Deleted : user_pref("CommunityToolbar.ToolbarsList4", "CT2504091");
Deleted : user_pref("CommunityToolbar.globalUserId", "d70cd568-f941-4952-afac-6c7908b398d3");
Deleted : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
Deleted : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
Deleted : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT2504091");
Deleted : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Thu Sep 29 2011 16:23:1[...]
Deleted : user_pref("CommunityToolbar.notifications.alertInfoInterval", 1440);
Deleted : user_pref("CommunityToolbar.notifications.alertInfoLastCheckTime", "Thu Oct 06 2011 02:33:20 GMT-070[...]
Deleted : user_pref("CommunityToolbar.notifications.clientsServerUrl", "hxxp://alert.client.conduit.com");
Deleted : user_pref("CommunityToolbar.notifications.locale", "en");
Deleted : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440);
Deleted : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Thu Oct 06 2011 02:33:13 GMT-0700 (P[...]
Deleted : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1313487611");
Deleted : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20);
Deleted : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com");
Deleted : user_pref("CommunityToolbar.notifications.showTrayIcon", false);
Deleted : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300);
Deleted : user_pref("CommunityToolbar.notifications.userId", "ca6b5545-187e-44d4-8178-715f01fe0ca8");
Deleted : user_pref("CommunityToolbar.originalHomepage", "chrome://branding/locale/browserconfig.properties");
Deleted : user_pref("CommunityToolbar.originalSearchEngine", "chrome://browser-region/locale/region.properties[...]
Deleted : user_pref("browser.search.defaultenginename", "iLivid Web Search");
Deleted : user_pref("browser.search.order.1", "iLivid Web Search");
Deleted : user_pref("extensions.browserprotect.searchProviderExceptions", "hxxp://en.wikipedia.org/wiki/Specia[...]
Deleted : user_pref("extensions.ntk.recentClosedPers", "hxxp://scraphacker.com/hanging-diy/::Put your stuff up[...]

Profile name : default
File : C:\Users\Jenns PC\AppData\Roaming\Mozilla\Firefox\Profiles\127mlx0k.default\prefs.js

C:\Users\Jenns PC\AppData\Roaming\Mozilla\Firefox\Profiles\127mlx0k.default\user.js ... Deleted !

Deleted : user_pref("CT3247201.1000082.isPlayDisplay", "true");
Deleted : user_pref("CT3247201.1000082.state", "{\"state\":\"stopped\",\"text\":\"Californi...\",\"description[...]
Deleted : user_pref("CT3247201.1000234.TWC_TMP_city", "LOS ANGELES");
Deleted : user_pref("CT3247201.1000234.TWC_TMP_country", "US");
Deleted : user_pref("CT3247201.1000234.TWC_locId", "USCA0638");
Deleted : user_pref("CT3247201.1000234.TWC_location", "Los Angeles, CA");
Deleted : user_pref("CT3247201.1000234.TWC_region", "US");
Deleted : user_pref("CT3247201.1000234.TWC_temp_dis", "f");
Deleted : user_pref("CT3247201.1000234.TWC_wind_dis", "mph");
Deleted : user_pref("CT3247201.1000234.weatherData", "{\"icon\":\"31.png\",\"temperature\":\"67F\",\"temperat[...]
Deleted : user_pref("CT3247201.ENABALE_HISTORY", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3247201.ENABLE_RETURN_WEB_SEARCH_ON_THE_PAGE", "{\"dataType\":\"string\",\"data\":\"tru[...]
Deleted : user_pref("CT3247201.FirstTime", "true");
Deleted : user_pref("CT3247201.FirstTimeFF3", "true");
Deleted : user_pref("CT3247201.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT324[...]
Deleted : user_pref("CT3247201.UserID", "UN50155798644644921");
Deleted : user_pref("CT3247201.addressBarTakeOverEnabledInHidden", "true");
Deleted : user_pref("CT3247201.autoDisableScopes", -1);
Deleted : user_pref("CT3247201.browser.search.defaultthis.engineName", true);
Deleted : user_pref("CT3247201.defaultSearch", "true");
Deleted : user_pref("CT3247201.embeddedsData", "[{\"appId\":\"10000002\",\"apiPermissions\":{\"crossDomainAjax[...]
Deleted : user_pref("CT3247201.enableAlerts", "always");
Deleted : user_pref("CT3247201.enableSearchFromAddressBar", "true");
Deleted : user_pref("CT3247201.firstTimeDialogOpened", "true");
Deleted : user_pref("CT3247201.fixPageNotFoundError", "true");
Deleted : user_pref("CT3247201.fixPageNotFoundErrorInHidden", "true");
Deleted : user_pref("CT3247201.fixUrls", true);
Deleted : user_pref("CT3247201.hxxp___pinterest_aot_im.isEnabled", "Y");
Deleted : user_pref("CT3247201.installId", "air764C.exe");
Deleted : user_pref("CT3247201.installType", "ConduitNSISIntegration");
Deleted : user_pref("CT3247201.isEnableAllDialogs", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3247201.isNewTabEnabled", true);
Deleted : user_pref("CT3247201.isPerformedSmartBarTransition", "true");
Deleted : user_pref("CT3247201.isToolbarShrinked", "{\"dataType\":\"string\",\"data\":\"false\"}");
Deleted : user_pref("CT3247201.keyword", true);
Deleted : user_pref("CT3247201.navigationAliasesJson", "{\"EB_SEARCH_TERM\":\"\",\"EB_MAIN_FRAME_URL\":\"hxxp%[...]
Deleted : user_pref("CT3247201.openThankYouPage", "false");
Deleted : user_pref("CT3247201.openUninstallPage", "true");
Deleted : user_pref("CT3247201.search.searchAppId", "10000002");
Deleted : user_pref("CT3247201.search.searchCount", "2");
Deleted : user_pref("CT3247201.searchInNewTabEnabledInHidden", "true");
Deleted : user_pref("CT3247201.selectToSearchBoxEnabled", "{\"dataType\":\"string\",\"data\":\"true\"}");
Deleted : user_pref("CT3247201.serviceLayer_service_login_isFirstLoginInvoked", "{\"dataType\":\"boolean\",\"d[...]
Deleted : user_pref("CT3247201.serviceLayer_service_login_loginCount", "{\"dataType\":\"number\",\"data\":\"4\[...]
Deleted : user_pref("CT3247201.serviceLayer_service_toolbarGrouping_activeCTID", "{\"dataType\":\"string\",\"d[...]
Deleted : user_pref("CT3247201.serviceLayer_service_toolbarGrouping_activeDownloadUrl", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3247201.serviceLayer_service_toolbarGrouping_activeToolbarName", "{\"dataType\":\"strin[...]
Deleted : user_pref("CT3247201.serviceLayer_service_toolbarGrouping_invoked", "{\"dataType\":\"string\",\"data[...]
Deleted : user_pref("CT3247201.serviceLayer_service_usage_toolbarUsageCount", "{\"dataType\":\"number\",\"data[...]
Deleted : user_pref("CT3247201.serviceLayer_services_appTrackingFirstTime_lastUpdate", "1350458465847");
Deleted : user_pref("CT3247201.serviceLayer_services_appsMetadata_lastUpdate", "1350627973854");
Deleted : user_pref("CT3247201.serviceLayer_services_gottenAppsContextMenu_lastUpdate", "1350458467473");
Deleted : user_pref("CT3247201.serviceLayer_services_login_10.10.27.6_lastUpdate", "1350627974109");
Deleted : user_pref("CT3247201.serviceLayer_services_otherAppsContextMenu_lastUpdate", "1350458467372");
Deleted : user_pref("CT3247201.serviceLayer_services_searchAPI_lastUpdate", "1350627974228");
Deleted : user_pref("CT3247201.serviceLayer_services_serviceMap_lastUpdate", "1350627973440");
Deleted : user_pref("CT3247201.serviceLayer_services_toolbarContextMenu_lastUpdate", "1350458466997");
Deleted : user_pref("CT3247201.serviceLayer_services_toolbarSettings_lastUpdate", "1350627973865");
Deleted : user_pref("CT3247201.serviceLayer_services_translation_lastUpdate", "1350627973768");
Deleted : user_pref("CT3247201.settingsINI", true);
Deleted : user_pref("CT3247201.shouldFirstTimeDialog", "false");
Deleted : user_pref("CT3247201.smartbar.CTID", "CT3247201");
Deleted : user_pref("CT3247201.smartbar.Uninstall", "0");
Deleted : user_pref("CT3247201.smartbar.homepage", true);
Deleted : user_pref("CT3247201.smartbar.toolbarName", "InternetHelper1.5 ");
Deleted : user_pref("CT3247201.toolbarBornServerTime", "17-10-2012");
Deleted : user_pref("CT3247201.toolbarCurrentServerTime", "19-10-2012");
Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3247201&SearchSource=1[...]
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "InternetHelper1.5 Customized Web Search");
Deleted : user_pref("Smartbar.ConduitSearchUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3247201[...]
Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3247201");
Deleted : user_pref("browser.search.selectedEngine", "InternetHelper1.5 Customized Web Search");
Deleted : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT3247201&SearchSource=13");
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3247201&SearchSource=2&q=[...]

-\\ Google Chrome v [Unable to get version]

File : C:\Users\Jennifer\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

File : C:\Users\Jenns PC\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [27675 octets] - [02/11/2012 16:16:22]

########## EOF - \AdwCleaner[S1].txt - [27736 octets] #########



MALWAREBYTES ANTI-MALWARE LOGS



Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.11.02.11

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Jenns PC :: JENNIFER-PC [administrator]

11/2/2012 4:54:09 PM
mbam-log-2012-11-02 (16-54-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 261818
Time elapsed: 7 minute(s), 58 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.09.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Jenns PC :: JENNIFER-PC [administrator]

1/22/2012 9:14:23 AM
mbam-log-2012-01-22 (09-14-23).txt

Scan type: Custom scan
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra
Objects scanned: 1
Time elapsed: 1 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Jenns PC\Downloads\DownloadSetup.exe (Affiliate.Downloader) -> Quarantined and deleted successfully.

(end)



Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.09.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Jenns PC :: JENNIFER-PC [administrator]

1/9/2012 1:01:18 AM
mbam-log-2012-01-09 (01-01-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 192101
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)





Waiting for the last scan; will report that soon.
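The AdwCleaner entries above show what a Conduit-family toolbar leaves behind in a Firefox profile: its own CT<digits>.*, CommunityToolbar.* and Smartbar.* pref namespaces, the browser-level homepage, keyword.URL and search-engine prefs re-pointed at its search host, and backendstorage.for_* values stored as hex-encoded ASCII (the log's for_cid "5553" decodes to "US" and for_rid "4341" to "CA"). As an added example, not code from the thread, AdwCleaner or Mozilla, here is a Python scanner that reads either a raw prefs.js/user.js or AdwCleaner's "Deleted : user_pref(...)" lines, ties the browser-level prefs back to the toolbar's own namespace (so it needs no fixed blocklist of search hosts), and decodes the hex values. The sample log is constructed to resemble the lines above; the CTID and the city string in it are made up, and the assumption that the hex values are plain ASCII is mine, drawn from decoding the values in the log.

```python
"""Added example (not from the thread, AdwCleaner or Mozilla): flag search and
homepage hijack prefs in a Firefox prefs.js/user.js, or in AdwCleaner's
'Deleted : user_pref(...)' log lines, and decode the toolbar's hex-encoded
backendstorage.for_* values."""
import json
import re
from urllib.parse import urlparse

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.*)\);\s*$')
# Pref namespaces the Conduit/Smartbar toolbar family writes (taken from the
# pref names in the AdwCleaner log above).
TOOLBAR_NS_RE = re.compile(r'^(CT\d+\.|CommunityToolbar\.|Smartbar\.)')
# Browser-level prefs a search/homepage hijacker has to own.
BROWSER_PREFS = {
    "browser.startup.homepage", "keyword.URL", "browser.search.order.1",
    "browser.search.defaultenginename", "browser.search.selectedEngine",
}
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

# Constructed sample, modelled on the AdwCleaner lines above (CTID and the
# city hex string are made up; "5553" is the log's own for_cid value).
SAMPLE_LOG = r'''
Deleted : user_pref("CT0000000.TBHomePageUrl", "hxxp://search.conduit.com/?ctid=CT0000000&SearchSource=13");
Deleted : user_pref("CT0000000.backendstorage.for_ccid", "537072696E676669656C64");
Deleted : user_pref("CT0000000.backendstorage.for_cid", "5553");
Deleted : user_pref("CT0000000.FirstTime", true);
Deleted : user_pref("CT0000000.LanguagePackLastCheckTime", "Thu Oct 06 2011 02:33:14 GMT-0700 (Pacific Dayligh[...]
Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT0000000");
Deleted : user_pref("Smartbar.ConduitSearchEngineList", "Example Customized Web Search");
Deleted : user_pref("browser.search.defaultenginename", "Google");
Deleted : user_pref("browser.search.selectedEngine", "Example Customized Web Search");
Deleted : user_pref("browser.startup.homepage", "hxxp://search.conduit.com/?ctid=CT0000000&SearchSource=13");
Deleted : user_pref("keyword.URL", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT0000000&SearchSource=2&q=");
'''


def parse_pref(line):
    """Return (name, value) for a user_pref line, or None if it is not one.
    Lines AdwCleaner truncated with [...] have no closing ');' and are skipped."""
    m = PREF_RE.search(line)
    if not m:
        return None
    name, raw = m.group(1), m.group(2).strip()
    try:
        value = json.loads(raw)          # JS literal: "str", true/false, number
    except ValueError:
        value = raw
    if isinstance(value, str):           # undo the log's hxxp:// de-fanging
        value = value.replace("hxxp://", "http://")
    return name, value


def hosts_in(value):
    """Lower-cased hostnames of every URL inside a string value."""
    if not isinstance(value, str):
        return set()
    hosts = {urlparse(u).hostname for u in URL_RE.findall(value)}
    return {h.lower() for h in hosts if h}


def decode_hex_ascii(value):
    """backendstorage.for_* values are hex-encoded ASCII (e.g. "5553" -> "US");
    returns None when the value is not even-length hex or not printable."""
    if not isinstance(value, str) or len(value) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", value):
        return None
    raw = bytes.fromhex(value)
    return raw.decode("ascii") if all(32 <= b < 127 for b in raw) else None


def scan_prefs(text):
    """Correlate browser-level prefs with the toolbar's own namespace: a homepage
    or search pref is reported as hijacked when it points at a host, or carries
    an engine name, that the toolbar prefs themselves define."""
    prefs = [p for p in map(parse_pref, text.splitlines()) if p]
    toolbar = [(n, v) for n, v in prefs if TOOLBAR_NS_RE.match(n)]
    owned_hosts = set().union(*(hosts_in(v) for _, v in toolbar))
    owned_strings = {v for _, v in toolbar if isinstance(v, str)}
    hijacked = []
    for name, value in prefs:
        if name not in BROWSER_PREFS:
            continue
        shared = hosts_in(value) & owned_hosts
        if shared:
            hijacked.append((name, value, "points at toolbar host " + ", ".join(sorted(shared))))
        elif isinstance(value, str) and value in owned_strings:
            hijacked.append((name, value, "engine name defined by toolbar prefs"))
    decoded = {}
    for name, value in toolbar:
        if ".backendstorage.for_" in name:
            text_value = decode_hex_ascii(value)
            if text_value is not None:
                decoded[name] = text_value
    return {"toolbar_prefs": [n for n, _ in toolbar], "hijacked": hijacked, "decoded": decoded}


if __name__ == "__main__":
    report = scan_prefs(SAMPLE_LOG)
    for name, value, why in report["hijacked"]:
        print(f"HIJACKED {name} = {value!r}: {why}")
    for name, text_value in report["decoded"].items():
        print(f"DECODED  {name} -> {text_value!r}")
```

The correlation step is the useful part: a toolbar rarely hijacks the homepage without also recording that same URL or engine name under its own namespace, so a browser pref whose host or string value already appears in the toolbar prefs is a hijack regardless of which brand of toolbar it is. A default engine of "Google" is left alone because nothing in the toolbar namespace claims it.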

#14 ImDownHere (Topic Starter)

Posted 03 November 2012 - 09:49 PM

Sorry it took so long; I was busy helping a friend move. Here are the results of the last scan.


C:\Program Files\Vuze\.install4j\i4j_extf_32_5p83tu.dll a variant of Win32/Bunndle application
C:\ProgramData\Spybot - Search & Destroy\Recovery\WiIQfraud10.zip Win32/Bagle.gen.zip worm
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP287\A0074194.dll a variant of Win32/Toolbar.MyWebSearch.A application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP287\A0074197.dll probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP287\A0074202.dll a variant of Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP287\A0074205.dll a variant of Win32/Toolbar.MyWebSearch.P application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP288\A0074271.exe a variant of Win32/Toolbar.MyWebSearch.O application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP288\A0074273.dll Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP288\A0074274.dll a variant of Win32/Toolbar.MyWebSearch.Q application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP288\A0074275.dll Win32/Toolbar.MyWebSearch application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP288\A0074282.dll probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP288\A0074283.dll probably a variant of Win32/Toolbar.MyWebSearch.P application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP328\A0088781.exe Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP328\A0088782.dll a variant of Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP341\A0092688.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP341\A0092717.dll Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP341\A0092719.exe Win32/Toolbar.Zugo application
C:\System Volume Information\_restore{5AE0F6B6-1588-4CC0-8833-1528C24E818A}\RP347\A0093381.exe Win32/SpeedUpMyPC application
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WiIQfraud10.zip Win32/Bagle.gen.zip worm
C:\Users\Jennifer\Desktop\.blapk\apps\GingerBreak-v1.20.apk Android/DroidRooter.B application
C:\Users\Jennifer\Desktop\.blapk\apps\Penetrate Pro (2.11).apk Android/Penetho.A application
C:\Users\Jennifer\Desktop\.blapk\apps\.aptoide\com.vicman.photolabpro.apk a variant of Android/Adware.AirPush.C application
C:\Users\Jennifer\Desktop\.blapk\apps\.aptoide\org.drhu.camonline.apk a variant of Android/Adware.AirPush.C application
C:\Users\Jennifer\Desktop\.blapk\apps\.aptoide\org.underdev.penetratepro.apk Android/Penetho.A application
C:\Users\Jennifer\Downloads\Hirens.BootCD.14.0.zip Win32/PSWTool.KonBoot.A application
C:\Users\Jennifer\Downloads\Hirens.BootCD.14.0\Hiren's.BootCD.14.0.iso Win32/PSWTool.KonBoot.A application
C:\Windows.old\Documents and Settings\Jennifer\font\Hirens.BootCD.14.0.zip Win32/PSWTool.KonBoot.A application
C:\Windows.old\Documents and Settings\jennnicole\Application Data\Mozilla\Firefox\Profiles\j5bcvtnk.default\extensions\plugin@yontoo.com\content\overlay.js Win32/Adware.Yontoo application
C:\Windows.old\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe a variant of Win32/Toolbar.Zugo application

#15 CatByte (Malware Response Team, Canada)

Posted 04 November 2012 - 07:05 AM

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files\Vuze\.install4j\i4j_extf_32_5p83tu.dll 
C:\ProgramData\Spybot - Search & Destroy\Recovery\WiIQfraud10.zip 
C:\Users\All Users\Spybot - Search & Destroy\Recovery\WiIQfraud10.zip 
C:\Users\Jennifer\Desktop\.blapk\apps\GingerBreak-v1.20.apk 
C:\Users\Jennifer\Desktop\.blapk\apps\Penetrate Pro (2.11).apk 
C:\Users\Jennifer\Desktop\.blapk\apps\.aptoide\com.vicman.photolabpro.apk 
C:\Users\Jennifer\Desktop\.blapk\apps\.aptoide\org.drhu.camonline.apk 
C:\Users\Jennifer\Desktop\.blapk\apps\.aptoide\org.underdev.penetratepro.apk 
C:\Windows.old\Documents and Settings\jennnicole\Application Data\Mozilla\Firefox\Profiles\j5bcvtnk.default\extensions\plugin@yontoo.com\content\overlay.js 
C:\Windows.old\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

You can remove this outdated version of Java, as you already have the latest version installed:
Java™ 6 Update 37
Do so via Start > Control Panel > Programs and Features.


NEXT

Please advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
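The CFScript above was built from the scan lines in post #14: a File:: section listing one full path per line, then a ClearJavaCache:: directive. As an added example, not code from CatByte, ComboFix or ESET, here is a Python script that parses scan-output lines of the form "<path> <detection name>" as posted, sorts them into buckets by where the file lives and what it is, and emits a File:: section in the layout shown. The triage rules are my own choices, not stated anywhere in the thread: copies inside System Volume Information restore points are left out (they are not live files), detections named PSWTool are set aside as dual-use tools to review by hand rather than delete, and Windows.old leftovers are kept in. Run over the thirteen non-restore-point lines in post #14, those rules produce the same ten paths, in the same order, as CatByte's File:: section. The sample lines below are constructed to mirror the posted format with a generic user name; the only CFScript directives assumed are the two that appear in the post.

```python
"""Added example (not from CatByte, ComboFix or ESET): triage scan-output
lines of the form '<path> <detection>' and emit a CFScript File:: section
in the layout used in the post above."""
import re
from collections import defaultdict

# Path is everything up to the last run of whitespace before the detection
# text; the detection starts with an optional 'probably' / 'a variant of'
# and then '<platform>/<family>', which Windows paths (backslashes) never
# contain.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<det>(?:probably\s+)?(?:a\s+variant\s+of\s+)?[A-Za-z0-9]+/\S+(?:\s+\S+)*)\s*$"
)

# Constructed sample, modelled on the scan lines posted in the thread.
SAMPLE_SCAN = r"""
C:\Program Files\SomeApp\bundled_installer.dll a variant of Win32/Bunndle application
C:\ProgramData\AntiSpy\Recovery\quarantined.zip Win32/Bagle.gen.zip worm
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.dll a variant of Win32/Toolbar.MyWebSearch.A application
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP2\A0000002.exe probably a variant of Win32/Toolbar.Zugo application
C:\Users\Alice\Desktop\apps\rooter.apk Android/DroidRooter.B application
C:\Users\Alice\Downloads\boot-tools.iso Win32/PSWTool.KonBoot.A application
C:\Windows.old\Program Files\Old Toolbar\ToolbarUpdaterService.exe a variant of Win32/Toolbar.Zugo application
C:\Windows.old\Users\Alice\boot-tools.zip Win32/PSWTool.KonBoot.A application
this line is not a detection
"""


def parse_detection(line):
    """Split one scan line into (path, detection); None if it is not one."""
    m = DETECTION_RE.match(line.strip())
    return (m.group("path"), m.group("det")) if m else None


def classify(path, det):
    """Bucket a detection by where the file lives and what it is. These are
    this example's own triage rules, not ComboFix's or the thread's."""
    low = path.lower()
    if "pswtool" in det.lower():
        return "dual_use_tool"        # password-reset tools: review by hand
    if low.startswith("c:\\system volume information\\"):
        return "restore_point"        # copies inside restore points, not live
    if low.startswith("c:\\windows.old\\"):
        return "previous_install"     # leftovers of an earlier Windows install
    return "live"


def triage(lines):
    """Return {bucket: [(path, detection), ...]}; unparsable lines are kept
    under 'unparsed' so nothing is silently dropped."""
    buckets = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        parsed = parse_detection(line)
        if parsed is None:
            buckets["unparsed"].append(line)
            continue
        path, det = parsed
        buckets[classify(path, det)].append((path, det))
    return buckets


def cfscript(buckets, clear_java_cache=True):
    """Emit a script in the layout shown in the post: a File:: section with
    one path per line, then an optional ClearJavaCache:: directive."""
    paths = [p for b in ("live", "previous_install") for p, _ in buckets.get(b, [])]
    out = ["File::", *paths, ""]
    if clear_java_cache:
        out += ["ClearJavaCache::", ""]
    return "\n".join(out)


if __name__ == "__main__":
    result = triage(SAMPLE_SCAN.splitlines())
    for bucket in ("restore_point", "dual_use_tool", "unparsed"):
        for item in result.get(bucket, []):
            print(f"skipped ({bucket}): {item}")
    print(cfscript(result))
```

Keeping the skipped buckets visible matters more than the script itself: a restore-point hit means an infected restore point still exists and has to be dealt with separately, and a dual-use tool such as a boot-disk password resetter is only a finding if the machine's owner did not put it there.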




