Searchnow Redirect Virus; Can't Uninstall


  • This topic is locked
19 replies to this topic

#1 Tgolf3

Tgolf3

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:30 AM

Posted 03 March 2013 - 02:04 PM

The Searchnow redirect virus has attached itself to both Chrome and IE. I have changed my homepage on both browsers back to google and have disabled the searchnow searchbar from IE, however an address bar search still leads me to the searchnow website. I have tried the typical install/uninstall procedure but the file will not uninstall. I have tried searching out the program files in the C: drive to delete them but a message appears that says I do not have permission.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16464  BrowserJavaVersion: 1.6.0_27
Run by twgodfrey at 13:51:50 on 2013-03-03
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.1.1033.18.1999.874 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Enabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\STacSV.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\aestsrv.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDellB.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\twgodfrey\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Users\twgodfrey\AppData\Local\Akamai\netsession_win.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\twgodfrey\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Users\twgodfrey\AppData\Local\Google\Update\1.3.21.135\GoogleCrashHandler.exe
C:\Users\twgodfrey\AppData\Roaming\Spotify\spotify.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
uProxyOverride = 127.0.0.1:9421;<local>;*.local
mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
BHO: StartNow Toolbar Helper: {6E13D095-45C3-4271-9475-F3B48227DD9F} -
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: BitTorrentBar Toolbar: {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - c:\program files\bittorrentbar\tbBitT.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - c:\program files\conduitengine\ConduitEngine.dll
TB: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} -
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [Google Update] "c:\users\twgodfrey\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Akamai NetSession Interface] "c:\users\twgodfrey\appdata\local\akamai\netsession_win.exe"
uRun: [ISUSPM] "c:\programdata\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [Spotify] "c:\users\twgodfrey\appdata\roaming\spotify\Spotify.exe" /uri spotify:autostart
mRun: [Windows Defender] c:\program files\windows defender\MSASCui.exe -hide
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [DCPstrApp] c:\program files\dell\dell controlpoint\security manager\SecurityDeviceInfoSetRegistryString.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDellB.exe" /mode2
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [StartNowToolbarHelper] "c:\program files\startnow toolbar\ToolbarHelper.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinSetup.exe" startup
StartupFolder: c:\users\twgodf~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{5610C541-25A6-45E1-8F7D-AE84C2358105} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{561F8A36-C903-48DC-BC84-822E8362131D} : DHCPNameServer = 75.75.75.75 75.75.76.76
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
STS: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - c:\windows\system32\DreamScene.dll
LSA: Authentication Packages =  msv1_0 wvauth
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - c:\windows\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - c:\windows\system32\soundschemes2.exe /AddRegistration
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\twgodfrey\appdata\roaming\mozilla\firefox\profiles\2l6ex3qg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - StartNow
FF - prefs.js: browser.startup.homepage - hxxp://search.startnow.com/s/?src=startpage&provider=&provider_name=startnow&provider_code=&partner_id=999&product_id=10&affiliate_id=&channel=&toolbar_id=&toolbar_version=&install_country=&install_date=20130303&user_guid=676E2C56156B40EA8BFEE93D7A727193&machine_id=be866d0657cd7c2b386da2bf0a13c52c&browser=FF&os=win&os_version=6.0-x86-SP2
FF - prefs.js: keyword.URL - hxxp://search.startnow.com/s/?src=addrbar&provider=&provider_name=startnow&provider_code=&partner_id=999&product_id=10&affiliate_id=&channel=&toolbar_id=&toolbar_version=&install_country=&install_date=&user_guid=676E2C56156B40EA8BFEE93D7A727193&machine_id=be866d0657cd7c2b386da2bf0a13c52c&browser=FF&os=win&os_version=6.0-x86-SP2&q=
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\users\twgodfrey\appdata\roaming\mozilla\firefox\profiles\2l6ex3qg.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\components\RadioWMPCoreGecko19.dll
FF - component: c:\users\twgodfrey\appdata\roaming\mozilla\firefox\profiles\2l6ex3qg.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\amazon\mp3 downloader\npAmazonMP3DownloaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\twgodfrey\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\users\twgodfrey\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\twgodfrey\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: BitTorrentBar Community Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - %profile%\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - %profile%\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_d2df6701\AEstSrv.exe [2008-12-1 81920]
R2 alssvc;Ambient Light Sensor;c:\program files\dell\ambient light sensor\AlsSvc.exe [2008-6-3 382232]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2008-9-4 406808]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2008-7-31 808296]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2008-7-31 21352]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2008-11-11 451872]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-5-8 45312]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2008-10-1 90112]
R2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2012-6-22 265952]
R3 cvusbdrv;Broadcom USH CV;c:\windows\system32\drivers\cvusbdrv.sys [2008-7-31 32808]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2008-12-1 224384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
R3 OA001Ufd;Creative Camera OA001 Upper Filter Driver;c:\windows\system32\drivers\OA001Ufd.sys [2008-12-1 144672]
R3 OA001Vid;Creative Camera OA001 Function Driver;c:\windows\system32\drivers\OA001Vid.sys [2008-9-18 277440]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-12-1 29736]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 WQ_USBHWA;WiQuest Host Wire Adapter driver;c:\windows\system32\drivers\WQ_hwa.sys [2008-4-25 164664]
S3 WQ_USBLOAD;WiQuest WUSB Loader driver;c:\windows\system32\drivers\WQ_ldr.sys [2008-4-25 33592]
S3 WQ_USBRCI;WiQuest UltraWideBand driver;c:\windows\system32\drivers\WQ_rci.sys [2008-4-25 77880]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\Winword.exe="c:\program files\microsoft office\office12\WINWORD.EXE" /n /dde [UserChoice] [default=edit - 'Open' doesn't exist]
.
=============== Created Last 30 ================
.
2013-03-03 14:54:28 6954968 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{bac6346c-273e-4f37-8a90-f74a4b1f977e}\mpengine.dll
2013-03-03 00:04:04 -------- d-----w- c:\users\twgodfrey\appdata\local\StartNow
2013-02-13 07:23:44 2048512 ----a-w- c:\windows\system32\win32k.sys
2013-02-13 07:23:41 1314816 ----a-w- c:\windows\system32\quartz.dll
2013-02-13 07:23:40 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-02-13 07:23:38 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-02-13 07:23:38 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
.
==================== Find3M  ====================
.
2013-01-30 10:53:21 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-08 22:11:21 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-01-08 22:03:20 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-01-08 22:03:12 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-01-08 21:59:02 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-01-08 21:58:29 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-01-08 21:56:23 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-12-16 13:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-16 10:50:29 293376 ----a-w- c:\windows\system32\atmfd.dll
2012-12-14 21:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 13:52:35.54 ===============
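A small triage script, added here as an example (it is not part of the poster's log, of the DDS tool, or of the forum's instructions), that reads lines in the DDS "Pseudo HJT Report" format shown above and flags the search-hijack indicators visible in this log: Firefox search/homepage prefs pointing at hosts outside an allowlist, IE URL search hooks, and BHO/toolbar registrations whose DLL path is empty. The allowlists and the sample lines (trimmed copies of entries from the log above) are assumptions.

```python
"""Flag browser search-hijack indicators in DDS 'Pseudo HJT Report' lines.

Added example, not part of the forum post or of the DDS tool. The allowlists
below are assumptions: adjust them for the environment being triaged.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Hosts a stock browser would legitimately use for homepage/search (assumption).
TRUSTED_SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com", "search.yahoo.com"}
# Engine names browser.search.selectedEngine may legitimately hold (assumption).
TRUSTED_ENGINE_NAMES = {"Google", "Bing", "Yahoo"}
# Firefox prefs that decide where address-bar and search-box queries are sent.
SEARCH_PREFS = {"browser.search.defaulturl", "keyword.URL",
                "browser.startup.homepage", "browser.search.selectedEngine"}

# DDS defangs URLs as hxxp://; accept both forms.
URL_HOST_RE = re.compile(r"^(?:hxxp|http)s?://([^/?#]+)", re.IGNORECASE)
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$")
IE_PAGE_RE = re.compile(r"^[um](Start Page|Default_Page_URL|Search Page|Default_Search_URL) = (.+)$")
# BHO / TB / URL search hook entries: "<type>: <name>: {CLSID} - <dll path>"
COM_ENTRY_RE = re.compile(r"^(BHO|TB|mURLSearchHooks): (.+?): (\{[0-9A-Fa-f-]{36}\}) -\s*(.*)$")


@dataclass
class Finding:
    kind: str
    detail: str
    line: str


def host_of(value):
    """Lower-cased host of a (possibly defanged) URL, or None if value is not a URL."""
    m = URL_HOST_RE.match(value.strip())
    return m.group(1).lower() if m else None


def check_search_target(setting, value):
    """Describe a homepage/search target that is off the allowlist, else return None."""
    host = host_of(value)
    if host is not None:
        return None if host in TRUSTED_SEARCH_HOSTS else f"{setting} points at {host}"
    # browser.search.selectedEngine holds an engine name rather than a URL.
    name = value.strip()
    return None if name in TRUSTED_ENGINE_NAMES else f"{setting} set to engine '{name}'"


def triage(report_text):
    """Scan DDS report lines and return the list of Findings."""
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FF_PREF_RE.match(line)
        if m and m.group(1) in SEARCH_PREFS:
            detail = check_search_target(m.group(1), m.group(2))
            if detail:
                findings.append(Finding("ff_search_pref", detail, line))
            continue
        m = IE_PAGE_RE.match(line)
        if m:
            detail = check_search_target(m.group(1), m.group(2))
            if detail:
                findings.append(Finding("ie_search_pref", detail, line))
            continue
        m = COM_ENTRY_RE.match(line)
        if m:
            entry_type, name, clsid, path = m.groups()
            if entry_type == "mURLSearchHooks":
                # A URL search hook sees everything typed into the IE address bar,
                # which is exactly where this thread's redirect shows up.
                findings.append(Finding("url_search_hook",
                                        f"{name} {clsid} hooks address-bar input", line))
            elif not path:
                # Registration survives with an empty DLL path: a leftover from a
                # half-removed toolbar that IE still tries to load at start.
                findings.append(Finding("orphan_bho_tb",
                                        f"{entry_type} {name} {clsid} has no DLL path", line))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'ff_search_pref': 3, ...}."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample: trimmed copies of entries from the DDS log in this thread.
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
mURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\tbBitT.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: StartNow Toolbar Helper: {6E13D095-45C3-4271-9475-F3B48227DD9F} -
TB: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} -
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - StartNow
FF - prefs.js: keyword.URL - hxxp://search.startnow.com/s/?src=addrbar&q=
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.kind}] {f.detail}")
    print(summarize(triage(SAMPLE_DDS)))
```

On the sample above the script reports three Firefox search prefs, two orphaned StartNow registrations and one URL search hook, while the Google homepage and the Adobe BHO pass.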
 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:30 AM

Posted 03 March 2013 - 03:16 PM


Hello Tgolf3

Welcome to The Forums!!

Around here they call me Gringo and I'll be glad to help you with your malware problems.


Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-
  • Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller or from here
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator to start"
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller+
  • Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University

#3 Tgolf3

Tgolf3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:30 AM

Posted 03 March 2013 - 04:20 PM

Thanks for your quick response!  I have run the programs in the order listed.  The Searchnow redirect is still operating out of the address bar in my browser.  Below are the reports from each program:

Security Check:

 Results of screen317's Security Check version 0.99.60
 Windows Vista Service Pack 2 x86 (UAC is enabled)
 Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!
 Microsoft Security Essentials
 Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.70.0.1100
 Java™ 6 Update 27
 Java version out of Date!
 Adobe Flash Player 11.1.102.62
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (3.0.4) Firefox out of Date!
 Google Chrome 24.0.1312.57
 Google Chrome 25.0.1364.97
````````Process Check: objlist.exe by Laurent````````
 Microsoft Security Essentials msseces.exe
 Windows Defender MSMpEng.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 2 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


ADW Cleaner:

# AdwCleaner v2.113 - Logfile created 03/03/2013 at 16:01:00
# Updated 23/02/2013 by Xplode
# Operating system : Windows Vista ™ Ultimate Service Pack 2 (32 bits)
# User : twgodfrey - TWGODFREY
# Boot Mode : Normal
# Running from : C:\Users\twgodfrey\Downloads\adwcleaner.exe
# Option [Delete]

***** [Services] *****

Stopped & Deleted : Updater Service for StartNow Toolbar

***** [Files / Folders] *****

File Deleted : C:\Users\twgodfrey\AppData\Roaming\Mozilla\Firefox\Profiles\2l6ex3qg.default\searchplugins\Conduit.xml
Folder Deleted : C:\Program Files\BitTorrentBar
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\ConduitEngine
Folder Deleted : C:\Users\twgodfrey\AppData\LocalLow\BitTorrentBar
Folder Deleted : C:\Users\twgodfrey\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\twgodfrey\AppData\LocalLow\ConduitEngine
Folder Deleted : C:\Users\twgodfrey\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\twgodfrey\AppData\Roaming\Mozilla\Firefox\Profiles\2l6ex3qg.default\Conduit
Folder Deleted : C:\Users\twgodfrey\AppData\Roaming\Mozilla\Firefox\Profiles\2l6ex3qg.default\ConduitEngine
Folder Deleted : C:\Users\twgodfrey\AppData\Roaming\Mozilla\Firefox\Profiles\2l6ex3qg.default\CT2790392
Folder Deleted : C:\Users\twgodfrey\AppData\Roaming\Mozilla\Firefox\Profiles\2l6ex3qg.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
Folder Deleted : C:\Users\twgodfrey\AppData\Roaming\Mozilla\Firefox\Profiles\2l6ex3qg.default\extensions\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}
Folder Deleted : C:\Users\twgodfrey\AppData\Roaming\Mozilla\Firefox\Profiles\2l6ex3qg.default\extensions\engine@conduit.com

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\BitTorrentBar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\conduitEngine
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\BitTorrentBar Toolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{88C7F2AA-F93F-432C-8F0E-B7D85967A527}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{88C7F2AA-F93F-432C-8F0E-B7D85967A527}
Key Deleted : HKCU\Software\StartNow Toolbar
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKLM\Software\BitTorrentBar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7E8A36EA-2501-4ED3-A3C8-CFA9143FB169}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{FAA8C612-F1B6-461B-8B60-B54D74D9642E}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\Toolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ToolbarBroker.EXE
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{113453C7-9F87-482A-A82D-B461C4AE4537}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CBD2A57-2FD5-4F1A-9FC8-90ED48FA4187}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E13D095-45C3-4271-9475-F3B48227DD9F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{88C7F2AA-F93F-432C-8F0E-B7D85967A527}
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1C888195-0160-4883-91B7-294C0CE2F277}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{99ACA0F7-D864-45CB-8C40-FD42A077E7CA}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E65F40C8-3CEB-47C2-9E01-BF73323DF4E7}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.BandObject
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.BandObject.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2790392
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.ToolbarHelperObject.1
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{38BF9661-BDA0-4A74-BB3B-576EC7AE16DC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6857AC4A-95B4-4E2C-B2D2-8A235FCCEF4A}
Key Deleted : HKLM\SOFTWARE\Classes\ZGClnt.Mngr
Key Deleted : HKLM\SOFTWARE\Classes\ZGClnt.Mngr.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2CBD2A57-2FD5-4F1A-9FC8-90ED48FA4187}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3F985018-D3C2-4E93-A227-4792381F9D09}



 

Key Deleted :
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low
Rights\ElevationPolicy\{844ECF1F-189F-4586-9ECE-7046D3A8187A}



 

Key Deleted :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}



 

Key Deleted :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{6E13D095-45C3-4271-9475-F3B48227DD9F}



 

Key Deleted :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper
Objects\{88C7F2AA-F93F-432C-8F0E-B7D85967A527}



 

Key Deleted :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{113453C7-9F87-482A-A82D-B461C4AE4537}



 

Key Deleted :
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\063A857434EDED11A893800002C0A966



 

Key Deleted :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}



 

Key Deleted :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrentBar Toolbar



 

Key Deleted :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine



 

Key Deleted :
HKLM\Software\StartNow Toolbar



 

Value Deleted :
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
[{88C7F2AA-F93F-432C-8F0E-B7D85967A527}]



 

Value Deleted :
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
[{30F9B915-B755-4826-820B-08FBA6BD249D}]



 

Value Deleted :
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
[{5911488E-9D1E-40EC-8CBB-06B231CC153F}]



 

Value Deleted :
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
[{88C7F2AA-F93F-432C-8F0E-B7D85967A527}]



 

Value Deleted :
HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks
[{88C7F2AA-F93F-432C-8F0E-B7D85967A527}]



 

Value Deleted :
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [StartNowToolbarHelper]



 

 



 

***** [Internet
Browsers] *****



 

 



 

-\\ Internet
Explorer v9.0.8112.16464



 

 



 

[OK] Registry is
clean.



 

 



 

-\\ Mozilla
Firefox v3.0.4 (en-US)



 

 



 

File :
C:\Users\twgodfrey\AppData\Roaming\Mozilla\Firefox\Profiles\2l6ex3qg.default\prefs.js



 

 



 

Deleted :
user_pref("CT2790392..clientLogIsEnabled", false);



 

Deleted :
user_pref("CT2790392..clientLogServiceUrl",
"hxxp://clientlog.users.conduit.com/ClientDiagnostics.as[...]



 

Deleted :
user_pref("CT2790392..uninstallLogServiceUrl",
"hxxp://uninstall.users.conduit.com/Uninstall.asmx/Re[...]



 

Deleted :
user_pref("CT2790392.AboutPrivacyUrl",
"hxxp://www.conduit.com/privacy/Default.aspx");



 

Deleted :
user_pref("CT2790392.CTID", "CT2790392");



 

Deleted :
user_pref("CT2790392.CurrentServerDate", "30-8-2012");



 

Deleted :
user_pref("CT2790392.DialogsAlignMode", "LTR");



 

Deleted :
user_pref("CT2790392.DownloadReferralCookieData", "");



 

Deleted :
user_pref("CT2790392.EMailNotifierPollDate", "Wed Aug 29 2012
20:10:37 GMT-0400 (Eastern Daylight Ti[...]



 

Deleted :
user_pref("CT2790392.FeedLastCount129313977501788460", 348);



 

Deleted :
user_pref("CT2790392.FeedPollDate129313974171006416", "Wed Aug
29 2012 20:05:20 GMT-0400 (Eastern Da[...]



 

Deleted :
user_pref("CT2790392.FeedPollDate129313975698350231", "Wed Aug
29 2012 20:05:20 GMT-0400 (Eastern Da[...]



 

Deleted :
user_pref("CT2790392.FeedPollDate129313976370850190", "Wed Aug
29 2012 20:05:22 GMT-0400 (Eastern Da[...]



 

Deleted :
user_pref("CT2790392.FeedPollDate129313976648818968", "Wed Aug
29 2012 20:05:22 GMT-0400 (Eastern Da[...]



 

Deleted :
user_pref("CT2790392.FeedPollDate129313977444757117", "Wed Aug
29 2012 20:05:21 GMT-0400 (Eastern Da[...]



 

Deleted :
user_pref("CT2790392.FeedPollDate129313980389131455", "Wed Aug
29 2012 20:05:21 GMT-0400 (Eastern Da[...]



 

Deleted :
user_pref("CT2790392.FeedPollDate129313980655381977", "Wed Aug
29 2012 20:05:21 GMT-0400 (Eastern Da[...]



 

Deleted :
user_pref("CT2790392.FeedPollDate129313980886163259", "Wed Aug
29 2012 20:05:21 GMT-0400 (Eastern Da[...]



 

Deleted :
user_pref("CT2790392.FeedPollDate129313981234756535", "Wed Aug
29 2012 20:05:21 GMT-0400 (Eastern Da[...]



 

Deleted :
user_pref("CT2790392.FeedPollDate129313983226631720", "Wed Aug
29 2012 20:05:21 GMT-0400 (Eastern Da[...]



 

Deleted :
user_pref("CT2790392.FeedPollDate129313983607725691", "Wed Aug
29 2012 20:05:21 GMT-0400 (Eastern Da[...]



 

Deleted :
user_pref("CT2790392.FeedTTL129313974171006416", 10);



 

Deleted :
user_pref("CT2790392.FeedTTL129313977444757117", 15);



 

Deleted :
user_pref("CT2790392.FeedTTL129313980655381977", 5);



 

Deleted :
user_pref("CT2790392.FeedTTL129313981234756535", 5);



 

Deleted :
user_pref("CT2790392.FirstServerDate", "24-6-2011");



 

Deleted :
user_pref("CT2790392.FirstTime", true);



 

Deleted :
user_pref("CT2790392.FirstTimeFF3", true);



 

Deleted :
user_pref("CT2790392.FixPageNotFoundErrors", true);



 

Deleted :
user_pref("CT2790392.GroupingServerCheckInterval", 1440);



 

Deleted :
user_pref("CT2790392.GroupingServiceUrl",
"hxxp://grouping.services.conduit.com/");



 

Deleted :
user_pref("CT2790392.HasUserGlobalKeys", true);



 

Deleted :
user_pref("CT2790392.Initialize", true);



 

Deleted :
user_pref("CT2790392.InitializeCommonPrefs", true);



 

Deleted :
user_pref("CT2790392.InstallationAndCookieDataSentCount", 3);



 

Deleted :
user_pref("CT2790392.InstallationType",
"UnknownIntegration");



 

Deleted :
user_pref("CT2790392.InstalledDate", "Thu Jun 23 2011 20:45:41
GMT-0400 (Eastern Daylight Time)");



 

Deleted :
user_pref("CT2790392.IsGrouping", false);



 

Deleted :
user_pref("CT2790392.IsMulticommunity", false);



 

Deleted :
user_pref("CT2790392.IsOpenThankYouPage", true);



 

Deleted :
user_pref("CT2790392.IsOpenUninstallPage", true);



 

Deleted :
user_pref("CT2790392.LanguagePackLastCheckTime", "Wed Aug 29
2012 20:05:21 GMT-0400 (Eastern Dayligh[...]



 

Deleted :
user_pref("CT2790392.LanguagePackReloadIntervalMM", 1440);



 

Deleted :
user_pref("CT2790392.LanguagePackServiceUrl",
"hxxp://translation.users.conduit.com/Translation.ashx[...]



 

Deleted : user_pref("CT2790392.LastLogin_3.2.5.2",
"Wed Aug 29 2012 20:05:21 GMT-0400 (Eastern Daylight Time)"[...]



 

Deleted :
user_pref("CT2790392.LatestVersion", "3.14.1.0");



 

Deleted :
user_pref("CT2790392.Locale", "en");



 

Deleted :
user_pref("CT2790392.MCDetectTooltipHeight", "83");



 

Deleted :
user_pref("CT2790392.MCDetectTooltipUrl",
"hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");



 

Deleted :
user_pref("CT2790392.MCDetectTooltipWidth", "295");



 

Deleted :
user_pref("CT2790392.SearchFromAddressBarIsInit", true);



 

Deleted :
user_pref("CT2790392.SearchFromAddressBarUrl",
"hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT279[...]



 

Deleted :
user_pref("CT2790392.SearchInNewTabEnabled", true);



 

Deleted :
user_pref("CT2790392.SearchInNewTabIntervalMM", 1440);



 

Deleted :
user_pref("CT2790392.SearchInNewTabLastCheckTime", "Wed Aug 29
2012 20:05:19 GMT-0400 (Eastern Dayli[...]



 

Deleted :
user_pref("CT2790392.SearchInNewTabServiceUrl",
"hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]



 

Deleted :
user_pref("CT2790392.SearchInNewTabUsageUrl",
"hxxp://usage.hosting.toolbar.conduit-services.com/usa[...]



 

Deleted :
user_pref("CT2790392.ServiceMapLastCheckTime", "Wed Aug 29 2012
20:05:19 GMT-0400 (Eastern Daylight [...]



 

Deleted :
user_pref("CT2790392.SettingsLastCheckTime", "Wed Aug 29 2012
20:05:18 GMT-0400 (Eastern Daylight Ti[...]



 

Deleted :
user_pref("CT2790392.SettingsLastUpdate", "1346219987");



 

Deleted :
user_pref("CT2790392.ThirdPartyComponentsInterval", 504);



 

Deleted :
user_pref("CT2790392.ThirdPartyComponentsLastCheck", "Wed Aug 29
2012 20:05:18 GMT-0400 (Eastern Day[...]



 

Deleted :
user_pref("CT2790392.ThirdPartyComponentsLastUpdate",
"1331805997");



 

Deleted :
user_pref("CT2790392.TrusteLinkUrl",
"hxxp://trust.conduit.com/EB_ORIGINAL_CTID");



 

Deleted :
user_pref("CT2790392.UserID", "UN67529036948767620");



 

Deleted :
user_pref("CT2790392.WeatherNetwork", "");



 

Deleted :
user_pref("CT2790392.WeatherPollDate", "Wed Aug 29 2012 20:05:21
GMT-0400 (Eastern Daylight Time)");



 

Deleted :
user_pref("CT2790392.WeatherUnit", "C");



 

Deleted :
user_pref("CT2790392.alertChannelId", "1182482");



 

Deleted :
user_pref("CT2790392.myStuffEnabled", true);



 

Deleted :
user_pref("CT2790392.myStuffPublihserMinWidth", 400);



 

Deleted :
user_pref("CT2790392.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]



 

Deleted :
user_pref("CT2790392.myStuffServiceIntervalMM", 1440);



 

Deleted :
user_pref("CT2790392.myStuffServiceUrl",
"hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]



 

Deleted :
user_pref("CT2790392.testingCtid", "");



 

Deleted :
user_pref("CT2790392.toolbarAppMetaDataLastCheckTime", "Wed Aug
29 2012 20:05:21 GMT-0400 (Eastern D[...]



 

Deleted :
user_pref("CT2790392.toolbarContextMenuLastCheckTime", "Thu Jun
23 2011 20:45:41 GMT-0400 (Eastern D[...]



 

Deleted :
user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/CT2790392/CT2790392[...]



 

Deleted :
user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/1182482/1178159/US",
"\"0\"[...]



 

Deleted : user_pref("CommunityToolbar.ETag.hxxp://alerts.conduit-services.com/root/909619/905414/US",
"\"0\"")[...]



 

Deleted :
user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2790392",
[...]



 

Deleted :
user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]



 

Deleted :
user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]



 

Deleted :
user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]



 

Deleted :
user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]



 

Deleted :
user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/toolbar/",
"\"c912886ea3ba02[...]



 

Deleted :
user_pref("CommunityToolbar.ETag.hxxp://settings.engine.conduit-services.com/?browser=FF&lut=0",
"63[...]



 

Deleted :
user_pref("CommunityToolbar.ETag.hxxp://settings.engine.conduit-services.com/?browser=FF&lut=3/13/20[...]



 

Deleted :
user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.search.conduit.com/root/CT2790392/CT2790392[...]



 

Deleted :
user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en",
"\"dfe[...]



 

Deleted :
user_pref("CommunityToolbar.EngineOwner", "CT2790392");



 

Deleted :
user_pref("CommunityToolbar.EngineOwnerGuid",
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}");



 

Deleted :
user_pref("CommunityToolbar.EngineOwnerToolbarId",
"bittorrentbar");



 

Deleted : user_pref("CommunityToolbar.IsMyStuffImportedToEngine",
true);



 

Deleted :
user_pref("CommunityToolbar.OriginalEngineOwner",
"CT2790392");



 

Deleted :
user_pref("CommunityToolbar.OriginalEngineOwnerGuid",
"{88c7f2aa-f93f-432c-8f0e-b7d85967a527}");



 

Deleted : user_pref("CommunityToolbar.OriginalEngineOwnerToolbarId",
"bittorrentbar");



 

Deleted :
user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl",
"chrome://browser-region/locale/region.pr[...]



 

Deleted :
user_pref("CommunityToolbar.ToolbarsList", "ConduitEngine,CT2790392");



 

Deleted :
user_pref("CommunityToolbar.ToolbarsList2",
"ConduitEngine,CT2790392");



 

Deleted :
user_pref("CommunityToolbar.alert.alertInfoInterval", 1440);



 

Deleted :
user_pref("CommunityToolbar.alert.alertInfoLastCheckTime", "Wed
Aug 29 2012 20:05:18 GMT-0400 (Easte[...]



 

Deleted :
user_pref("CommunityToolbar.alert.clientsServerUrl",
"hxxp://alert.client.conduit.com");



 

Deleted :
user_pref("CommunityToolbar.alert.locale", "en");



 

Deleted :
user_pref("CommunityToolbar.alert.loginIntervalMin", 1440);



 

Deleted :
user_pref("CommunityToolbar.alert.loginLastCheckTime", "Wed Aug
29 2012 20:05:18 GMT-0400 (Eastern D[...]



 

Deleted :
user_pref("CommunityToolbar.alert.loginLastUpdateTime",
"1313487611");



 

Deleted :
user_pref("CommunityToolbar.alert.messageShowTimeSec", 20);



 

Deleted :
user_pref("CommunityToolbar.alert.servicesServerUrl",
"hxxp://alert.services.conduit.com");



 

Deleted :
user_pref("CommunityToolbar.alert.showTrayIcon", false);



 

Deleted :
user_pref("CommunityToolbar.alert.userCloseIntervalMin", 300);



 

Deleted :
user_pref("CommunityToolbar.alert.userId",
"1bc2762a-860e-4428-9c35-57b557bbf707");



 

Deleted :
user_pref("CommunityToolbar.facebook.settingsLastCheckTime",
"Tue Jul 24 2012 00:05:11 GMT-0400 (Eas[...]



 

Deleted :
user_pref("CommunityToolbar.keywordURLSelectedCTID",
"CT2790392");



 

Deleted :
user_pref("ConduitEngine.CTID", "ConduitEngine");



 

Deleted :
user_pref("ConduitEngine.FirstServerDate", "06/24/2011
03");



 

Deleted :
user_pref("ConduitEngine.FirstTime", true);



 

Deleted :
user_pref("ConduitEngine.FirstTimeFF3", true);



 

Deleted :
user_pref("ConduitEngine.FixPageNotFoundErrors", false);



 

Deleted :
user_pref("ConduitEngine.HasUserGlobalKeys", true);



 

Deleted :
user_pref("ConduitEngine.Initialize", true);



 

Deleted :
user_pref("ConduitEngine.InitializeCommonPrefs", true);



 

Deleted :
user_pref("ConduitEngine.InstallationType",
"UnknownIntegration");



 

Deleted :
user_pref("ConduitEngine.InstalledDate", "Wed Jun 08 2011
18:29:42 GMT-0400 (Eastern Daylight Time)"[...]



 

Deleted :
user_pref("ConduitEngine.IsMulticommunity", false);



 

Deleted :
user_pref("ConduitEngine.IsOpenThankYouPage", false);



 

Deleted :
user_pref("ConduitEngine.IsOpenUninstallPage", false);



 

Deleted :
user_pref("ConduitEngine.LanguagePackLastCheckTime", "Wed Aug 29
2012 20:05:24 GMT-0400 (Eastern Day[...]



 

Deleted :
user_pref("ConduitEngine.LastLogin_3.2.5.2", "Wed Aug 29 2012
20:05:24 GMT-0400 (Eastern Daylight Ti[...]



 

Deleted :
user_pref("ConduitEngine.PublisherContainerWidth", 0);



 

Deleted :
user_pref("ConduitEngine.SearchFromAddressBarIsInit", true);



 

Deleted :
user_pref("ConduitEngine.SearchFromAddressBarUrl",
"hxxp://search.conduit.com/ResultsExt.aspx?ctid=C[...]



 

Deleted :
user_pref("ConduitEngine.SettingsLastCheckTime", "Wed Aug 29
2012 20:05:24 GMT-0400 (Eastern Dayligh[...]



 

Deleted :
user_pref("ConduitEngine.UserID", "UN82655208017626216");



 

Deleted :
user_pref("ConduitEngine.engineLocale", "en-US");



 

Deleted :
user_pref("ConduitEngine.enngineContextMenuLastCheckTime", "Wed
Aug 29 2012 20:05:24 GMT-0400 (Easte[...]



 

Deleted :
user_pref("ConduitEngine.initDone", true);



 

Deleted :
user_pref("browser.search.defaulturl",
"hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2790392&Sea[...]



 

Deleted :
user_pref("browser.search.selectedEngine", "StartNow ");



 

Deleted :
user_pref("browser.startup.homepage",
"hxxp://search.startnow.com/s/?src=startpage&provider=&provide[...]



 

Deleted :
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.name",
"StartNow Toolbar");



 

Deleted :
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.startpage", "au.startnow.com");



 

Deleted :
user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.install_folder",
"C:\Program Files\StartNow Toolba[...]



 

Deleted :
user_pref("keyword.URL",
"hxxp://search.startnow.com/s/?src=addrbar&provider=&provider_name=startnow[...]



 

 



 

-\\ Google Chrome
v25.0.1364.97



 

 



 

File :
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Preferences



 

 



 

Deleted [l.1270]
: homepage =
"hxxp://search.startnow.com/s/?src=startpage&provider=&provider_name=startnow&provide[...]



 

 



 

*************************



 

 



 

AdwCleaner[R1].txt
- [21499 octets] - [03/03/2013 16:00:17]



 

AdwCleaner[S1].txt
- [20817 octets] - [03/03/2013 16:01:00]



 

 



 

########## EOF -
C:\AdwCleaner[S1].txt - [20878 octets] ##########


Rogue Killer:



 

RogueKiller
V8.5.2 [Feb 23 2013] by Tigzy



 

mail :
tigzyRK<at>gmail<dot>com



 

Feedback :
http://www.geekstogo.com/forum/files/file/413-roguekiller/



 

Website :
http://tigzy.geekstogo.com/roguekiller.php



 

Blog :
http://tigzyrk.blogspot.com/



 

 



 

Operating System
: Windows Vista (6.0.6002 Service Pack 2) 32 bits version



 

Started in :
Normal mode



 

User : twgodfrey
[Admin rights]



 

Mode : Scan --
Date : 03/03/2013 16:13:10



 

| ARK || FAK ||
MBR |



 

 



 

¤¤¤ Bad processes
: 0 ¤¤¤



 

 



 

¤¤¤ Registry
Entries : 2 ¤¤¤



 

[HJ DESK] HKLM\[...]\NewStartPanel
: {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND



 

[HJ DESK]
HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) ->
FOUND



 

 



 

¤¤¤ Particular
Files / Folders: ¤¤¤



 

 



 

¤¤¤ Driver :
[LOADED] ¤¤¤



 

 



 

¤¤¤ HOSTS File: ¤¤¤



 

-->
C:\Windows\system32\drivers\etc\hosts



 

 



 

127.0.0.1       localhost



 

::1             localhost



 

 



 

 



 

¤¤¤ MBR Check:
¤¤¤



 

 



 

+++++
PhysicalDrive0: ST9250410ASG +++++



 

--- User ---



 

[MBR]
4707d81bcf8d148d8a6e483e563e9467



 

[BSP]
8d527f0925c429137dfa00addcf14190 : Windows Vista MBR Code



 

Partition table:



 

0 - [ACTIVE] NTFS
(0x07) [VISIBLE] Offset (sectors): 2048 | Size: 152625 Mo



 

User = LL1 ...
OK!



 

User = LL2 ...
OK!



 

 



 

Finished :
<< RKreport[1]_S_03032013_02d1613.txt >>



RKreport[1]_S_03032013_02d1613.txt

 

Thanks again and I look forward to your response!
 



#4 gringo_pr

gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:30 AM

Posted 03 March 2013 - 09:03 PM


Hello Tgolf3

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"information and logs"
  • In your next post I need the following
  • Log from ComboFix
  • let me know of any problems you may have had
  • How is the computer doing now?

  • Gringo




I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Tgolf3

Tgolf3
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:30 AM

Posted 04 March 2013 - 06:58 PM

OK, I have installed and completed the ComboFix program. The program completed without any interruptions or problems. However, after ComboFix finished, when I tried to open Internet Explorer I received the "Illegal operation attempted on a registry key that has been marked for deletion" message. I restarted the computer. After restarting I noticed that the icons on my toolbar/start ribbon at the bottom of my display have changed. The ordering of my shortcuts on my desktop has also changed. After the restart I was able to open Internet Explorer; however, a search in the address bar still takes me to the searchnow redirected site. Here is the log from ComboFix:

 



 

ComboFix 13-03-04.01 - twgodfrey 03/04/2013  18:27:05.1.2 - x86
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.1.1033.18.1999.795 [GMT -5:00]
Running from: c:\users\twgodfrey\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Disabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\StartNow Toolbar
c:\program files\StartNow Toolbar\ToolbarUpdaterService.exe
c:\users\TWGODF~1\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\users\twgodfrey\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\windows\system32\test
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-04 to 2013-03-04   )))))))))))))))))))))))))))))))
.
.
2013-03-04 23:33 . 2013-03-04 23:33    --------    d-----w-    c:\users\Joe\AppData\Local\temp
2013-03-04 23:20 . 2013-02-08 00:45    6954968     ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8418C004-DF93-4857-B254-2A7A080557C7}\mpengine.dll
2013-03-03 00:04 . 2013-03-03 00:04    --------    d-----w-    c:\users\twgodfrey\AppData\Local\StartNow
2013-02-13 07:23 . 2013-01-04 01:38    2048512     ----a-w-    c:\windows\system32\win32k.sys
2013-02-13 07:23 . 2012-11-08 03:48    1314816     ----a-w-    c:\windows\system32\quartz.dll
2013-02-13 07:23 . 2013-01-04 11:28    905576      ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-02-13 07:23 . 2013-01-05 05:26    3602808     ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-02-13 07:23 . 2013-01-05 05:26    3550072     ----a-w-    c:\windows\system32\ntoskrnl.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-08 00:45 . 2010-08-24 19:58    6954968     ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-30 10:53 . 2010-08-09 16:21    232336      ------w-    c:\windows\system32\MpSigStub.exe
2012-12-16 13:12 . 2012-12-27 22:11    34304       ----a-w-    c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-27 22:11    293376      ----a-w-    c:\windows\system32\atmfd.dll
2012-12-14 21:49 . 2013-01-13 16:12    21104       ----a-w-    c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"
[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]
2009-11-08 14:55    297808      ----a-w-    c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"
[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]
2009-11-08 14:55    297808      ----a-w-    c:\windows\System32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Akamai NetSession Interface"="c:\users\twgodfrey\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-01-08 18705664]
"Spotify"="c:\users\twgodfrey\AppData\Roaming\Spotify\Spotify.exe" [2013-02-25 4484504]
"Spotify Web Helper"="c:\users\twgodfrey\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-02-25 1103768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-28 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-28 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-06-28 96800]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-02 3563520]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-08-18 598016]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-06-24 243000]
"DCPstrApp"="c:\program files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe" [2008-08-04 6656]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDellB.exe" [2008-04-11 372736]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-10-01 1454080]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-02 200704]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-31 458844]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe" [2009-09-11 6788944]
.
c:\users\twgodfrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-5 752168]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2008-11-11 936224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages    REG_MULTI_SZ    msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WavXMgr]
2008-05-14 22:42    99328       ----a-w-    c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\aestsrv.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs    REG_MULTI_SZ    BthServ
LocalServiceAndNoImpersonation    REG_MULTI_SZ    FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 22:23    38400       ----a-w-    c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 15:50    30720       ----a-w-    c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-7444275-691754428-2964961868-1016Core1ce07c4a577cf40.job
- c:\users\twgodfrey\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-24 20:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>;*.local
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\twgodfrey\AppData\Roaming\Mozilla\Firefox\Profiles\2l6ex3qg.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-StartNow Search Protect - c:\program files\StartNow Toolbar\search_protect.exe
AddRemove-{B9ECA41B-55CC-4654-B6B5-6731D009EC69} - c:\program files\InstallShield Installation Information\{B9ECA41B-55CC-4654-B6B5-6731D009EC69}\setup.exe
.
.
.
**************************************************************************



 

scanning hidden
processes ... 



 

.



 

scanning hidden
autostart entries ...



 

.



 

scanning hidden
files ... 



 

.



 

scan completed
successfully



 

hidden files:



 

.



 

**************************************************************************



 

.



 

---------------------
DLLs Loaded Under Running Processes ---------------------



 

.



 

- - - - - - -
> 'lsass.exe'(704)



 

c:\windows\system32\wvauth.dll



 

c:\windows\system32\biolsp.dll



 

.



 

- - - - - - -
> 'Explorer.exe'(1932)



 

c:\windows\system32\btncopy.dll



 

.



 

------------------------
Other Running Processes ------------------------



 

.



 

c:\program
files\Microsoft Security Essentials\MsMpEng.exe



 

c:\windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\STacSV.exe



 

c:\windows\System32\WLTRYSVC.EXE



 

c:\windows\System32\bcmwltry.exe



 

c:\windows\system32\WLANExt.exe



 

c:\program
files\Broadcom Corporation\Broadcom USH Host
Components\CV\bin\HostControlService.exe



 

c:\program
files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe



 

c:\program
files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe



 

c:\program
files\Belkin\Router Setup and Monitor\BelkinService.exe



 

c:\program
files\Dell\Ambient Light Sensor\AlsSvc.exe



 

c:\program
files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe



 

c:\program
files\Bonjour\mDNSResponder.exe



 

c:\program
files\WIDCOMM\Bluetooth Software\bin\btwdins.exe



 

c:\program
files\Dell\Dell ControlPoint\DCPButtonSvc.exe



 

c:\program
files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe



 

c:\program
files\Intel\WiFi\bin\EvtEng.exe



 

c:\program
files\Intel\Intel Matrix Storage Manager\IAANTMon.exe



 

c:\program
files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe



 

c:\program
files\Common Files\Intel\WirelessCommon\RegSrvc.exe



 

c:\program
files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe



 

c:\windows\system32\igfxsrvc.exe



 

c:\windows\servicing\TrustedInstaller.exe



 

.



 

**************************************************************************



 

.



 

Completion time:
2013-03-04  18:45:47 - machine was
rebooted



 

ComboFix-quarantined-files.txt  2013-03-04 23:45



 

.



 

Pre-Run:
83,412,402,176 bytes free



 

Post-Run:
84,157,157,376 bytes free



 

.



- - End Of File - -
F87AE2E454C7D1AB899CBBCF8021D662



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:30 AM

Posted 04 March 2013 - 09:46 PM

Hello Tgolf3

Let's get a deeper look into the system and let's see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.
  • Gringo

Edited by gringo_pr, 04 March 2013 - 09:46 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 Tgolf3

Tgolf3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:30 AM

Posted 04 March 2013 - 10:01 PM

Here's the OTL Report:

 

OTL logfile created on: 3/4/2013 9:51:27 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\twgodfrey\Desktop
Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.95 Gb Total Physical Memory | 0.82 Gb Available Physical Memory | 42.22% Memory free
4.14 Gb Paging File | 2.46 Gb Available in Paging File | 59.33% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 78.22 Gb Free Space | 52.48% Space Free | Partition Type: NTFS
 
Computer Name: TWGODFREY | User Name: twgodfrey | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\twgodfrey\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Users\twgodfrey\AppData\Roaming\Spotify\spotify.exe (Spotify Ltd)
PRC - C:\Users\twgodfrey\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (Spotify Ltd)
PRC - C:\Users\twgodfrey\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc.)
PRC - C:\Windows\System32\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
PRC - C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe (Affinegy, Inc.)
PRC - C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe (Affinegy, Inc.)
PRC - C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
PRC - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\stacsv.exe (IDT, Inc.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
PRC - C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe (NewTech Infosystems, Inc.)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\AEstSrv.exe (Andrea Electronics Corporation)
PRC - C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe (Dell Inc.)
PRC - C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe (Dell Inc.)
PRC - C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe (Smith Micro Software, Inc.)
PRC - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe (Smith Micro Software, Inc.)
PRC - C:\Program Files\DellTPad\ApMsgFwd.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe (Dell Inc.)
PRC - C:\Program Files\DellTPad\hidfind.exe (Alps Electric Co., Ltd.)
PRC - C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe (Dell, Inc.)
PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
PRC - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe (Broadcom Corporation)
PRC - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe (Broadcom Corporation)
PRC - C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (Wave Systems Corp.)
PRC - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe (Wave Systems Corp.)
PRC - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe (Dell Inc.)
PRC - C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDellB.exe ()
PRC - C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
PRC - C:\Program Files\DellTPad\ApntEx.exe (Alps Electric Co., Ltd.)
PRC - C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe (Macrovision Corporation)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Users\twgodfrey\AppData\Roaming\Spotify\Data\libcef.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\421cb77e6a4c21f94e3c5ddf766de23b\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\e64304962098e90f0d3f4c33c1b080a6\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\f042f66c2ad8fd5b8c34fa22cd22079e\System.Management.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b5df40c22ab563a816103629e2ca99d4\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\004bc6615f9c06df5c98859d35149fe6\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b757806657fa5db2b1ed1a89b026b463\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\78157a494dc9a7e52be8840decfcd9cc\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\cc149d08e75f8c53cd28ac926b38c370\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\2227d1559f87943255069398608d5c56\mscorlib.ni.dll ()
MOD - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSPTLS.DLL ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll ()
MOD - C:\Program Files\DivX\DivX Update\DivXUpdateCheck.dll ()
MOD - C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
MOD - C:\Program Files\Belkin\Router Setup and Monitor\BelkinServicePS.dll ()
MOD - C:\Program Files\Belkin\Router Setup and Monitor\gateways\GenericBelkinGatewayLOC.dll ()
MOD - C:\Windows\System32\bcmwlrmt.dll ()
MOD - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\UCMPlugin\SmithMicro.Common.dll ()
MOD - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.SharedUI.dll ()
MOD - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.AsyncOperations.dll ()
MOD - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\VpnWrapper.dll ()
MOD - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.VpnController.dll ()
MOD - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.Application.dll ()
MOD - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.Message.dll ()
MOD - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SmithMicro.Common.dll ()
MOD - C:\Program Files\Dell\Dell ControlPoint\Dell.DcpPlugin.dll ()
MOD - C:\Program Files\Dell\Dell ControlPoint\SmithMicro.Common.dll ()
MOD - C:\Windows\System32\Wavx_ESC_Logging.dll ()
MOD - C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll ()
MOD - C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDellB.exe ()
MOD - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\TspPopup_ENU.dll ()
MOD - C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDellB.crl ()
 
 
========== Services (SafeList) ==========
 
SRV - (SkypeUpdate) -- C:\Program Files\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation)
SRV - (AffinegyService) -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe (Affinegy, Inc.)
SRV - (STacSV) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\stacsv.exe (IDT, Inc.)
SRV - (IAANTMON) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation)
SRV - (NTI BackupNowEZSvr) -- C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe (NewTech Infosystems, Inc.)
SRV - (AESTFilters) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\AEstSrv.exe (Andrea Electronics Corporation)
SRV - (dcpsysmgrsvc) -- C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe (Dell Inc.)
SRV - (SMManager) -- C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe (Smith Micro Software, Inc.)
SRV - (buttonsvc32) -- C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe (Dell Inc.)
SRV - (EvtEng) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
SRV - (RegSrvc) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
SRV - (Credential Vault Host Control Service) -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe (Broadcom Corporation)
SRV - (Credential Vault Host Storage) -- C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe (Broadcom Corporation)
SRV - (TdmService) -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe (Wave Systems Corp.)
SRV - (alssvc) -- C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe (Dell Inc.)
SRV - (SecureStorageService) -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe (Wave Systems Corp.)
SRV - (tcsd_win32.exe) -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe ()
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (NwlnkFwd) -- system32\DRIVERS\nwlnkfwd.sys File not found
DRV - (NwlnkFlt) -- system32\DRIVERS\nwlnkflt.sys File not found
DRV - (IpInIp) -- system32\DRIVERS\ipinip.sys File not found
DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (MpNWMon) -- C:\Windows\System32\drivers\MpNWMon.sys (Microsoft Corporation)
DRV - (STHDA) -- C:\Windows\System32\drivers\stwrt.sys (IDT, Inc.)
DRV - (USBCCID) -- C:\Windows\System32\drivers\usbccid.sys (Microsoft Corporation)
DRV - (BCM42RLY) -- C:\Windows\System32\drivers\bcm42rly.sys (Broadcom Corporation)
DRV - (OA001Vid) -- C:\Windows\System32\drivers\OA001Vid.sys (Creative Technology Ltd.)
DRV - (cvusbdrv) -- C:\Windows\System32\drivers\cvusbdrv.sys (Broadcom Corporation)
DRV - (ApfiltrService) -- C:\Windows\System32\drivers\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (WavxDMgr) -- C:\Windows\System32\drivers\WavxDMgr.sys (Wave Systems Corp.)
DRV - (OA001Ufd) -- C:\Windows\System32\drivers\OA001Ufd.sys (Creative Technology Ltd.)
DRV - (WQ_USBRCI) -- C:\Windows\System32\drivers\WQ_rci.sys (WiQuest Communications, Inc.)
DRV - (WQ_USBHWA) -- C:\Windows\System32\drivers\WQ_hwa.sys (WiQuest Communications, Inc.)
DRV - (WQ_USBLOAD) -- C:\Windows\System32\drivers\WQ_ldr.sys (WiQuest Communications, Inc.)
DRV - (e1yexpress) -- C:\Windows\System32\drivers\e1y6032.sys (Intel Corporation)
DRV - (NAL) -- C:\Windows\System32\drivers\iqvw32.sys (Intel Corporation )
DRV - (TPM) -- C:\Windows\System32\drivers\tpm.sys (Microsoft Corporation)
DRV - (PBADRV) -- C:\Windows\System32\drivers\PBADRV.sys (Dell Inc)
DRV - (rimmptsk) -- C:\Windows\System32\drivers\rimmptsk.sys (REDC)
DRV - (PCASp50) -- C:\Windows\System32\drivers\PCASp50.sys (Printing Communications Assoc., Inc. (PCAUSA))
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
 
IE - HKU\S-1-5-21-7444275-691754428-2964961868-1016\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-7444275-691754428-2964961868-1016\..\SearchScopes,DefaultScope = {ABD93EAF-D775-BC54-E63B-2804F22FD156}
IE - HKU\S-1-5-21-7444275-691754428-2964961868-1016\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-7444275-691754428-2964961868-1016\..\SearchScopes\{180780f0-b348-4b44-8210-94a8f3ee15b2}: "URL" = http://search.comcast.net/search/?cat=Web&con=toolbar&q={searchTerms}
IE - HKU\S-1-5-21-7444275-691754428-2964961868-1016\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-7444275-691754428-2964961868-1016\..\SearchScopes\{ABD93EAF-D775-BC54-E63B-2804F22FD156}: "URL" = http://search.startnow.com/s/?q={searchTerms}&src=defsearch&provider=&provider_name=startnow&provider_code=&partner_id=999&product_id=10&affiliate_id=&channel=&toolbar_id=&toolbar_version=&install_country=&install_date=20130303&user_guid=676E2C56156B40EA8BFEE93D7A727193&machine_id=be866d0657cd7c2b386da2bf0a13c52c&browser=IE&os=win&os_version=6.0-x86-SP2&iesrc={referrer:source}
IE - HKU\S-1-5-21-7444275-691754428-2964961868-1016\..\SearchScopes\{F99D3F43-D6BF-E64F-D25A-DF3E0DB5D180}: "URL" = http://www.bing.com/search?q={searchTerms}&pc=Z196&form=ZGAIDF&install_date=20111124&iesrc={referrer:source}
IE - HKU\S-1-5-21-7444275-691754428-2964961868-1016\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-7444275-691754428-2964961868-1016\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;<local>;*.local
 
========== FireFox ==========
 
FF - prefs.js..browser.search.defaultenginename: "XFINITY"
FF - prefs.js..browser.search.defaultthis.engineName: "  "
FF - prefs.js..extensions.enabledItems: {88c7f2aa-f93f-432c-8f0e-b7d85967a527}:3.2.5.2
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.2.5.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}:6.0.27
FF - prefs.js..extensions.enabledItems: {5911488E-9D1E-40ec-8CBB-06B231CC153F}:2.3.0
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\twgodfrey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O1DPlugin: C:\Users\twgodfrey\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\twgodfrey\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\twgodfrey\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\twgodfrey\AppData\Local\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin1017300.dll (Amazon.com, Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.4\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/05/10 07:22:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/05/10 07:22:38 | 000,000,000 | ---D | M]
 
[2010/10/10 08:00:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\twgodfrey\AppData\Roaming\mozilla\Extensions
[2013/03/03 16:01:33 | 000,000,000 | ---D | M] (No name found) -- C:\Users\twgodfrey\AppData\Roaming\mozilla\Firefox\Profiles\2l6ex3qg.default\extensions
[2011/06/23 19:45:34 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\twgodfrey\AppData\Roaming\mozilla\Firefox\Profiles\2l6ex3qg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/01/20 21:21:57 | 000,004,815 | ---- | M] () (No name found) -- C:\Users\twgodfrey\AppData\Roaming\mozilla\firefox\profiles\2l6ex3qg.default\extensions\unmfwpkwkt@unmfwpkwkt.org.xpi
[2011/11/24 18:58:24 | 000,001,945 | ---- | M] () -- C:\Users\twgodfrey\AppData\Roaming\mozilla\firefox\profiles\2l6ex3qg.default\searchplugins\bing-zugo.xml
[2013/03/02 19:04:17 | 000,000,940 | ---- | M] () -- C:\Users\twgodfrey\AppData\Roaming\mozilla\firefox\profiles\2l6ex3qg.default\searchplugins\startnow.xml
[2011/10/13 07:06:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/03/21 16:01:58 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/12/21 15:23:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/04/02 21:07:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/10/13 07:06:04 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
File not found (No name found) -- C:\USERS\TWGODFREY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2L6EX3QG.DEFAULT\EXTENSIONS\{5911488E-9D1E-40EC-8CBB-06B231CC153F}
File not found (No name found) -- C:\USERS\TWGODFREY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2L6EX3QG.DEFAULT\EXTENSIONS\{88C7F2AA-F93F-432C-8F0E-B7D85967A527}
File not found (No name found) -- C:\USERS\TWGODFREY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\2L6EX3QG.DEFAULT\EXTENSIONS\ENGINE@CONDUIT.COM
[2011/07/19 04:05:25 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/02/28 15:04:46 | 000,020,569 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\xfinity.xml
 
========== Chrome  ==========
 
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: http://www.google.com/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\twgodfrey\AppData\Local\Google\Chrome\Application\25.0.1364.97\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\twgodfrey\AppData\Local\Google\Chrome\Application\25.0.1364.97\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\twgodfrey\AppData\Local\Google\Chrome\Application\25.0.1364.97\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.270.7 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U27 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7.1 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Users\twgodfrey\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Users\twgodfrey\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: AmazonMP3DownloaderPlugin (Enabled) = C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin.dll
CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
CHR - plugin: Google Update (Enabled) = C:\Users\twgodfrey\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: StartNow = C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\incfcgceegpikennjoplhfghaaikdgei\2.5.0_0\
 
O1 HOSTS File: ([2013/03/04 18:36:09 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [DCPstrApp] C:\Program Files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe (Broadcom Corporation)
O4 - HKLM..\Run: [Dell Webcam Central] C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDellB.exe ()
O4 - HKLM..\Run: [DellConnectionManager] C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe (Smith Micro Software, Inc.)
O4 - HKLM..\Run: [DellControlPoint] C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe (Dell, Inc.)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [InstaLAN] C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe (Affinegy, Inc.)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NVHotkey] C:\Windows\System32\nvHotkey.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKU\S-1-5-21-7444275-691754428-2964961868-1016..\Run: [Akamai NetSession Interface] C:\Users\twgodfrey\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc.)
O4 - HKU\S-1-5-21-7444275-691754428-2964961868-1016..\Run: [ISUSPM] C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe (Macrovision Corporation)
O4 - HKU\S-1-5-21-7444275-691754428-2964961868-1016..\Run: [Spotify] C:\Users\twgodfrey\AppData\Roaming\Spotify\Spotify.exe (Spotify Ltd)
O4 - HKU\S-1-5-21-7444275-691754428-2964961868-1016..\Run: [Spotify Web Helper] C:\Users\twgodfrey\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (Spotify Ltd)
O4 - HKU\S-1-5-21-7444275-691754428-2964961868-1016..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-21-7444275-691754428-2964961868-1016\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-7444275-691754428-2964961868-1016\Software\Policies\Microsoft\Internet Explorer\Main present
O7 - HKU\S-1-5-21-7444275-691754428-2964961868-1016\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-7444275-691754428-2964961868-1016\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-7444275-691754428-2964961868-1016\..Trusted Domains: wm.edu ([]* in Local intranet)
O15 - HKU\S-1-5-21-7444275-691754428-2964961868-1016\..Trusted Domains: wm.edu ([*.campus] * in Local intranet)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab (Java Plug-in 1.6.0_27)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5610C541-25A6-45E1-8F7D-AE84C2358105}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{561F8A36-C903-48DC-BC84-822E8362131D}: DhcpNameServer = 75.75.75.75 75.75.76.76
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: GinaDLL - (msgina.dll) -  File not found
O22 - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\System32\DreamScene.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\twgodfrey\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\twgodfrey\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O30 - LSA: Authentication Packages - (wvauth) - C:\Windows\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/03/04 21:50:12 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\twgodfrey\Desktop\OTL.exe
[2013/03/04 18:45:49 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/03/04 18:36:11 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2013/03/04 18:25:10 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/03/04 18:25:10 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/03/04 18:25:10 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/03/04 18:25:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/03/04 18:24:23 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/03/04 18:24:00 | 005,036,013 | R--- | C] (Swearware) -- C:\Users\twgodfrey\Desktop\ComboFix.exe
[2013/03/03 16:10:36 | 000,000,000 | ---D | C] -- C:\Users\twgodfrey\Desktop\RK_Quarantine
[2013/03/02 19:04:04 | 000,000,000 | ---D | C] -- C:\Users\twgodfrey\AppData\Local\StartNow
[2013/02/13 03:05:51 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/02/13 03:05:50 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/02/13 03:05:49 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/02/13 03:05:49 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/02/13 03:05:49 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/02/13 03:05:48 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/02/13 03:05:48 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/02/13 03:05:46 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/02/13 02:23:44 | 002,048,512 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/02/13 02:23:41 | 001,314,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\quartz.dll
[2013/02/13 02:23:38 | 003,602,808 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2013/02/13 02:23:38 | 003,550,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2013/02/05 17:29:24 | 000,000,000 | ---D | C] -- C:\Config.Msi
 
========== Files - Modified Within 30 Days ==========
 
[2013/03/04 21:50:16 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\twgodfrey\Desktop\OTL.exe
[2013/03/04 20:49:23 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/03/04 20:49:23 | 000,003,216 | ---- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/03/04 18:54:25 | 000,604,752 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/03/04 18:54:25 | 000,104,420 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/03/04 18:49:21 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/03/04 18:49:19 | 2094,968,832 | -HS- | M] () -- C:\hiberfil.sys
[2013/03/04 18:48:42 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2013/03/04 18:36:09 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2013/03/04 18:24:08 | 005,036,013 | R--- | M] (Swearware) -- C:\Users\twgodfrey\Desktop\ComboFix.exe
[2013/03/03 16:10:26 | 000,816,640 | ---- | M] () -- C:\Users\twgodfrey\Desktop\RogueKiller.exe
[2013/02/24 19:26:45 | 000,002,074 | ---- | M] () -- C:\Users\twgodfrey\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/02/24 19:26:45 | 000,002,072 | ---- | M] () -- C:\Users\twgodfrey\Desktop\Google Chrome.lnk
[2013/02/13 03:26:21 | 000,270,552 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/02/10 14:27:21 | 000,000,872 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-7444275-691754428-2964961868-1016Core1ce07c4a577cf40.job
 
========== Files Created - No Company Name ==========
 
[2013/03/04 18:25:10 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/03/04 18:25:10 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/03/04 18:25:10 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/03/04 18:25:10 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/03/04 18:25:10 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/03/03 16:10:10 | 000,816,640 | ---- | C] () -- C:\Users\twgodfrey\Desktop\RogueKiller.exe
[2013/02/10 14:27:21 | 000,000,872 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-7444275-691754428-2964961868-1016Core1ce07c4a577cf40.job
[2012/03/13 22:29:25 | 000,000,065 | ---- | C] () -- C:\Windows\minitab.ini
[2011/03/21 16:04:13 | 000,000,056 | ---- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/11/24 15:38:53 | 000,011,264 | ---- | C] () -- C:\Users\twgodfrey\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/08/24 14:46:32 | 000,007,728 | ---- | C] () -- C:\Users\twgodfrey\AppData\Local\d3d9caps.dat
[2010/08/24 14:46:31 | 000,000,434 | RHS- | C] () -- C:\Users\twgodfrey\ntuser.pol
[2008/12/01 11:34:57 | 000,028,599 | ---- | C] () -- C:\ProgramData\nvModes.001
[2008/12/01 11:29:47 | 000,028,599 | ---- | C] () -- C:\ProgramData\nvModes.dat
 
========== ZeroAccess Check ==========
 
[2006/11/02 07:53:06 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 12:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 01:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 01:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >
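
An added example, not part of this thread and not OTL's own code: a Python parser for the file/folder entry lines in an OTL report like the one above, with a small triage pass that flags entries with no company name in user-writable locations, entries timestamped close to the incident, and Firefox extension packages. The sample lines are copied from the OTL lines in this thread; the incident date (the day of the first post), the user-writable path markers and the scoring thresholds are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# One OTL file/folder entry, e.g.
#   [2013/03/02 19:04:04 | 000,000,000 | ---D | C] -- C:\Users\twgodfrey\AppData\Local\StartNow
# Fields: timestamp | size (thousands separators) | attributes R/H/S/D | C(reated)/M(odified)
# followed by an optional "(Company)" and the path. The "(No name found)" tag and the
# trailing "-- [ NTFS ]" seen on some lines are tolerated and discarded.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?(?:\(No name found\) )?-- "
    r"(?P<path>.+?)(?: -- \[ NTFS \])?\s*$"
)

# Assumption: locations a standard user can write to without elevation, which is
# where an unwanted browser add-on most often lands.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str
    kind: str               # "C" created, "M" modified
    company: Optional[str]  # None when OTL printed "()" or no company at all
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_entry(line: str) -> Optional[OtlEntry]:
    """Parse a single entry line; return None for section headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    company = (m.group("company") or "").strip() or None
    return OtlEntry(
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        kind=m.group("kind"),
        company=company,
        path=m.group("path"),
    )


def parse_section(text: str) -> List[OtlEntry]:
    """Parse every entry line in a block of OTL output, skipping everything else."""
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def suspicion_reasons(e: OtlEntry, incident: datetime, window_days: int = 3) -> List[str]:
    """Heuristic reasons an entry deserves a closer look (the thresholds are assumptions)."""
    reasons = []
    lowered = e.path.lower()
    if e.company is None and any(marker in lowered for marker in USER_WRITABLE):
        reasons.append("no company name, user-writable location")
    if abs(e.timestamp - incident) <= timedelta(days=window_days):
        reasons.append(f"timestamp within {window_days} days of incident")
    if lowered.endswith(".xpi") and "\\extensions\\" in lowered:
        reasons.append("Firefox extension package")
    return reasons


def triage(text: str, incident: datetime, min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for entries that collect at least min_reasons reasons."""
    flagged = []
    for e in parse_section(text):
        reasons = suspicion_reasons(e, incident)
        if len(reasons) >= min_reasons:
            flagged.append((e.path, reasons))
    return flagged


# Sample input: a subset of the OTL entry lines posted in this thread.
SAMPLE_LOG = r"""
========== Files/Folders - Created Within 30 Days ==========
[2013/03/04 18:25:10 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/03/02 19:04:04 | 000,000,000 | ---D | C] -- C:\Users\twgodfrey\AppData\Local\StartNow
[2013/02/13 03:05:51 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
========== Files - Modified Within 30 Days ==========
[2013/03/04 18:49:19 | 2094,968,832 | -HS- | M] () -- C:\hiberfil.sys
[2013/03/03 16:10:26 | 000,816,640 | ---- | M] () -- C:\Users\twgodfrey\Desktop\RogueKiller.exe
[2008/01/20 21:21:57 | 000,004,815 | ---- | M] () (No name found) -- C:\Users\twgodfrey\AppData\Roaming\mozilla\firefox\profiles\2l6ex3qg.default\extensions\unmfwpkwkt@unmfwpkwkt.org.xpi
[2013/03/02 19:04:17 | 000,000,940 | ---- | M] () -- C:\Users\twgodfrey\AppData\Roaming\mozilla\firefox\profiles\2l6ex3qg.default\searchplugins\startnow.xml
"""

# Assumption: the date of the first post in the thread serves as the incident date.
INCIDENT = datetime(2013, 3, 3)

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG, INCIDENT):
        print(path)
        for r in reasons:
            print("   -", r)
```

With these inputs the StartNow folder, the odd-named .xpi and startnow.xml are the only entries flagged; the tool binaries under C:\Windows and the desktop utilities are not.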



#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 March 2013 - 12:08 PM


Hello Tgolf3

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script
  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the Custom Scans/Fixes text box.
    :OTL
    FF - user.js - File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O20 - HKLM Winlogon: GinaDLL - (msgina.dll) -  File not found
    IE - HKU\S-1-5-21-7444275-691754428-2964961868-1016\..\SearchScopes\{ABD93EAF-D775-BC54-E63B-2804F22FD156}: "URL" = http://search.startnow.com/s/?q={searchTerms}&src=defsearch&provider=&provider_name=startnow&provider_code=&partner_id=999&product_id=10&affiliate_id=&channel=&toolbar_id=&toolbar_version=&install_country=&install_date=20130303&user_guid=676E2C56156B40EA8BFEE93D7A727193&machine_id=be866d0657cd7c2b386da2bf0a13c52c&browser=IE&os=win&os_version=6.0-x86-SP2&iesrc={referrer:source}
    FF - prefs.js..browser.search.defaultenginename: "XFINITY"
    FF - prefs.js..browser.search.defaultthis.engineName: "  "
    FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.2.5.2
    [2008/01/20 21:21:57 | 000,004,815 | ---- | M] () (No name found) -- C:\Users\twgodfrey\AppData\Roaming\mozilla\firefox\profiles\2l6ex3qg.default\extensions\unmfwpkwkt@unmfwpkwkt.org.xpi
    [2013/03/02 19:04:17 | 000,000,940 | ---- | M] () -- C:\Users\twgodfrey\AppData\Roaming\mozilla\firefox\profiles\2l6ex3qg.default\searchplugins\startnow.xml
    [2012/02/28 15:04:46 | 000,020,569 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\xfinity.xml
    [2013/03/02 19:04:04 | 000,000,000 | ---D | C] -- C:\Users\twgodfrey\AppData\Local\StartNow
    :Files
    ipconfig /flushdns /c
    C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

    Note** if the report does not pop up after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.


  • Let me know how things are doing

    Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 Tgolf3
  • Topic Starter
  • Members
  • 10 posts

Posted 05 March 2013 - 06:28 PM

I ran the program and the computer restarted.  After that automatic reboot my cursor was visible but not my desktop after the login.  I restarted the computer again from the login page and the desktop appeared fine this time.  Address bar searches no longer take me to the searchnow site.  I have checked the settings in IE and searchnow is no longer listed as an add-on or search option.  Chrome appears to be ok now as well.  Here is the log from OTL.  Thanks for all the quick responses!

 

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\Windows\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\GinaDLL:msgina.dll deleted successfully.
Registry key HKEY_USERS\S-1-5-21-7444275-691754428-2964961868-1016\Software\Microsoft\Internet Explorer\SearchScopes\{ABD93EAF-D775-BC54-E63B-2804F22FD156}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ABD93EAF-D775-BC54-E63B-2804F22FD156}\ not found.
Prefs.js: "XFINITY" removed from browser.search.defaultenginename
Prefs.js: "  " removed from browser.search.defaultthis.engineName
Prefs.js: engine@conduit.com:3.2.5.2 removed from extensions.enabledItems
C:\Users\twgodfrey\AppData\Roaming\mozilla\firefox\profiles\2l6ex3qg.default\extensions\unmfwpkwkt@unmfwpkwkt.org.xpi moved successfully.
C:\Users\twgodfrey\AppData\Roaming\mozilla\firefox\profiles\2l6ex3qg.default\searchplugins\startnow.xml moved successfully.
C:\Program Files\Mozilla Firefox\searchplugins\xfinity.xml moved successfully.
C:\Users\twgodfrey\AppData\Local\StartNow folder moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\twgodfrey\Desktop\cmd.bat deleted successfully.
C:\Users\twgodfrey\Desktop\cmd.txt deleted successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\User StyleSheets folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Sync Data folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Session Storage folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#www.usanetwork.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#www.rolex.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#www.purdey.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#www.npr.org folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#www.merkel-usa.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#www.lexus.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#www.landrover.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#www.hulu.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#www.audiusa.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#static.wix.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#secure.hulu.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#secure-us.imrworldwide.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#s0.2mdn.net folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#s.ytimg.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#player.ooyala.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#p1.soundcloud.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#opf.ooyala.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#media.npr.org folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#media.mtvnservices.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#mail.google.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#ia.media-imdb.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#g-ecx.images-amazon.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#extras.ooyala.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#entitlement.auth.adobe.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#core.saymedia.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#cnettv.cnet.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#cdnbakmi.kaltura.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#assets.bunchball.net folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#aa.online-metrix.net folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#a248.e.akamai.net folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#a.vimeocdn.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys\#a.huluad.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer\sys folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support\flashplayer folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com\support folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\macromedia.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.usanetwork.com\videos\pdk\swf\flvPlayer.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.usanetwork.com\videos\pdk\swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.usanetwork.com\videos\pdk folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.usanetwork.com\videos folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.usanetwork.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.rolex.com\[[IMPORT]]\79423.analytics.edgesuite.net\csma\plugin\csma.swf\Akama# folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.rolex.com\[[IMPORT]]\79423.analytics.edgesuite.net\csma\plugin\csma.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.rolex.com\[[IMPORT]]\79423.analytics.edgesuite.net\csma\plugin folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.rolex.com\[[IMPORT]]\79423.analytics.edgesuite.net\csma folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.rolex.com\[[IMPORT]]\79423.analytics.edgesuite.net folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.rolex.com\[[IMPORT]] folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.rolex.com\swf\main_31213.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.rolex.com\swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.rolex.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.purdey.com\video\flowplayer-3.2.7.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.purdey.com\video folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.purdey.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.npr.org\player\v2\audioPlayer.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.npr.org\player\v2 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.npr.org\player folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.npr.org folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.merkel-usa.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.lexus.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.landrover.com\c\flashconfig\container.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.landrover.com\c\flashconfig folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.landrover.com\c folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.landrover.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.hulu.com\cram.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.hulu.com\##DD0E293FC501FD1C folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.hulu.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.audiusa.com\ngwext_mofi\swf\modelfinderv2.swf\de.nd.au# folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.audiusa.com\ngwext_mofi\swf\modelfinderv2.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.audiusa.com\ngwext_mofi\swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.audiusa.com\ngwext_mofi folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\www.audiusa.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\tbupdate.zugo.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\static.wix.com\client\app.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\static.wix.com\client folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\static.wix.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\smartcoup-a.akamaihd.net\items\e6a00\storage.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\smartcoup-a.akamaihd.net\items\e6a00 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\smartcoup-a.akamaihd.net\items folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\smartcoup-a.akamaihd.net folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\secure.hulu.com\cram.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\secure.hulu.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\secure-us.imrworldwide.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\s0.2mdn.net folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\s.ytimg.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\player.ooyala.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\p1.soundcloud.com\player.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\p1.soundcloud.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\opf.ooyala.com\3rdparty\espn_ui_module_v2_99.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\opf.ooyala.com\3rdparty folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\opf.ooyala.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\media.npr.org folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\media.mtvnservices.com\player\prime\mediaplayerprime.1.12.1.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\media.mtvnservices.com\player\prime folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\media.mtvnservices.com\player folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\media.mtvnservices.com\com.m#\tvnservices.media.as3player.mo# folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\media.mtvnservices.com\com.m# folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\media.mtvnservices.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\mail.google.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\macromedia.com\support\flashplayer\sys\#tbupdate.zugo.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\macromedia.com\support\flashplayer\sys\#smartcoup-a.akamaihd.net folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\macromedia.com\support\flashplayer\sys\#s.ytimg.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\macromedia.com\support\flashplayer\sys folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\macromedia.com\support\flashplayer folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\macromedia.com\support folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\macromedia.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\ia.media-imdb.com folder moved successfully.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images\G\01\zeitgeist\mp3player\swf\z#\gMp3Player-1.0._V212274098_.swf scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images\G\01\zeitgeist\mp3player\swf\z# scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images\G\01\zeitgeist\mp3player\swf scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images\G\01\zeitgeist\mp3player scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images\G\01\zeitgeist scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images\G\01\digital\music\swfs\AlbumSampler_#\Localized_Prod._V228929840_.swf scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images\G\01\digital\music\swfs\AlbumSampler_# scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images\G\01\digital\music\swfs scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images\G\01\digital\music scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images\G\01\digital scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images\G\01 scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images\G scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com\images scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\g-ecx.images-amazon.com scheduled to be moved on reboot.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\extras.ooyala.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\entitlement.auth.adobe.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\core.saymedia.com\#ve folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\core.saymedia.com\#com\videoegg folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\core.saymedia.com\#com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\core.saymedia.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\[[IMPORT]]\vidtech.cbsinteractive.com\player\2_9_2\CBSI_PLAYER.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\[[IMPORT]]\vidtech.cbsinteractive.com\player\2_9_2 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\[[IMPORT]]\vidtech.cbsinteractive.com\player folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\[[IMPORT]]\vidtech.cbsinteractive.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\[[IMPORT]]\79423.analytics.edgesuite.net\csma\plugin\csma.swf\Akama# folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\[[IMPORT]]\79423.analytics.edgesuite.net\csma\plugin\csma.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\[[IMPORT]]\79423.analytics.edgesuite.net\csma\plugin folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\[[IMPORT]]\79423.analytics.edgesuite.net\csma folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\[[IMPORT]]\79423.analytics.edgesuite.net folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\[[IMPORT]] folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\av\video\cbsnews\atlantis2\cbsnews_player_embed.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\av\video\cbsnews\atlantis2 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\av\video\cbsnews folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\av\video folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com\av folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cnettv.cnet.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cdnbakmi.kaltura.com\p\269692\sp\26969200\flash\kdp3\v3.5.55\kdp3.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cdnbakmi.kaltura.com\p\269692\sp\26969200\flash\kdp3\v3.5.55 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cdnbakmi.kaltura.com\p\269692\sp\26969200\flash\kdp3 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cdnbakmi.kaltura.com\p\269692\sp\26969200\flash folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cdnbakmi.kaltura.com\p\269692\sp\26969200 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cdnbakmi.kaltura.com\p\269692\sp folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cdnbakmi.kaltura.com\p\269692 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cdnbakmi.kaltura.com\p folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\cdnbakmi.kaltura.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\assets.bunchball.net folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\aa.online-metrix.net\fpc.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\aa.online-metrix.net folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\a248.e.akamai.net\swf.soundcloud.com\player.swf folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\a248.e.akamai.net\swf.soundcloud.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\a248.e.akamai.net folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\a.vimeocdn.com folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S\a.huluad.com folder moved successfully.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects\TP76BY4S scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot\#SharedObjects scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\WritableRoot scheduled to be moved on reboot.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\CacheWritableAdobeRoot\AssetCache\S895EER2 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\CacheWritableAdobeRoot\AssetCache folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\CacheWritableAdobeRoot folder moved successfully.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data scheduled to be moved on reboot.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\old_Cache_000 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Media Cache folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Local Storage folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\incfcgceegpikennjoplhfghaaikdgei\2.5.0_0\Popup\images\providers folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\incfcgceegpikennjoplhfghaaikdgei\2.5.0_0\Popup\images folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\incfcgceegpikennjoplhfghaaikdgei\2.5.0_0\Popup\.idea\scopes folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\incfcgceegpikennjoplhfghaaikdgei\2.5.0_0\Popup\.idea\inspectionProfiles folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\incfcgceegpikennjoplhfghaaikdgei\2.5.0_0\Popup\.idea folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\incfcgceegpikennjoplhfghaaikdgei\2.5.0_0\Popup folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\incfcgceegpikennjoplhfghaaikdgei\2.5.0_0 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\incfcgceegpikennjoplhfghaaikdgei folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Extensions folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Default\aadjddgddiggdbdgdbdhdjdjdedadbdc folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Default folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\databases\https_www.walmart.com_0 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\databases\https_www.ups.com_0 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\databases\https_twitter.com_0 folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\databases folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Cache folder moved successfully.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default scheduled to be moved on reboot.
========== COMMANDS ==========
 
[EMPTYJAVA]
 
User: Administrator
 
User: All Users
 
User: Default
 
User: Default User
 
User: Joe
 
User: Public
 
User: twgodfrey
->Java cache emptied: 1553197 bytes
 
Total Java Files Cleaned = 1.00 mb
 
 
[EMPTYFLASH]
 
User: Administrator
 
User: All Users
 
User: Default
 
User: Default User
 
User: Joe
 
User: Public
 
User: twgodfrey
->Flash cache emptied: 44055 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 03052013_173942
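
The OTL log above ends with a set of Chrome profile folders that could not be moved while the browser held them open and were deferred to the next reboot ("Folder move failed. ... scheduled to be moved on reboot."). The practical caveat is that a deferred move is a promise, not a result: it has to be confirmed after the restart. As an added example (not part of the thread and not OTL's own code), here is a Python script that parses OTL move results, collapses the deferred paths to their topmost directories, and, when run on the cleaned machine after the reboot, reports any that still exist. The sample lines are constructed from the log above with the same format; the "File move failed." variant and the bare "<path> moved successfully." form for single files are assumptions mirroring the folder lines shown here.

```python
import os
import re

# Constructed sample in the format of the OTL log above (paths taken from the
# ones in this thread). The last line is OTL's closing banner.
SAMPLE_OTL_LOG = r"""
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Extensions\incfcgceegpikennjoplhfghaaikdgei folder moved successfully.
C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Cache folder moved successfully.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default\Pepper Data scheduled to be moved on reboot.
Folder move failed. C:\Users\twgodfrey\AppData\Local\Google\Chrome\User Data\Default scheduled to be moved on reboot.
OTL by OldTimer - Version 3.2.69.0 log created on 03052013_173942
"""

# "<path> folder moved successfully." is the form shown in the thread; the bare
# "<path> moved successfully." form for single files is an assumption.
MOVED_RE = re.compile(r"^(?P<path>.+?)(?: folder)? moved successfully\.$")
# "Folder move failed." is shown in the thread; "File move failed." is assumed.
PENDING_RE = re.compile(
    r"^(?:File|Folder) move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$"
)


def parse_otl_moves(text):
    """Return (moved, pending): paths OTL moved now vs. deferred to the reboot."""
    moved, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = PENDING_RE.match(line)
        if m:
            pending.append(m.group("path"))
            continue
        m = MOVED_RE.match(line)
        if m:
            moved.append(m.group("path"))
    return moved, pending


def pending_roots(paths):
    """Collapse deferred paths to their topmost directories: a parent that is
    scheduled for reboot covers everything beneath it, so only the roots need
    checking afterwards."""
    roots = []
    for p in sorted(set(paths), key=len):          # parents are shorter than children
        low = p.lower()
        if not any(low.startswith(r.lower() + "\\") for r in roots):
            roots.append(p)
    return roots


def still_present(paths):
    """Run on the cleaned machine after the reboot: anything returned here was
    not moved by the pending-rename step and needs another look."""
    return [p for p in paths if os.path.exists(p)]


if __name__ == "__main__":
    moved, pending = parse_otl_moves(SAMPLE_OTL_LOG)
    print(f"moved now: {len(moved)}, deferred to reboot: {len(pending)}")
    roots = pending_roots(pending)
    for root in roots:
        print("verify after reboot:", root)
    for p in still_present(roots):
        print("STILL PRESENT:", p)
```

On the sample, the two deferred entries collapse to the single Chrome `User Data\Default` root, which is what to check for after the restart; on a machine other than the infected one every path is simply absent and nothing is reported.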



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 March 2013 - 08:47 PM


Hello Tgolf3

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

    ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
(image: CFScriptB-4.gif)
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"
  • In your next post I need the following
  • report from ComboFix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
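
The "check out the computer" step in the post above is done by reading the ComboFix report that the CFScript produces, in particular its "Reg Loading Points" section, which lists every autostart entry with its image path, file date and size. As an added example (not part of the thread and not ComboFix's or the helper's own code), here is a Python triage script that parses that section and flags entries worth a second look: images given as a bare filename, images living outside Program Files and Windows (for instance under a user's AppData), images run from a Temp directory, and files dated close to the report date. The sample is constructed in that format from entries patterned on the report posted later in this thread; the HYPOTHETICAL_UPDATER entry is invented to exercise the Temp rule, and the trusted-prefix list and the 30-day window are assumptions to tune per case.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample in the layout of a ComboFix "Reg Loading Points" section,
# patterned on the report posted in this thread. The last entry,
# HYPOTHETICAL_UPDATER, is invented to exercise the Temp-directory rule.
SAMPLE_REPORT = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"Akamai NetSession Interface"="c:\users\twgodfrey\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
"Spotify"="c:\users\twgodfrey\AppData\Roaming\Spotify\Spotify.exe" [2013-03-05 4477336]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-28 13543968]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe" [2009-09-11 6788944]
"HYPOTHETICAL_UPDATER"="c:\users\twgodfrey\AppData\Local\Temp\1.tmp\updater.exe" [2013-03-05 40960]
"""

REPORT_DATE = date(2013, 3, 5)   # date in the banner of the report in this thread

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*'
    r"\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$"
)
# Assumed set of locations a standard user cannot write to on this Vista box.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Autostart:
    key: str
    name: str
    path: str
    file_date: date
    size: int
    flags: tuple


def classify(path, file_date, report_date, recent_days=30):
    """Heuristic flags for one autostart entry; an empty tuple means nothing stood out."""
    p = path.lower()
    flags = []
    if "\\" not in p:
        flags.append("unqualified")           # bare name, resolved by search order
    elif not p.startswith(TRUSTED_PREFIXES):
        flags.append("outside-program-dirs")  # user-writable location such as AppData
    if "\\temp\\" in p:
        flags.append("temp")                  # droppers and installers run from here
    if report_date - file_date <= timedelta(days=recent_days):
        flags.append("recent")                # file dated close to the incident
    return tuple(flags)


def parse_loading_points(text, report_date=REPORT_DATE):
    """Parse [HKEY_...] blocks and their "name"="path" [date size] entries."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            file_date = date.fromisoformat(m.group("date"))
            entries.append(Autostart(key, m.group("name"), m.group("path"), file_date,
                                     int(m.group("size")),
                                     classify(m.group("path"), file_date, report_date)))
    return entries


def triage(text, report_date=REPORT_DATE):
    """Entries worth a second look, most flags first."""
    flagged = [e for e in parse_loading_points(text, report_date) if e.flags]
    return sorted(flagged, key=lambda e: len(e.flags), reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_REPORT):
        print(f"{e.name:24} {', '.join(e.flags):36} {e.path}")
```

The flags are hints, not verdicts: in this thread Akamai NetSession and Spotify legitimately run from AppData, and the zugo search plugin that actually produced the redirects shows up under "Other Deletions" rather than as a Run entry, so the script narrows what a responder reads first but does not replace reading the rest of the report.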

#11 Tgolf3

Tgolf3
  • Topic Starter

  • Members
  • 10 posts

Posted 06 March 2013 - 07:13 AM

I ran the program and restarted the machine after getting the "Illegal Operation" message while trying to reconnect to my router. After that restart I had trouble reconnecting to the router and received an "incorrect safe key" message. I then restarted my router and modem and that seemed to fix the problem. I now have no trouble accessing the internet and I see no signs of Searchnow.

Here is the log from the ComboFix run:

ComboFix 13-03-04.01 - twgodfrey 03/05/2013  21:16:37.2.2 - x86
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.1.1033.18.1999.961 [GMT -5:00]
Running from: c:\users\twgodfrey\Desktop\ComboFix.exe
Command switches used :: c:\users\twgodfrey\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: Microsoft Security Essentials *Disabled/Updated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\TWGODF~1\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\users\twgodfrey\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\users\twgodfrey\AppData\Roaming\Mozilla\Firefox\Profiles\2l6ex3qg.default\searchplugins\bing-zugo.xml
c:\windows\system32\drivers\etc\lmhosts
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-06 to 2013-03-06   )))))))))))))))))))))))))))))))
.
.
2013-03-06 02:22 . 2013-03-06 02:25 --------  d-----w-  c:\users\twgodfrey\AppData\Local\temp
2013-03-06 02:22 . 2013-03-06 02:22 --------  d-----w-  c:\users\Joe\AppData\Local\temp
2013-03-06 02:22 . 2013-03-06 02:22 --------  d-----w-  c:\users\Default\AppData\Local\temp
2013-03-06 02:22 . 2013-03-06 02:22 --------  d-----w-  c:\users\Administrator\AppData\Local\temp
2013-03-05 23:31 . 2013-02-08 00:45 6954968   ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0ABE19CA-D20E-4315-8DA0-E4CB82E53079}\mpengine.dll
2013-03-05 22:39 . 2013-03-05 22:39 --------  d-----w-  C:\_OTL
2013-02-13 07:23 . 2013-01-04 01:38 2048512   ----a-w-  c:\windows\system32\win32k.sys
2013-02-13 07:23 . 2012-11-08 03:48 1314816   ----a-w-  c:\windows\system32\quartz.dll
2013-02-13 07:23 . 2013-01-04 11:28 905576    ----a-w-  c:\windows\system32\drivers\tcpip.sys
2013-02-13 07:23 . 2013-01-05 05:26 3602808   ----a-w-  c:\windows\system32\ntkrnlpa.exe
2013-02-13 07:23 . 2013-01-05 05:26 3550072   ----a-w-  c:\windows\system32\ntoskrnl.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-08 00:45 . 2010-08-24 19:58 6954968   ----a-w-  c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-30 10:53 . 2010-08-09 16:21 232336    ------w-  c:\windows\system32\MpSigStub.exe
2012-12-16 13:12 . 2012-12-27 22:11 34304     ----a-w-  c:\windows\system32\atmlib.dll
2012-12-16 10:50 . 2012-12-27 22:11 293376    ----a-w-  c:\windows\system32\atmfd.dll
2012-12-14 21:49 . 2013-01-13 16:12 21104     ----a-w-  c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{022F2F51-CDDA-4873-8A29-72C66C808A3F}"
[HKEY_CLASSES_ROOT\CLSID\{022F2F51-CDDA-4873-8A29-72C66C808A3F}]
2009-11-08 14:55  297808  ----a-w-  c:\windows\System32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{661963C1-99A1-44e7-A671-1CF3768AE9D4}"
[HKEY_CLASSES_ROOT\CLSID\{661963C1-99A1-44e7-A671-1CF3768AE9D4}]
2009-11-08 14:55  297808  ----a-w-  c:\windows\System32\mscoree.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Akamai NetSession Interface"="c:\users\twgodfrey\AppData\Local\Akamai\netsession_win.exe" [2012-10-09 4441920]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-01-08 18705664]
"Spotify"="c:\users\twgodfrey\AppData\Roaming\Spotify\Spotify.exe" [2013-03-05 4477336]
"Spotify Web Helper"="c:\users\twgodfrey\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-03-05 1103768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-28 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-28 92704]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2008-06-28 96800]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-02 3563520]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2008-08-18 598016]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2008-06-24 243000]
"DCPstrApp"="c:\program files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe" [2008-08-04 6656]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDellB.exe" [2008-04-11 372736]
"DellConnectionManager"="c:\program files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe" [2008-10-01 1454080]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-10-02 200704]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-07-31 458844]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe" [2009-09-11 6788944]
.
c:\users\twgodfrey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-6-5 752168]
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2008-11-11 936224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages  REG_MULTI_SZ  msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WavXMgr]
2008-05-14 22:42  99328  ----a-w-  c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\aestsrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs  REG_MULTI_SZ  BthServ
LocalServiceAndNoImpersonation  REG_MULTI_SZ  FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 22:23  38400  ----a-w-  c:\windows\System32\SoundSchemes.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 15:50  30720  ----a-w-  c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-7444275-691754428-2964961868-1016Core1ce07c4a577cf40.job
- c:\users\twgodfrey\AppData\Local\Google\Update\GoogleUpdate.exe [2010-08-24 20:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>;*.local
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\twgodfrey\AppData\Roaming\Mozilla\Firefox\Profiles\2l6ex3qg.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net



 

Rootkit scan
2013-03-05 21:26



 

Windows 6.0.6002
Service Pack 2 NTFS



 

.



 

scanning hidden
processes ... 



 

.



 

scanning hidden
autostart entries ...



 

.



 

scanning hidden
files ... 



 

.



 

scan completed successfully



 

hidden files: 0



 

.



 

**************************************************************************



 

.



 

---------------------
DLLs Loaded Under Running Processes ---------------------



 

.



 

- - - - - - -
> 'lsass.exe'(708)



 

c:\windows\system32\wvauth.dll



 

c:\windows\system32\biolsp.dll



 

.



 

- - - - - - -
> 'Explorer.exe'(2388)



 

c:\windows\system32\btncopy.dll



 

.



 

------------------------
Other Running Processes ------------------------



 

.



 

c:\program
files\Microsoft Security Essentials\MsMpEng.exe



 

c:\windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\STacSV.exe



 

c:\windows\System32\WLTRYSVC.EXE



 

c:\windows\System32\bcmwltry.exe



 

c:\windows\system32\WLANExt.exe



 

c:\program
files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe



 

c:\program
files\Broadcom Corporation\Broadcom USH Host
Components\CV\bin\HostStorageService.exe



 

c:\program
files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe



 

c:\program
files\Belkin\Router Setup and Monitor\BelkinService.exe



 

c:\program
files\Dell\Ambient Light Sensor\AlsSvc.exe



 

c:\program
files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe



 

c:\program
files\Bonjour\mDNSResponder.exe



 

c:\program
files\WIDCOMM\Bluetooth Software\bin\btwdins.exe



 

c:\program
files\Dell\Dell ControlPoint\DCPButtonSvc.exe



 

c:\program
files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe



 

c:\program
files\Intel\WiFi\bin\EvtEng.exe



 

c:\program
files\Intel\Intel Matrix Storage Manager\IAANTMon.exe



 

c:\program
files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe



 

c:\program
files\Common Files\Intel\WirelessCommon\RegSrvc.exe



 

c:\program
files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe



 

c:\windows\system32\igfxsrvc.exe



 

c:\\?\c:\windows\system32\wbem\WMIADAP.EXE



 

.



 

**************************************************************************



 

.



 

Completion time:
2013-03-05  21:29:04 - machine was
rebooted



 

ComboFix-quarantined-files.txt  2013-03-06 02:29



 

ComboFix2.txt  2013-03-04 23:45



 

.



 

Pre-Run: 84,231,032,832
bytes free



 

Post-Run:
83,903,180,800 bytes free



 

.



- - End Of File - -
4256509F47B5D8A2869A1718C8B8FAE8



#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:30 AM

Posted 06 March 2013 - 01:04 PM



Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing. These logs are looking a lot better. But we still have some work to do.


uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (it does a lot better of a job).
  • Programs to remove

    • Adobe Reader 9.2
    • BitTorrent
    • BitTorrentBar Toolbar
    • Conduit Engine
    • Java™ 6 Update 27



  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.


    Update Adobe reader
    • Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

      You can download it from http://www.adobe.com/products/acrobat/readstep2.html
      After installing the latest Adobe Reader, uninstall all previous versions.
      If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      • If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

        Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

    Clean Out Temp Files
    • This small application you may want to keep and use once a week to keep the computer clean.

      Download CCleaner from here http://www.ccleaner.com/
      • Run the installer to install the application.
      • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
      • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
      • Click Run Cleaner.
      • Close CCleaner.
: Malwarebytes' Anti-Malware :

I see you have MBAM installed - I think this is a great program and would like you to run a quick scan at this time
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



    Download HijackThis
    • Go Here to download HijackThis program
    • Save HijackThis to your desktop.
    • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
    • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
    • copy and paste hijackthis report into the topic
    "information and logs"
    • In your next post I need the following
      • Log From MBAM
      • report from Hijackthis
      • let me know of any problems you may have had
      • How is the computer doing now?
    Gringo









I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 Tgolf3

Tgolf3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:30 AM

Posted 07 March 2013 - 10:15 AM

Thanks Gringo, my Internet is out due to a storm so I am posting this from my phone. I will take these steps and post the results as soon as my Internet is restored.

#14 Tgolf3

Tgolf3
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:30 AM

Posted 07 March 2013 - 07:02 PM

I had no trouble running any of the programs and have followed all of your requested steps.  I haven't had any trouble with the computer, everything seems to be performing as it should.

 

Here is the MBAM Log:

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.07.14

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
twgodfrey :: TWGODFREY [administrator]

3/7/2013 6:47:36 PM
mbam-log-2013-03-07 (18-47-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 251748
Time elapsed: 6 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

Here is the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:58:59 PM, on 3/7/2013
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16464)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDellB.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\twgodfrey\AppData\Local\Akamai\netsession_win.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Users\twgodfrey\AppData\Roaming\Spotify\spotify.exe
C:\Users\twgodfrey\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Users\twgodfrey\AppData\Local\Akamai\netsession_win.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_4_402_265_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\notepad.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\twgodfrey\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1:9421;<local>;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [DellControlPoint] "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [DCPstrApp] C:\Program Files\Dell\Dell ControlPoint\Security Manager\SecurityDeviceInfoSetRegistryString.exe
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDellB.exe" /mode2
O4 - HKLM\..\Run: [DellConnectionManager] "C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [InstaLAN] "C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe" startup
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\twgodfrey\AppData\Local\Akamai\netsession_win.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKCU\..\Run: [Spotify] "C:\Users\twgodfrey\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\twgodfrey\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\aestsrv.exe
O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
O23 - Service: Ambient Light Sensor (alssvc) - Dell Inc. - C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Dell ControlPoint Button Service (buttonsvc32) - Dell Inc. - C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
O23 - Service: Credential Vault Host Control Service - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
O23 - Service: Credential Vault Host Storage - Broadcom Corporation - C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NTI BackupNowEZSvr - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Smith Micro Connection Manager Service (SMManager) - Smith Micro Software, Inc. - C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\STacSV.exe
O23 - Service: NTRU TSS v1.2.1.27 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 11310 bytes



#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:30 AM

Posted 07 March 2013 - 09:32 PM


Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be. Any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis (rightclick and run as admin)
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
      O4 - HKLM\..\Run: [DellControlPoint] "C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
      O4 - HKLM\..\Run: [DellConnectionManager] "C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe"
      O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
      O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
      O4 - HKLM\..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe
      O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
      O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\twgodfrey\AppData\Local\Akamai\netsession_win.exe"
      O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
      O4 - HKCU\..\Run: [Spotify] "C:\Users\twgodfrey\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
      O4 - HKCU\..\Run: [Spotify Web Helper] "C:\Users\twgodfrey\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
      O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
      O4 - Global Startup: Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe


  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
    • NOTE**You can research each of those lines >here< and see if you want to keep them or not
      just copy the name between the brackets and paste into the search space
      O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.

  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish
  • When the scan is complete
    • If no threats were found
      • put a checkmark in "Uninstall application on close"
      • close program
      • report to me that nothing was found
  • If threats were found
    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish
    • close program
    • copy and paste the report here
Gringo
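To work with the O4 lines the helper points at above (copy the name between the brackets, tick the line, then "Fix Checked"), here is an added Python parser for HijackThis log lines; it is not part of the thread and not HijackThis code. It pulls the hive, the bracketed name and the image a Run entry actually loads (looking through rundll32 to the DLL), and selects the lines to fix by name; the sample lines are copied from the HijackThis log posted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\Windows\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Spotify] "C:\Users\twgodfrey\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - <body>", "R1 - <body>", "F2 - <body>" ... every HijackThis finding starts with a section code
_ENTRY_RE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")
# Registry autostart: HKLM\..\Run: [Name] command   (HKUS\S-1-5-...\..\Run also matches)
_RUNKEY_RE = re.compile(
    r"^(?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] ?(?P<cmd>.*)$")
# Startup-folder autostart: Global Startup: Name.lnk = target
_FOLDER_RE = re.compile(r"^(?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# First image in a command line: either a quoted path or an unquoted one up to its extension
_IMAGE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|lnk|htm)))', re.IGNORECASE)


@dataclass
class Entry:
    section: str                   # R0, O2, O4, O23 ...
    line: str                      # the original log line, as it must be ticked in HijackThis
    hive: Optional[str] = None     # HKLM / HKCU / Startup / Global Startup (O4 only)
    name: Optional[str] = None     # text between the brackets, or the .lnk name
    command: Optional[str] = None  # full command line or shortcut target
    image: Optional[str] = None    # executable or DLL the entry really loads


def image_path(command: str) -> Optional[str]:
    """Resolve the program an autostart command loads; None if unresolvable (e.g. '?')."""
    cmd = command.strip()
    m = _IMAGE_RE.match(cmd)
    if not m:
        return None
    path = m.group("q") or m.group("u")
    # rundll32 only hosts code: the module named after it is the image that matters
    if path.lower().split("\\")[-1] == "rundll32.exe":
        m2 = _IMAGE_RE.match(cmd[m.end():].strip())
        if not m2:
            return None
        return m2.group("q") or m2.group("u")
    return path


def parse_hjt(text: str) -> List[Entry]:
    """Turn a HijackThis log into Entry records; O4 lines get their autostart fields filled in."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, 'Running processes' and blank lines carry no section code
        e = Entry(section=m.group("section"), line=raw.strip())
        if e.section == "O4":
            k = _RUNKEY_RE.match(m.group("body")) or _FOLDER_RE.match(m.group("body"))
            if k:
                e.hive, e.name, e.command = k.group("hive"), k.group("name"), k.group("cmd")
                e.image = image_path(e.command)
        entries.append(e)
    return entries


def autostarts_by_hive(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group O4 entry names by where they are registered (HKLM, HKCU, startup folders)."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        if e.section == "O4" and e.hive and e.name:
            out.setdefault(e.hive, []).append(e.name)
    return out


def select_for_fix(entries: List[Entry], names: List[str]) -> List[str]:
    """Return the exact O4 lines to tick before 'Fix Checked', matched by bracketed name
    (case-insensitive), which is how the helper tells the user to find them."""
    wanted = {n.lower() for n in names}
    return [e.line for e in entries
            if e.section == "O4" and e.name and e.name.lower() in wanted]


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    for e in ents:
        if e.section == "O4":
            print(f"{e.hive:<15} {e.name:<40} -> {e.image}")
    for line in select_for_fix(ents, ["NvCplDaemon", "Spotify"]):
        print("FIX:", line)
```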



