
Sirefef.gen!C Google Warning


This topic is locked. 31 replies to this topic.

#1 IBreakPCs
Members, 31 posts

Posted 13 April 2013 - 01:50 AM

Special case exception found for received certificate.
The certificate received has been flagged as erroneous. Please see http://support.google.com/chrome/?p=e_malware_Sirefef&hl=en-US for more details.

The certificate received indicates that this computer is infected with Sirefef.gen!C.

Sirefef.gen!C is a computer virus that intercepts secure web connections and can steal passwords and other sensitive data.

Chrome recognises this virus, but it affects all software on the computer. Other browsers and software may continue to work but they are also affected and rendered insecure.

Microsoft Security Essentials can reportedly remove this virus. When the virus is removed, the warnings in Chrome will stop.

Microsoft Security Essentials is freely available from Microsoft at http://windows.microsoft.com/en-US/windows/security-essentials-download

 

Yes, I have seen the other 'tutorials' (I'm not sure what to call them) but decided not to follow them because we may have a different computer/OS or whatever and I thought that it may not work the same with mine.

 

Well, this problem started after I stupidly downloaded a file that came with a video I downloaded somewhere, thinking that it would solve the problem of not being able to read the same video that I downloaded. 

I tried to solve my problem by scanning with my antivirus, which is ESET NOD32, but it just can't seem to dig out the malware. I tried Malwarebytes but it did not solve my problem either. I tried to download Microsoft Security Essentials (as was suggested by the warning) only to be told by the program that I do not have a genuine Windows (I don't actually really know).

Oh, yes. ESET updated its virus database today and was able to detect 2 Sirefef.gen threats.

 

I am using Windows XP.

 

Please take good care of me. I might not be able to follow at times because I am new with this. I am sorry and thank you in advance. :)




 


#2 Elise (Bleepin' Blonde)
Malware Study Hall Admin, 61,257 posts
Gender: Female, Location: Romania

Posted 13 April 2013 - 02:03 AM

Hello IBreakPCs and welcome to BleepingComputer. :)
My name is Elise and I'll assist you with this issue. Please don't run any other fixes or tools while we work on your computer.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
  • Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

    Information on A/V control HERE


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 IBreakPCs (Topic Starter)
Members, 31 posts

Posted 13 April 2013 - 02:16 AM

That was a fast reply xD I was ready to wait for a few days. Thank you for your reply :D

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_31
Run by nicky at 16:15:51 on 2013-04-13
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\BR040286.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\IMESHA~1\MediaBar\Datamngr\DATAMN~1.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Akamai\netsession_win.exe
C:\DOCUME~1\nicky\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Google\Update\1.3.21.135\GoogleCrashHandler.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\nicky\My Documents\Downloads\PCTools_Safe_Install_SD.exe
C:\Program Files\PC Tools\DMScanning\PCTSFiles.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.garena.com/
uSearch Bar = hxxp://search.imesh.com/sidebar.html?src=ssb&sysid=1
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uProxyOverride = 127.0.0.1:9421;<local>
uSearchAssistant = hxxp://search.imesh.com/sidebar.html?src=ssb&sysid=1
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://search.imesh.com/sidebar.html?src=ssb&sysid=1
uURLSearchHooks: UrlSearchHook Class: {00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - LocalServer32 - <no file>
uURLSearchHooks: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTo0.dll
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
uURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053F9267-DC04-4294-A72C-58F732D338C0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahooo Search Protection: {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: UrlHelper Class: {474597C5-AB09-49d6-A4D5-2E8D7341384E} - c:\program files\imesh applications\mediabar\datamngr\IEBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: MediaBar: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - c:\program files\imesh applications\mediabar\toolbar\iMeshMediaBarDx.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTo0.dll
BHO: Complitly: {D27FC31C-6E3D-4305-8D53-ACDAEFA5F862} - c:\documents and settings\nicky\application data\complitly\Complitly.dll
BHO: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - LocalServer32 - <no file>
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: uTorrentBar Toolbar: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - c:\program files\utorrentbar\prxtbuTo0.dll
TB: Freecorder Toolbar: {1392B8D2-5C05-419F-A8F6-B9F15A596612} - c:\program files\freecorder\prxtbFre0.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: MediaBar: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - c:\program files\imesh applications\mediabar\toolbar\iMeshMediaBarDx.dll
TB: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTo0.dll
TB: YouTube Downloader Toolbar: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - LocalServer32 - <no file>
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
uRun: [ChikkaDefault] c:\progra~1\chikka~1\chikka~1.4\ChikkaLauncher.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [Akamai NetSession Interface] "c:\documents and settings\nicky\local settings\application data\akamai\netsession_win.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRunOnce: [PC Tools Security] c:\docume~1\nicky\mydocu~1\downlo~1\PCTOOL~1.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [BisonInst0402] c:\windows\BR040286.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DATAMNGR] c:\progra~1\imesha~1\mediabar\datamngr\DATAMN~1.EXE
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: &Download All using 4shared Desktop - c:\program files\4shared desktop\down_all.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\plants vs. zombies\images\stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341720490000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\progra~1\imesha~1\mediabar\datamngr\datamngr.dll c:\progra~1\imesha~1\mediabar\datamngr\IEBHO.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nicky\application data\mozilla\firefox\profiles\etd1k36o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=UTR&o=15467&locale=en_US&apn_uid=F71D5660-6F65-45FD-A1C2-2C15ED6C5A1A&apn_ptnrs=HA&apn_sauid=4E30FEFA-7A84-4D04-9C3C-C22CD5918B9E&apn_dtid=YYYYYYU3PH&&q=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\nicky\application data\kalydo\kalydoplayer\npkalydo.dll
FF - plugin: c:\documents and settings\nicky\application data\mozilla\firefox\profiles\etd1k36o.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\nicky\application data\mozilla\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\nicky\local settings\application data\facebook\video\skype\npFacebookVideoCalling.dll
FF - plugin: c:\documents and settings\nicky\local settings\application data\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_149.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-04-13 22:46:53 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2013-04-13 22:46:53 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2013-04-13 22:46:45 368616 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2013-04-13 22:46:44 163288 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2013-04-13 22:46:38 202280 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2013-04-13 22:46:32 -------- d-----w- c:\program files\common files\PC Tools
2013-04-13 22:46:27 -------- d-----w- c:\program files\PC Tools
2013-04-13 22:41:44 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2013-04-13 22:41:42 -------- d-----w- c:\documents and settings\nicky\application data\TestApp
2013-04-13 21:56:20 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-03-25 05:38:52 -------- d-----w- c:\windows\system32\CatRoot_bak
2013-03-25 05:33:09 -------- d-----w- c:\documents and settings\nicky\local settings\application data\PCHealth
2013-03-25 05:31:19 -------- dc-h--w- c:\windows\ie8
2013-03-25 02:53:09 -------- d-----w- c:\documents and settings\nicky\application data\Malwarebytes
2013-03-25 02:52:48 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-03-25 02:27:20 -------- d-----w- c:\program files\AnalogX
2013-03-23 07:21:07 -------- d-----w- c:\program files\K-Lite Codec Pack
2013-03-23 06:40:02 -------- d-----w- c:\program files\Mega Codec Pack
.
==================== Find3M  ====================
.
2013-03-18 01:19:43 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-18 01:19:43 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 16:17:27.46 ===============
 
 
 
 
The pop-up said to only attach the 'attach.txt.' when requested. So do I attach it? :'D

Edited by IBreakPCs, 13 April 2013 - 02:18 AM.


#4 Elise (Bleepin' Blonde, Malware Study Hall Admin)

Posted 13 April 2013 - 03:16 AM

You do indeed have a Sirefef (aka ZeroAccess) rootkit infection. Please read the following information before continuing.


One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


We need to run a scan with ComboFix:
  • Please go to the download page for ComboFix by sUBs.
  • Click the Download Now button and save the file to your desktop. [image: download.png]
  • Disable any anti-virus and/or firewall software you have installed (instructions can be found here if needed).
  • Close all open windows including your web browser. As mentioned in the first post, you may want to print out all instructions before starting.
  • Double-click on the ComboFix icon on your desktop. [image: cf-icon.jpg]
  • Read the Disclaimer and click I Agree if you want to run the software; you should then see a window like this one: [image: cf-preparing.jpg]
  • DO NOT use your computer while ComboFix is running. There are a lot of things going on behind the scenes and a single mouse click can cause the program to stall.
    However, if you see the following prompt, please click Yes to download the Microsoft Windows Recovery Console. [image: recovery-console-prompt.jpg]
    If an Internet connection is not available or you choose not to install the recovery console, ComboFix will run in Reduced Functionality mode.
  • Allow ComboFix to reboot the computer if necessary; it will run again after you log back in.
  • When complete, a log file will be displayed; please copy and paste the contents of this file into your next post. [image: cf-log.jpg]
  • More information about downloading and using ComboFix can be found here if needed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

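Elise's diagnosis above rests on indicators that are visible in the logs posted in this thread: the fake hotfix-uninstall folder under c:\windows ($NtUninstallKB65511$ with its "@" file and L\ and U\ subfolders) and ComboFix's report of a patched afd.sys. The script below is an added example, not Elise's tool and not anything from the original thread: it scans DDS/ComboFix-style text for those ZeroAccess indicators and also flags a localhost ProxyOverride entry, but only as a review item, since other software can set that value. The sample lines embedded in it are constructed from the logs in this thread plus benign control lines; the indicator names, the verdict labels and the function names are the example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Indicator patterns (names are this example's own). Lines are matched one at a time.
INDICATORS = {
    # ZeroAccess/Sirefef stores its payload in a fake hotfix-uninstall folder
    # under %WINDIR%. The tell-tale is the "@" (or "n") file and the "L\" and
    # "U\" subfolders beneath a numeric subdirectory, NOT the KB number:
    # a genuine $NtUninstallKB...$ folder holds spuninst\ and real backups.
    "zeroaccess_hidden_store": re.compile(
        r"\\\$NtUninstallKB\d+\$\\\d+\\(?:@$|n$|[LU]\\)", re.IGNORECASE),
    # ComboFix reporting that it replaced a patched system driver. ZeroAccess
    # overwrote drivers such as afd.sys so its code is loaded at boot.
    "patched_system_driver": re.compile(
        r"Infected copy of (\S+\.sys) was found", re.IGNORECASE),
    # A 127.0.0.1:port entry in the IE ProxyOverride value is unusual on a
    # home PC and worth a look, but local proxy tools can set it too, so it
    # is a review item, not an infection indicator on its own.
    "localhost_proxy_override": re.compile(
        r"ProxyOverride\s*=\s*127\.0\.0\.1:\d+", re.IGNORECASE),
}

HIGH_CONFIDENCE = {"zeroaccess_hidden_store", "patched_system_driver"}


def scan_log(text: str) -> Dict[str, List[str]]:
    """Return {indicator_name: [matching lines]} for every line that hits."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(line)
    return dict(hits)


def verdict(hits: Dict[str, List[str]]) -> str:
    """Collapse the hits into one label: zeroaccess-likely, review or clean."""
    if any(name in hits for name in HIGH_CONFIDENCE):
        return "zeroaccess-likely"
    if hits:
        return "review"
    return "clean"


# Constructed sample, modelled on lines from the DDS and ComboFix logs posted
# in this thread, plus benign control lines (the start page, a hotfix folder
# laid out the way genuine ones are) that must not match.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.garena.com/
uProxyOverride = 127.0.0.1:9421;<local>
c:\windows\$NtUninstallKB65511$
c:\windows\$NtUninstallKB65511$\171439568\@
c:\windows\$NtUninstallKB65511$\171439568\Desktop.ini
c:\windows\$NtUninstallKB65511$\171439568\L\00000004.@
c:\windows\$NtUninstallKB65511$\171439568\U\80000032.@
c:\windows\$NtUninstallKB65511$\40187194
c:\windows\$NtUninstallKB936929$\spuninst\spuninst.exe
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
2013-04-14 00:55 . 2004-08-04 01:07 138496 ----a-w- c:\windows\system32\drivers\afd.sys
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for name, lines in found.items():
        level = "HIGH" if name in HIGH_CONFIDENCE else "review"
        print(f"[{level}] {name}")
        for entry in lines:
            print(f"    {entry}")
    print("verdict:", verdict(found))
```

Run it against a saved DDS or ComboFix log by replacing SAMPLE_LOG with the file contents. The folder pattern deliberately requires the numeric subdirectory plus the "@"/"n" file or L\ / U\ subfolder, so a real hotfix-uninstall folder such as the spuninst\ line in the sample does not trigger it; a hit on the hidden store or a disinfected driver is what justifies the "zeroaccess-likely" label, while the proxy entry alone only yields "review".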


#5 IBreakPCs (Topic Starter)
Members, 31 posts

Posted 13 April 2013 - 04:14 AM

ComboFix 13-04-12.02 - nicky 04/13/2013  17:58:09.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2038.1605 [GMT -7:00]
Running from: c:\documents and settings\nicky\My Documents\Downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
 * Created a new restore point
 * Resident AV is active
.
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\nicky\Application Data\Complitly\CoMPlitly.dll
c:\documents and settings\nicky\Application Data\PriceGong
c:\documents and settings\nicky\Application Data\PriceGong\Data\1.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\a.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\b.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\c.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\d.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\e.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\f.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\g.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\h.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\i.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\J.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\k.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\l.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\m.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\n.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\o.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\p.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\q.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\r.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\s.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\t.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\u.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\v.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\w.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\x.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\y.xml
c:\documents and settings\nicky\Application Data\PriceGong\Data\z.xml
c:\documents and settings\nicky\Recent\Thumbs.db
c:\program files\Complitly
c:\program files\Complitly\chrome\ComplitlyChrome.crx
c:\program files\Complitly\FireFoxExtension.exe
c:\program files\Complitly\InstTracker.exe
c:\program files\Complitly\support@Complitly.com\chrome.manifest
c:\program files\Complitly\support@Complitly.com\chrome\content\appIcon.png
c:\program files\Complitly\support@Complitly.com\chrome\content\browserOverlay.xul
c:\program files\Complitly\support@Complitly.com\chrome\content\options.js
c:\program files\Complitly\support@Complitly.com\chrome\content\options.xul
c:\program files\Complitly\support@Complitly.com\chrome\content\utils.js
c:\program files\Complitly\support@Complitly.com\defaults\preferences\predictad.js
c:\program files\Complitly\support@Complitly.com\install.rdf
c:\program files\Complitly\unins000.dat
c:\program files\Complitly\unins000.exe
c:\windows\$NtUninstallKB65511$
c:\windows\$NtUninstallKB65511$\171439568\@
c:\windows\$NtUninstallKB65511$\171439568\Desktop.ini
c:\windows\$NtUninstallKB65511$\171439568\L\00000004.@
c:\windows\$NtUninstallKB65511$\171439568\L\00000008.@
c:\windows\$NtUninstallKB65511$\171439568\L\201d3dde
c:\windows\$NtUninstallKB65511$\171439568\L\76603ac3
c:\windows\$NtUninstallKB65511$\171439568\L\gbvkjoml
c:\windows\$NtUninstallKB65511$\171439568\U\00000004.@
c:\windows\$NtUninstallKB65511$\171439568\U\00000008.@
c:\windows\$NtUninstallKB65511$\171439568\U\000000cb.@
c:\windows\$NtUninstallKB65511$\171439568\U\80000000.@
c:\windows\$NtUninstallKB65511$\171439568\U\80000032.@
c:\windows\$NtUninstallKB65511$\40187194
c:\windows\system32\Desktop_.ini
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected 
Restored copy from - The cat found it :)
.
(((((((((((((((((((((((((   Files Created from 2013-03-14 to 2013-04-14  )))))))))))))))))))))))))))))))
.
.
2013-04-14 00:55 . 2004-08-04 01:07 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2013-04-14 00:55 . 2004-08-04 01:07 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2013-04-14 00:04 . 2013-04-14 00:04 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2013-04-13 23:40 . 2013-04-13 23:40 -------- d-----w- c:\program files\PC Tools
2013-04-13 22:46 . 2012-11-01 22:35 202280 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2013-04-13 22:46 . 2013-04-14 00:37 -------- d-----w- c:\program files\Common Files\PC Tools
2013-04-13 22:41 . 2013-04-14 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2013-04-13 22:41 . 2013-04-13 22:41 -------- d-----w- c:\documents and settings\nicky\Application Data\TestApp
2013-04-13 21:56 . 2013-04-13 21:56 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-03-25 06:31 . 2013-03-25 06:32 -------- d-----w- c:\documents and settings\Administrator
2013-03-25 05:38 . 2013-03-25 05:53 -------- d-----w- c:\windows\system32\CatRoot_bak
2013-03-25 05:33 . 2013-03-25 05:33 -------- d-----w- c:\documents and settings\nicky\Local Settings\Application Data\PCHealth
2013-03-25 05:31 . 2013-03-25 05:32 -------- dc-h--w- c:\windows\ie8
2013-03-25 02:53 . 2013-03-25 02:53 -------- d-----w- c:\documents and settings\nicky\Application Data\Malwarebytes
2013-03-25 02:52 . 2013-03-25 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-03-25 02:27 . 2013-03-25 02:27 -------- d-----w- c:\program files\AnalogX
2013-03-23 07:21 . 2013-03-23 07:21 -------- d-----w- c:\program files\K-Lite Codec Pack
2013-03-23 06:40 . 2013-03-23 07:16 -------- d-----w- c:\program files\Mega Codec Pack
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-18 01:19 . 2012-05-26 01:29 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-18 01:19 . 2011-05-24 01:16 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-20 02:05 . 2011-10-08 04:15 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2012-04-10 1519272]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTo0.dll" [2012-11-06 183112]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2012-11-06 183112]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2012-11-26 1525088]
.
[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2012-11-06 13:01 183112 ----a-w- c:\program files\Freecorder\prxtbFre0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{474597C5-AB09-49d6-A4D5-2E8D7341384E}]
2010-10-19 12:43 585608 ----a-w- c:\progra~1\IMESHA~1\MediaBar\Datamngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}]
2009-11-20 17:34 87472 ----a-w- c:\progra~1\IMESHA~1\MediaBar\ToolBar\iMeshMediaBarDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2012-11-06 13:01 183112 ----a-w- c:\program files\uTorrentBar\prxtbuTo0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F}"= "c:\progra~1\IMESHA~1\MediaBar\ToolBar\iMeshMediaBarDx.dll" [2009-11-20 87472]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTo0.dll" [2012-11-06 183112]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2012-11-06 183112]
.
[HKEY_CLASSES_ROOT\clsid\{abb49b3b-ab7d-4ed0-9135-93fd5aa4f69f}]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\prxtbuTo0.dll" [2012-11-06 183112]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\prxtbFre0.dll" [2012-11-06 183112]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\0MediaIconsOerlay]
@="{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
[HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
2013-03-23 06:40 224256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ChikkaDefault"="c:\progra~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe" [2007-08-29 36864]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-10-23 3077528]
"Akamai NetSession Interface"="c:\documents and settings\nicky\Local Settings\Application Data\Akamai\netsession_win.exe" [2013-01-26 4480768]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-01-08 18705664]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-05 16844288]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-18 53248]
"BisonInst0402"="c:\windows\BR040286.exe" [2007-05-09 53248]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]
2012-04-10 00:43 1557160 ----a-w- c:\program files\Ask.com\Updater\Updater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
2013-01-05 18:51 980376 ----a-w- c:\program files\BitTorrent\BitTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update]
2012-07-13 05:14 138096 ----atw- c:\documents and settings\nicky\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Freecorder FLV Service]
2011-03-24 06:11 167936 ----a-w- c:\program files\Freecorder\FLVSrvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2012-06-30 05:54 116648 ----atw- c:\documents and settings\nicky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-03-20 01:27 5248312 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\nicky\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\WINDOWS\\explorer.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1066:TCP"= 1066:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7/1/2008 10:04 AM 34312]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 6:07 PM 14336]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [3/18/2011 7:56 PM 81920]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [7/1/2008 10:02 AM 468224]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [8/13/2012 1:33 PM 3064000]
S0 vryiav;vryiav;c:\windows\system32\drivers\geof.sys --> c:\windows\system32\drivers\geof.sys [?]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [8/3/2004 6:07 PM 3584]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [1/8/2013 1:55 PM 161536]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 6:07 PM 14336]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [7/12/2012 11:02 PM 66112]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\safedrv.sys --> c:\program files\Garena\safedrv.sys [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [12/31/2010 7:47 PM 100736]
S3 IDMTDI;IDMTDI;c:\windows\system32\DRIVERS\idmtdi.sys --> c:\windows\system32\DRIVERS\idmtdi.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/13/2013 2:56 PM 40776]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rak;rak;c:\windows\system32\rakion.sys [5/1/2010 3:34 AM 60928]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [7/12/2012 11:02 PM 180672]
S3 ssudnflt;Remote NDIS Filter Driver;c:\windows\system32\drivers\ssudnflt.sys [7/12/2012 11:02 PM 15936]
S3 ssudobex;SAMSUNG Mobile USB OBEX Serial Port(DEVGURU Ver.);c:\windows\system32\drivers\ssudobex.sys [7/12/2012 11:02 PM 180672]
S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
S3 XDva391;XDva391;\??\c:\windows\system32\XDva391.sys --> c:\windows\system32\XDva391.sys [?]
S3 XDva401;XDva401;\??\c:\windows\system32\XDva401.sys --> c:\windows\system32\XDva401.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ   Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-26 01:19]
.
2013-03-25 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1409082233-1303643608-839522115-1003Core.job
- c:\documents and settings\nicky\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-07-08 05:14]
.
2013-04-13 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1409082233-1303643608-839522115-1003UA.job
- c:\documents and settings\nicky\Local Settings\Application Data\Facebook\Update\FacebookUpdate.exe [2012-07-08 05:14]
.
2013-03-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1303643608-839522115-1003Core.job
- c:\documents and settings\nicky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-06-30 05:54]
.
2013-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1303643608-839522115-1003UA.job
- c:\documents and settings\nicky\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-06-30 05:54]
.
2013-04-14 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2012-04-10 00:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.garena.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
uSearchAssistant = hxxp://search.imesh.com/sidebar.html?src=ssb&sysid=1
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Download All using 4shared Desktop - c:\program files\4shared Desktop\down_all.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\documents and settings\nicky\Application Data\Mozilla\Firefox\Profiles\etd1k36o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=UTR&o=15467&locale=en_US&apn_uid=F71D5660-6F65-45FD-A1C2-2C15ED6C5A1A&apn_ptnrs=HA&apn_sauid=4E30FEFA-7A84-4D04-9C3C-C22CD5918B9E&apn_dtid=YYYYYYU3PH&&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-{4FFBB818-B13C-11E0-931D-B2664824019B}_is1 - c:\program files\Complitly\unins000.exe
AddRemove-01_Simmental - c:\program files\SAMSUNG\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\SAMSUNG\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\SAMSUNG\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\SAMSUNG\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\SAMSUNG\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\SAMSUNG\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\SAMSUNG\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\SAMSUNG\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\SAMSUNG\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\SAMSUNG\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-12_Symbian_USB_Download_Driver - c:\program files\SAMSUNG\USB Drivers\12_Symbian_USB_Download_Driver\Uninstall.exe
AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\SAMSUNG\USB Drivers\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\SAMSUNG\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\SAMSUNG\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\SAMSUNG\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\SAMSUNG\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\SAMSUNG\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\SAMSUNG\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\SAMSUNG\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\SAMSUNG\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\SAMSUNG\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-13 18:12
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_ca0e279.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):7f,1c,2b,5c,93,f2,d4,0e,d5,e2,38,53,88,c1,33,3a,a0,77,e2,71,0e,
   3f,79,2a,35,4d,47,24,66,78,82,76,fe,4e,a5,56,a3,aa,7e,2f,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{95ecea10-02ba-47eb-b4c6-cc2446aa5f03}]
@Denied: (Full) (Everyone)
"Model"=dword:0000008a
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,88,79,0d,22,8e,33,17,75,13,d8,bf,8a,bd,f3,26,a8,25,ca,a9,35,f2,73,\
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(916)
c:\documents and settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
c:\progra~1\MICROS~2\Office12\GRA8E1~1.DLL
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\progra~1\IMESHA~1\MediaBar\Datamngr\DATAMN~1.EXE
c:\windows\system32\agrsmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\docume~1\nicky\LOCALS~1\Temp\RtkBtMnt.exe
c:\windows\System32\rundll32.exe
.
**************************************************************************
.
Completion time: 2013-04-13  18:17:49 - machine was rebooted
ComboFix-quarantined-files.txt  2013-04-14 01:17
.
Pre-Run: 27,742,793,728 bytes free
Post-Run: 29,367,631,872 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 6CA61D6382AE0C14CFB89D87764E47E9
 
 
After this, I am able to open Google without it redirecting me to the warning page!

Edited by IBreakPCs, 13 April 2013 - 04:17 AM.


#6 Elise (Malware Study Hall Admin, 61,257 posts)

Posted 13 April 2013 - 04:57 AM

That took care of the rootkit; how are things running at this point?
Let's also verify all services are in place and remove some adware/toolbars.

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

regards, Elise


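Elise's post asks to verify that all services are in place. As an added example, not part of this thread and not a feature of ComboFix, Farbar Service Scanner or AdwCleaner, the following Python script applies a few triage heuristics to the service/driver section of a ComboFix log like the one posted above. It flags entries whose image file ComboFix could not find on disk (the `--> <path> [?]` notation), treats a boot- or system-start driver with a missing file as the most urgent case, and flags services whose image is an interactive admin utility rather than a service binary. The sample lines are copied from the log in this thread; the severity labels, the list of interactive tools and the function names are my own choices. Many missing-file entries are harmless leftovers of uninstalled software, so the output is a list of things for a helper to look at, not a verdict.

```python
"""Triage the service/driver section of a ComboFix log (added example, not a ComboFix feature).

ComboFix lists services as:
    <R|S><start> <name>;<display name>;<image path> [<file date> <size>]
and, when the image file is not on disk:
    <R|S><start> <name>;<display name>;<image path> --> <image path> [?]
R = running, S = stopped; start 0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(r'^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$')
# Path up to the first executable/driver extension; arguments such as "-k Akamai" may follow.
PATH_RE = re.compile(r'^(?:\\\?\?\\)?(.*?\.(?:exe|sys|dll|des))', re.IGNORECASE)
# Heuristic (my choice, not from any tool): a service whose image is one of these
# is not a normal service binary and deserves a look.
INTERACTIVE_TOOLS = {'regedt32.exe', 'regedit.exe', 'cmd.exe', 'rundll32.exe', 'notepad.exe'}


@dataclass
class ServiceEntry:
    running: bool
    start: int
    name: str
    display: str
    image: str          # image path as written, arguments included
    file_missing: bool  # True when ComboFix appended "--> <path> [?]"


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service line; return None for anything else (blank lines, headers, registry dumps)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, rest = m.groups()
    rest = rest.strip()
    file_missing = rest.endswith('[?]')
    if ' --> ' in rest:
        image = rest.split(' --> ', 1)[0]
    else:
        image = re.sub(r'\s*\[[^\[\]]*\]$', '', rest)  # drop the trailing "[date size]" block
    return ServiceEntry(state == 'R', int(start), name.strip(), display.strip(), image.strip(), file_missing)


def image_basename(image: str) -> str:
    """Lower-case file name of the service image, ignoring the \\??\\ prefix and any arguments."""
    m = PATH_RE.match(image)
    path = m.group(1) if m else image
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, service name, reason) for every entry that deserves a look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        base = image_basename(entry.image)
        if entry.file_missing and entry.start <= 1:
            # A boot- or system-start driver loads before most defences; a registration
            # whose file cannot be seen is the most urgent item on the list.
            findings.append(('HIGH', entry.name, 'boot/system-start driver registered, file not found on disk'))
        elif entry.file_missing:
            findings.append(('MEDIUM', entry.name, 'service image not found on disk (leftover or hidden file)'))
        if base in INTERACTIVE_TOOLS:
            findings.append(('MEDIUM', entry.name, f'service image is an interactive tool ({base}), not a service binary'))
    return findings


# Lines copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [7/1/2008 10:04 AM 34312]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 6:07 PM 14336]
S0 vryiav;vryiav;c:\windows\system32\drivers\geof.sys --> c:\windows\system32\drivers\geof.sys [?]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [8/3/2004 6:07 PM 3584]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [4/13/2013 2:56 PM 40776]
"""

if __name__ == '__main__':
    for severity, name, reason in triage(SAMPLE_LOG):
        print(f'{severity:6} {name:18} {reason}')
```

Run against the sample, the script surfaces the `S0 vryiav` entry (a boot-start driver whose `geof.sys` is not on disk) ahead of the manual-start leftovers, and separately points at the service whose image is `regedt32.exe`. Paste the full ComboFix log into `SAMPLE_LOG` to triage a real one; lines that are not service entries are ignored.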


#7 IBreakPCs (Topic Starter, Members, 31 posts)

Posted 13 April 2013 - 05:07 AM

Results from Farbar:

 

Farbar Service Scanner Version: 03-03-2013
Ran by nicky (administrator) on 13-04-2013 at 19:03:50
Running from "C:\Documents and Settings\nicky\My Documents\Downloads"
Microsoft Windows XP Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 18:07] - [2004-08-03 18:07] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B
 
C:\WINDOWS\system32\Drivers\tcpip.sys
[2004-08-03 18:07] - [2004-08-03 18:07] - 0359040 ____A (Microsoft Corporation) 9F4B36614A0FC234525BA224957DE55C
 
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 18:07] - [2004-08-03 18:07] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
 
C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-03 18:07] - [2004-08-03 18:07] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D
 
C:\WINDOWS\system32\ipnathlp.dll
[2004-08-03 18:07] - [2004-08-03 18:07] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF
 
C:\WINDOWS\system32\netman.dll
[2004-08-03 18:07] - [2004-08-03 18:07] - 0198144 ____A (Microsoft Corporation) DAB9E6C7105D2EF49876FE92C524F565
 
C:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-01-13 19:30] - [2004-08-03 18:07] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E
 
C:\WINDOWS\system32\srsvc.dll
[2010-01-13 19:32] - [2004-08-03 18:07] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838
 
C:\WINDOWS\system32\Drivers\sr.sys
[2010-01-13 19:32] - [2004-08-03 18:07] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24
 
C:\WINDOWS\system32\wscsvc.dll
[2004-08-03 18:07] - [2004-08-03 18:07] - 0081408 ____A (Microsoft Corporation) 4D59DAA66C60858CDF4F67A900F42D4A
 
C:\WINDOWS\system32\wbem\WMIsvc.dll
[2010-01-13 19:30] - [2004-08-03 18:07] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E
 
C:\WINDOWS\system32\wuauserv.dll
[2010-01-13 19:32] - [2004-08-03 18:07] - 0006656 ____A (Microsoft Corporation) 13D72740963CBA12D9FF76A7F218BCD8
 
C:\WINDOWS\system32\qmgr.dll
[2010-01-13 19:32] - [2004-08-03 18:07] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA
 
C:\WINDOWS\system32\es.dll
[2004-08-03 18:07] - [2004-08-03 18:07] - 0243200 ____A (Microsoft Corporation) ACD36A2DD7D1E9D8A060AA651DC07E63
 
C:\WINDOWS\system32\cryptsvc.dll
[2004-08-03 18:07] - [2004-08-03 18:07] - 0060416 ____A (Microsoft Corporation) 10654F9DDCEA9C46CFB77554231BE73B
 
C:\WINDOWS\system32\svchost.exe
[2004-08-03 18:07] - [2004-08-03 18:07] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716
 
C:\WINDOWS\system32\rpcss.dll
[2004-08-03 18:07] - [2004-08-03 18:07] - 0395776 ____A (Microsoft Corporation) 5C83A4408604F737717AB96371201680
 
C:\WINDOWS\system32\services.exe
[2004-08-03 18:07] - [2004-08-03 18:07] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4
 
 
Extra List:
=======
epfwtdir(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4) 
0x080000000500000001000000020000000300000004000000060000000700000008000000
IpSec Tag value is correct.
 
**** End of log ****
 
 
Results from AdwCleaner:
# AdwCleaner v2.200 - Logfile created 04/13/2013 at 19:05:25
# Updated 02/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 2 (32 bits)
# User : nicky - NICKY-4777E441A
# Boot Mode : Normal
# Running from : C:\Documents and Settings\nicky\My Documents\Downloads\AdwCleaner.exe
# Option [Search]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Found : C:\Program Files\Mozilla Firefox\extensions\wtxpcom@mybrowserbar.com
File Found : C:\Program Files\Mozilla Firefox\searchplugins\imeshwebsearch.xml
File Found : C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
Folder Found : C:\Documents and Settings\All Users\Start Menu\Programs\Freecorder
Folder Found : C:\Documents and Settings\nicky\Application Data\AskToolbar
Folder Found : C:\Documents and Settings\nicky\Application Data\Complitly
Folder Found : C:\Documents and Settings\nicky\Application Data\Mozilla\Firefox\Profiles\etd1k36o.default\ConduitCommon
Folder Found : C:\Documents and Settings\nicky\Application Data\Mozilla\Firefox\Profiles\etd1k36o.default\CT1060933
Folder Found : C:\Documents and Settings\nicky\Application Data\Mozilla\Firefox\Profiles\etd1k36o.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}
Folder Found : C:\Documents and Settings\nicky\Application Data\Mozilla\Firefox\Profiles\etd1k36o.default\extensions\{33E0DAA6-3AF3-D8B5-6752-10E949C61516}
Folder Found : C:\Documents and Settings\nicky\Application Data\Mozilla\Firefox\Profiles\ibycvgwl.default\extensions\{33E0DAA6-3AF3-D8B5-6752-10E949C61516}
Folder Found : C:\Documents and Settings\nicky\Application Data\Mozilla\Firefox\Profiles\ibycvgwl.default\extensions\toolbar@ask.com
Folder Found : C:\Documents and Settings\nicky\Application Data\Search Settings
Folder Found : C:\Documents and Settings\nicky\Local Settings\Application Data\AskToolbar
Folder Found : C:\Documents and Settings\nicky\Local Settings\Application Data\Conduit
Folder Found : C:\Documents and Settings\nicky\Local Settings\Application Data\ConduitEngine
Folder Found : C:\Documents and Settings\nicky\Local Settings\Application Data\Freecorder
Folder Found : C:\Documents and Settings\nicky\Local Settings\Application Data\PackageAware
Folder Found : C:\Documents and Settings\nicky\Local Settings\Application Data\uTorrentBar
Folder Found : C:\Documents and Settings\nicky\My Documents\Freecorder
Folder Found : C:\Program Files\Application Updater
Folder Found : C:\Program Files\Ask.com
Folder Found : C:\Program Files\Common Files\spigot
Folder Found : C:\Program Files\Conduit
Folder Found : C:\Program Files\Freecorder
Folder Found : C:\Program Files\iMesh Applications\Mediabar
Folder Found : C:\Program Files\uTorrentBar
Folder Found : C:\Program Files\YouTube Downloader Toolbar
Folder Found : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
 
***** [Registry] *****
 
Key Found : HKCU\Software\APN
Key Found : HKCU\Software\AppDataLow\AskToolbarInfo
Key Found : HKCU\Software\Ask&Record
Key Found : HKCU\Software\Ask.com
Key Found : HKCU\Software\AskToolbar
Key Found : HKCU\Software\Complitly
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Freecorder
Key Found : HKCU\Software\Headlight
Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\4shared Tools
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{474597C5-AB09-49D6-A4D5-2E8D7341384E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1392B8D2-5C05-419F-A8F6-B9F15A596612}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{14790EBA-E7D1-4F4D-82CC-B12986388CD5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{474597C5-AB09-49D6-A4D5-2E8D7341384E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Found : HKCU\Software\Search Settings
Key Found : HKCU\Software\uTorrentBar
Key Found : HKCU\Toolbar
Key Found : HKLM\Software\APN
Key Found : HKLM\Software\Application Updater
Key Found : HKLM\Software\AskToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{442F13BC-2031-42D5-9520-437F65271153}
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\Complitly.DLL
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1392B8D2-5C05-419F-A8F6-B9F15A596612}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{14790EBA-E7D1-4F4D-82CC-B12986388CD5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{20B4C503-BCDC-4C21-8AF3-73334075AC3A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{31DE7693-6D5A-4E5C-8F63-B05865320CD5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{474597C5-AB09-49D6-A4D5-2E8D7341384E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F51F90A7-ECDD-4B30-9FB7-C4B53969BC49}
Key Found : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Found : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C9AE652B-8C99-4AC2-B556-8B501182874E}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT1060933
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2233703
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\Freecorder
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\defdhglnppeioeflggkmglipcecffkhk
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{309C89B3-75B8-42E6-8A9E-C266EE550617}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6A753F85-9CFC-4FA9-B663-26163ECC3DCC}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C270EC31-18A0-4F6B-8E9F-3365DAC4B30A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F752001C-6ECE-44A8-A259-81002DCCDBD1}
Key Found : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{4FFBB818-B13C-11E0-931D-B2664824019B}_is1
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\conduitEngine
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Freecorder Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\uTorrentBar Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1392B8D2-5C05-419F-A8F6-B9F15A596612}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{474597C5-AB09-49D6-A4D5-2E8D7341384E}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{14790EBA-E7D1-4F4D-82CC-B12986388CD5}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F51F90A7-ECDD-4B30-9FB7-C4B53969BC49}
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B5BAE2ED018083A4C8DA86D6E3F4B024
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED1CAE30F47D14B41B5FC8FA53658044
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
Key Found : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Freecorder Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\uTorrentBar Toolbar
Key Found : HKLM\Software\Search Settings
Key Found : HKLM\Software\SimplyGen
Key Found : HKLM\Software\uTorrentBar
Key Found : HKU\S-1-5-21-1409082233-1303643608-839522115-1003\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40B7-AC73-056A5EBA4A7E}
Key Found : HKU\S-1-5-21-1409082233-1303643608-839522115-1003\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{1392B8D2-5C05-419F-A8F6-B9F15A596612}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-6E41-4FD3-8538-502F5495E5FC}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{1392B8D2-5C05-419F-A8F6-B9F15A596612}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}]
Value Found : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{1392B8D2-5C05-419F-A8F6-B9F15A596612}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
[HKCU\Software\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://search.imesh.com/sidebar.html?src=ssb&sysid=1
 
-\\ Mozilla Firefox v14.0.1 (en-US)
 
File : C:\Documents and Settings\nicky\Application Data\Mozilla\Firefox\Profiles\etd1k36o.default\prefs.js
 
Found : user_pref("CT1060933..clientLogIsEnabled", false);
Found : user_pref("CT1060933..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.as[...]
Found : user_pref("CT1060933..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Re[...]
Found : user_pref("CT1060933.ALLOW_SHOWING_HIDDEN_TOOLBAR", false);
Found : user_pref("CT1060933.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Found : user_pref("CT1060933.BrowserCompStateIsOpen_129633202291172081", true);
Found : user_pref("CT1060933.BrowserCompStateIsOpen_129652058719725628", true);
Found : user_pref("CT1060933.BrowserCompStateIsOpen_129681785283868963", true);
Found : user_pref("CT1060933.BrowserCompStateIsOpen_129686665230467549", true);
Found : user_pref("CT1060933.BrowserCompStateIsOpen_130040833450137909", true);
Found : user_pref("CT1060933.CTID", "ct1060933");
Found : user_pref("CT1060933.CurrentServerDate", "20-2-2013");
Found : user_pref("CT1060933.DialogsAlignMode", "LTR");
Found : user_pref("CT1060933.DialogsGetterLastCheckTime", "Tue Feb 19 2013 18:05:43 GMT-0800 (Pacific Standa[...]
Found : user_pref("CT1060933.DownloadReferralCookieData", "");
Found : user_pref("CT1060933.FirstServerDate", "22-9-2011");
Found : user_pref("CT1060933.FirstTime", true);
Found : user_pref("CT1060933.FirstTimeFF3", true);
Found : user_pref("CT1060933.FixPageNotFoundErrors", true);
Found : user_pref("CT1060933.GroupingServerCheckInterval", 1440);
Found : user_pref("CT1060933.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Found : user_pref("CT1060933.HasUserGlobalKeys", true);
Found : user_pref("CT1060933.Initialize", true);
Found : user_pref("CT1060933.InitializeCommonPrefs", true);
Found : user_pref("CT1060933.InstallationAndCookieDataSentCount", 3);
Found : user_pref("CT1060933.InstallationId", "ConduitStubGeneric");
Found : user_pref("CT1060933.InstallationType", "ConduitStubIntegration");
Found : user_pref("CT1060933.InstalledDate", "Thu Sep 22 2011 18:36:44 GMT-0700 (Pacific Standard Time)");
Found : user_pref("CT1060933.InvalidateCache", false);
Found : user_pref("CT1060933.IsAlertDBUpdated", true);
Found : user_pref("CT1060933.IsGrouping", false);
Found : user_pref("CT1060933.IsInitSetupIni", true);
Found : user_pref("CT1060933.IsMulticommunity", false);
Found : user_pref("CT1060933.IsOpenThankYouPage", false);
Found : user_pref("CT1060933.IsOpenUninstallPage", true);
Found : user_pref("CT1060933.LanguagePackLastCheckTime", "Thu Sep 22 2011 18:36:48 GMT-0700 (Pacific Standar[...]
Found : user_pref("CT1060933.LanguagePackReloadIntervalMM", 1440);
Found : user_pref("CT1060933.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
Found : user_pref("CT1060933.LastLogin_3.10.0.1", "Fri May 25 2012 13:04:49 GMT-0700 (Pacific Standard Time)[...]
Found : user_pref("CT1060933.LastLogin_3.12.2.3", "Sat Jun 02 2012 11:57:11 GMT-0700 (Pacific Standard Time)[...]
Found : user_pref("CT1060933.LastLogin_3.13.0.6", "Thu Jul 19 2012 15:18:01 GMT-0700 (Pacific Standard Time)[...]
Found : user_pref("CT1060933.LastLogin_3.14.1.0", "Sun Nov 04 2012 22:50:02 GMT-0800 (Pacific Standard Time)[...]
Found : user_pref("CT1060933.LastLogin_3.15.1.0", "Fri Feb 01 2013 17:12:26 GMT-0800 (Pacific Standard Time)[...]
Found : user_pref("CT1060933.LastLogin_3.16.0.100", "Fri Feb 15 2013 10:55:26 GMT-0800 (Pacific Standard Tim[...]
Found : user_pref("CT1060933.LastLogin_3.18.0.7", "Wed Feb 20 2013 23:34:26 GMT-0800 (Pacific Standard Time)[...]
Found : user_pref("CT1060933.LastLogin_3.6.0.10", "Sat Oct 01 2011 13:10:00 GMT-0700 (Pacific Standard Time)[...]
Found : user_pref("CT1060933.LastLogin_3.7.0.6", "Sat Nov 19 2011 13:13:00 GMT-0800 (Pacific Standard Time)"[...]
Found : user_pref("CT1060933.LastLogin_3.8.0.8", "Tue Dec 06 2011 19:14:49 GMT-0800 (Pacific Standard Time)"[...]
Found : user_pref("CT1060933.LastLogin_3.8.1.0", "Thu Jan 12 2012 11:59:59 GMT-0800 (Pacific Standard Time)"[...]
Found : user_pref("CT1060933.LastLogin_3.9.0.3", "Tue Feb 21 2012 16:35:19 GMT-0800 (Pacific Standard Time)"[...]
Found : user_pref("CT1060933.LatestVersion", "3.18.0.7");
Found : user_pref("CT1060933.Locale", "en-us");
Found : user_pref("CT1060933.MCDetectTooltipHeight", "83");
Found : user_pref("CT1060933.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Found : user_pref("CT1060933.MCDetectTooltipWidth", "295");
Found : user_pref("CT1060933.MyStuffEnabledAtInstallation", true);
Found : user_pref("CT1060933.OriginalFirstVersion", "3.6.0.10");
Found : user_pref("CT1060933.RadioIsPodcast", false);
Found : user_pref("CT1060933.RadioLastCheckTime", "Thu Sep 22 2011 18:36:46 GMT-0700 (Pacific Standard Time)[...]
Found : user_pref("CT1060933.RadioLastUpdateIPServer", "0");
Found : user_pref("CT1060933.RadioLastUpdateServer", "129326918102570000");
Found : user_pref("CT1060933.RadioMediaID", "21503458");
Found : user_pref("CT1060933.RadioMediaType", "Media Player");
Found : user_pref("CT1060933.RadioMenuSelectedID", "EBRadioMenu_CT1060933_RECENT21503458");
Found : user_pref("CT1060933.RadioShrinkedFromSetup", false);
Found : user_pref("CT1060933.RadioStationName", "California%20Rock");
Found : user_pref("CT1060933.RadioStationURL", "hxxp://feedlive.net/california.asx");
Found : user_pref("CT1060933.SearchFromAddressBarIsInit", true);
Found : user_pref("CT1060933.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT106[...]
Found : user_pref("CT1060933.SearchInNewTabEnabled", true);
Found : user_pref("CT1060933.SearchInNewTabIntervalMM", 1440);
Found : user_pref("CT1060933.SearchInNewTabLastCheckTime", "Thu Sep 22 2011 18:36:45 GMT-0700 (Pacific Stand[...]
Found : user_pref("CT1060933.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
Found : user_pref("CT1060933.SearchInNewTabUsageUrl", "hxxp://usage.hosting.toolbar.conduit-services.com/usa[...]
Found : user_pref("CT1060933.ServiceMapLastCheckTime", "Thu Feb 21 2013 00:02:26 GMT-0800 (Pacific Standard [...]
Found : user_pref("CT1060933.SettingsLastCheckTime", "Thu Sep 22 2011 18:36:40 GMT-0700 (Pacific Standard Ti[...]
Found : user_pref("CT1060933.SettingsLastUpdate", "1314078198");
Found : user_pref("CT1060933.ThirdPartyComponentsInterval", 504);
Found : user_pref("CT1060933.ThirdPartyComponentsLastCheck", "Thu Sep 22 2011 18:36:40 GMT-0700 (Pacific Sta[...]
Found : user_pref("CT1060933.ThirdPartyComponentsLastUpdate", "1312887586");
Found : user_pref("CT1060933.ToolbarShrinkedFromSetup", false);
Found : user_pref("CT1060933.TrusteLinkUrl", "hxxp://trust.conduit.com/CT1060933");
Found : user_pref("CT1060933.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,clien[...]
Found : user_pref("CT1060933.UserID", "UN24670180285369925");
Found : user_pref("CT1060933.ValidationData_Search", 2);
Found : user_pref("CT1060933.ValidationData_Toolbar", 2);
Found : user_pref("CT1060933.alertChannelId", "15651");
Found : user_pref("CT1060933.appApproved.129272674122038321", true);
Found : user_pref("CT1060933.backendstorage./9b+7e+x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e,x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e-x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e.x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e/x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e06cg5el8:", "6E6D6F72706B74716E74");
Found : user_pref("CT1060933.backendstorage./9b+7e06cg5el;8i:k", "247E2D2F226A7473757876717A77747A242F4B4947[...]
Found : user_pref("CT1060933.backendstorage./9b+7e0x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e1x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e2x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e3x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e4x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e5x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e6x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e7x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e8x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e9x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e:x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e;x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e<x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e=x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e>x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e?x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7e@x305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7eax305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7ebe3g=;d9n9=d", "372C2D326975762E3A3C7B3A39434A494841434B26[...]
Found : user_pref("CT1060933.backendstorage./9b+7ebx305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7ecx305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7edx305", "2423");
Found : user_pref("CT1060933.backendstorage./9b+7etx305", "2423");
Found : user_pref("CT1060933.backendstorage./9b-0?3g>d", "666A703D73746F437A76714547207B792021257A7A24502A21[...]
Found : user_pref("CT1060933.backendstorage./9b-0?3g@6:5;", "");
Found : user_pref("CT1060933.backendstorage./9b-3=3eccja=f>", "247E333D2C452F4135276F292A212C393D44307832332[...]
Found : user_pref("CT1060933.backendstorage./9b/>01=9a6k6<im;krie@pdawm", "6E6A68707374757677");
Found : user_pref("CT1060933.backendstorage./9b3=>@44i48?", "372C2D32697576334236334148477A213F3E484F4E4D464[...]
Found : user_pref("CT1060933.backendstorage./9b5ba==9cjag", "6A3E3D6D3F4240707A724474754B767B77784F7D7A");
Found : user_pref("CT1060933.backendstorage./9b6b11g4c56b>f;p;anr@p", "6E6D6B717072706D736F797878");
Found : user_pref("CT1060933.backendstorage./9b9643g3/9e", "6A");
Found : user_pref("CT1060933.backendstorage./9b;45>:bi9i7ie", "2B2E2C3D");
Found : user_pref("CT1060933.backendstorage./9b<:222h64<", "393F352F3E");
Found : user_pref("CT1060933.backendstorage./9b=+03eh8h8j?:", "4443");
Found : user_pref("CT1060933.backendstorage./9b?+e2a52d8", "372C2D326975762E3A3C7B3A39434A494841434B26514649[...]
Found : user_pref("CT1060933.backendstorage./9b?b0d:8aj62<h", "6D");
Found : user_pref("CT1060933.backendstorage./9ba@0<0bi6a7gn:6@l?", "6E6B");
Found : user_pref("CT1060933.backendstorage.autocompletepro_enable", "31");
Found : user_pref("CT1060933.backendstorage.autocompletepro_enable_auto", "31");
Found : user_pref("CT1060933.backendstorage.cb_firstuse0100", "31");
Found : user_pref("CT1060933.backendstorage.cbcountry_000", "5048");
Found : user_pref("CT1060933.backendstorage.cbcountry_001", "5048");
Found : user_pref("CT1060933.backendstorage.cbfirsttime", "5468752044656320313520323031312031373A35363A31322[...]
Found : user_pref("CT1060933.backendstorage.cbopenmamsettings", "30");
Found : user_pref("CT1060933.backendstorage.pg_enable", "74727565");
Found : user_pref("CT1060933.backendstorage.printitgreenstatus", "74727565");
Found : user_pref("CT1060933.backendstorage.searchappstate", "33");
Found : user_pref("CT1060933.backendstorage.searchapptracking", "31");
Found : user_pref("CT1060933.backendstorage.shoppingapp.gk.exipres", "5361742041756720323520323031322030393A[...]
Found : user_pref("CT1060933.backendstorage.shoppingapp.gk.geolocation", "7068696C697070696E6573");
Found : user_pref("CT1060933.backendstorage.url_history", "687474703A2F2F7777772E66616365626F6F6B2E636F6D2F6[...]
Found : user_pref("CT1060933.backendstorage.url_history0001", "687474703A2F2F75732E6D63313930332E6D61696C2E7[...]
Found : user_pref("CT1060933.ct1060933.AppTrackingLastCheckTime", "Sat Jul 28 2012 20:19:40 GMT-0700 (Pacifi[...]
Found : user_pref("CT1060933.ct1060933.DialogsAlignMode", "LTR");
Found : user_pref("CT1060933.ct1060933.InvalidateCache", false);
Found : user_pref("CT1060933.ct1060933.LanguagePackLastCheckTime", "Wed Feb 20 2013 23:34:25 GMT-0800 (Pacif[...]
Found : user_pref("CT1060933.ct1060933.Locale", "en-us");
Found : user_pref("CT1060933.ct1060933.RadioLastCheckTime", "Wed Feb 20 2013 23:34:24 GMT-0800 (Pacific Stan[...]
Found : user_pref("CT1060933.ct1060933.RadioLastUpdateIPServer", "0");
Found : user_pref("CT1060933.ct1060933.RadioLastUpdateServer", "129326918102570000");
Found : user_pref("CT1060933.ct1060933.SearchInNewTabLastCheckTime", "Wed Feb 20 2013 23:34:20 GMT-0800 (Pac[...]
Found : user_pref("CT1060933.ct1060933.SettingsLastCheckTime", "Wed Feb 20 2013 23:34:19 GMT-0800 (Pacific S[...]
Found : user_pref("CT1060933.ct1060933.SettingsLastUpdate", "1361369507");
Found : user_pref("CT1060933.ct1060933.ThirdPartyComponentsLastCheck", "Fri Feb 01 2013 17:12:19 GMT-0800 (P[...]
Found : user_pref("CT1060933.ct1060933.ThirdPartyComponentsLastUpdate", "1331805997");
Found : user_pref("CT1060933.ct1060933.globalFirstTimeInfoLastCheckTime", "Fri Feb 15 2013 10:55:27 GMT-0800[...]
Found : user_pref("CT1060933.ct1060933.toolbarAppMetaDataLastCheckTime", "Wed Feb 20 2013 23:34:26 GMT-0800 [...]
Found : user_pref("CT1060933.ct1060933.toolbarContextMenuLastCheckTime", "Tue Feb 19 2013 18:05:41 GMT-0800 [...]
Found : user_pref("CT1060933.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.c[...]
Found : user_pref("CT1060933.globalFirstTimeInfoLastCheckTime", "Thu Sep 22 2011 18:36:41 GMT-0700 (Pacific [...]
Found : user_pref("CT1060933.homepageProtectorEnableByLogin", true);
Found : user_pref("CT1060933.initDone", true);
Found : user_pref("CT1060933.isAppTrackingManagerOn", false);
Found : user_pref("CT1060933.isFirstRadioInstallation", false);
Found : user_pref("CT1060933.myStuffEnabled", true);
Found : user_pref("CT1060933.myStuffPublihserMinWidth", 400);
Found : user_pref("CT1060933.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
Found : user_pref("CT1060933.myStuffServiceIntervalMM", 1440);
Found : user_pref("CT1060933.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
Found : user_pref("CT1060933.oldAppsList", "128346981843587669,128280995260143876,111,129272674122038321,129[...]
Found : user_pref("CT1060933.revertSettingsEnabled", true);
Found : user_pref("CT1060933.searchProtectorDialogDelayInSec", 10);
Found : user_pref("CT1060933.searchProtectorEnableByLogin", true);
Found : user_pref("CT1060933.testingCtid", "");
Found : user_pref("CT1060933.toolbarAppMetaDataLastCheckTime", "Thu Sep 22 2011 18:36:41 GMT-0700 (Pacific S[...]
Found : user_pref("CT1060933.toolbarContextMenuLastCheckTime", "Thu Sep 22 2011 18:36:49 GMT-0700 (Pacific S[...]
Found : user_pref("CT1060933.usagesFlag", 2);
Found : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/ct1060933/CT1060933[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT1060933", [...]
Found : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=ct1060933", [...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&lo[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&loc[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&lo[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&local[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.10[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.12[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.13[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.14[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.15[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.16[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.18[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.6.[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.7.[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.8.[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.8.[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.9.[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT1060933",[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.conduit-services.com/?ctid=CT1060933&octid=[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.conduit-services.com/?ctid=ct1060933&octid=[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/equaliz[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/minimiz[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/play.gi[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/stop.gi[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://storage.conduit.com/BankImages/RadioSkins/Cornflower/vol.gif[...]
Found : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en-us", "\"[...]
Found : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Documents and Settings\\nicky\\Application[...]
Found : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.18.0.7");
Found : user_pref("CommunityToolbar.MiniIPageGadgetSize.hxxp://freecorder.com/fc6/gadget/video.html", "833x2[...]
Found : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "");
Found : user_pref("CommunityToolbar.ToolbarsList", "CT1060933");
Found : user_pref("CommunityToolbar.ToolbarsList2", "CT1060933");
Found : user_pref("CommunityToolbar.ToolbarsList4", "CT1060933");
Found : user_pref("CommunityToolbar.globalUserId", "ca2bed65-cd55-424b-a2da-d08a5fe2404c");
Found : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
Found : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
Found : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Fri Feb 15 2013 10:55:3[...]
Found : user_pref("CommunityToolbar.notifications.clientsServerUrl", "hxxp://alert.client.conduit.com");
Found : user_pref("CommunityToolbar.notifications.locale", "en");
Found : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440);
Found : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Wed Feb 20 2013 23:34:18 GMT-0800 (P[...]
Found : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1313487611");
Found : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20);
Found : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com");
Found : user_pref("CommunityToolbar.notifications.showTrayIcon", false);
Found : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300);
Found : user_pref("CommunityToolbar.notifications.userId", "0f70188d-ccb7-454c-960a-8b1f3a5e7d15");
Found : user_pref("browser.search.defaultengine", "Ask.com");
Found : user_pref("browser.search.defaultenginename", "Ask.com");
Found : user_pref("browser.search.order.1", "Ask.com");
Found : user_pref("extensions.asktb.ff-original-keyword-url", "");
Found : user_pref("keyword.URL", "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=UTR&o=15467&locale=e[...]
 
-\\ Google Chrome v26.0.1410.64
 
File : C:\Documents and Settings\nicky\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [35766 octets] - [13/04/2013 19:05:25]
 
########## EOF - C:\AdwCleaner[R1].txt - [35827 octets] ##########
 
 
 
I am able to search and open websites without Google redirecting me to its warning page.


#8 Elise


Posted 13 April 2013 - 05:11 AM

I'm glad to hear that. :)
 
Your Windows installation is very outdated; you need to update to Service Pack 3 as soon as possible!
Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.



Please rerun AdwCleaner and select the Delete option.

Finally, please rerun DDS and check the option for attach.txt. Post both dds.txt and attach.txt.

regards, Elise



#9 IBreakPCs

  • Topic Starter


Posted 13 April 2013 - 05:42 AM

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_31
Run by nicky at 20:20:01 on 2013-04-13
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2038.1238 [GMT -7:00]
.
AV: ESET NOD32 Antivirus 3.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\BR040286.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Akamai\netsession_win.exe
C:\DOCUME~1\nicky\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.garena.com/
uInternet Connection Wizard,ShellNext = iexplore
uProxyOverride = 127.0.0.1:9421;<local>
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://search.imesh.com/sidebar.html?src=ssb&sysid=1
uURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053F9267-DC04-4294-A72C-58F732D338C0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahooo Search Protection: {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: MediaBar: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - 
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: MediaBar: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - 
uRun: [ChikkaDefault] c:\progra~1\chikka~1\chikka~1.4\ChikkaLauncher.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [Akamai NetSession Interface] "c:\documents and settings\nicky\local settings\application data\akamai\netsession_win.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [BisonInst0402] c:\windows\BR040286.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Download All using 4shared Desktop - c:\program files\4shared desktop\down_all.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\plants vs. zombies\images\stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341720490000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{011ED562-B2F6-4ACC-945E-3F1469FE7BB7} : DHCPNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nicky\application data\mozilla\firefox\profiles\etd1k36o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-3 14336]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\supportappxl\cdrom_mon.exe [2011-3-18 81920]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-8-13 3064000]
S0 vryiav;vryiav;c:\windows\system32\drivers\geof.sys --> c:\windows\system32\drivers\geof.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2004-8-3 3584]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-7-12 66112]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena\safedrv.sys --> c:\program files\garena\safedrv.sys [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-12-31 100736]
S3 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys --> c:\windows\system32\drivers\idmtdi.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-4-13 40776]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rak;rak;c:\windows\system32\rakion.sys [2010-5-1 60928]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-7-12 180672]
S3 ssudnflt;Remote NDIS Filter Driver;c:\windows\system32\drivers\ssudnflt.sys [2012-7-12 15936]
S3 ssudobex;SAMSUNG Mobile USB OBEX Serial Port(DEVGURU Ver.);c:\windows\system32\drivers\ssudobex.sys [2012-7-12 180672]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva285;XDva285;\??\c:\windows\system32\xdva285.sys --> c:\windows\system32\XDva285.sys [?]
S3 XDva296;XDva296;\??\c:\windows\system32\xdva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva383;XDva383;\??\c:\windows\system32\xdva383.sys --> c:\windows\system32\XDva383.sys [?]
S3 XDva391;XDva391;\??\c:\windows\system32\xdva391.sys --> c:\windows\system32\XDva391.sys [?]
S3 XDva401;XDva401;\??\c:\windows\system32\xdva401.sys --> c:\windows\system32\XDva401.sys [?]
.
=============== Created Last 30 ================
.
2013-04-14 03:14:28 -------- dc-h--w- c:\windows\ie8
2013-04-14 00:55:15 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2013-04-14 00:55:15 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2013-04-14 00:43:49 -------- d-sha-r- C:\cmdcons
2013-04-14 00:41:40 98816 ----a-w- c:\windows\sed.exe
2013-04-14 00:41:40 256000 ----a-w- c:\windows\PEV.exe
2013-04-14 00:41:40 208896 ----a-w- c:\windows\MBR.exe
2013-04-13 23:40:01 -------- d-----w- c:\program files\PC Tools
2013-04-13 22:46:38 202280 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2013-04-13 22:46:32 -------- d-----w- c:\program files\common files\PC Tools
2013-04-13 22:41:44 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2013-04-13 22:41:42 -------- d-----w- c:\documents and settings\nicky\application data\TestApp
2013-04-13 21:56:20 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-03-25 05:38:52 -------- d-----w- c:\windows\system32\CatRoot_bak
2013-03-25 05:33:09 -------- d-----w- c:\documents and settings\nicky\local settings\application data\PCHealth
2013-03-25 02:53:09 -------- d-----w- c:\documents and settings\nicky\application data\Malwarebytes
2013-03-25 02:52:48 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-03-25 02:27:20 -------- d-----w- c:\program files\AnalogX
2013-03-23 07:21:07 -------- d-----w- c:\program files\K-Lite Codec Pack
2013-03-23 06:40:02 -------- d-----w- c:\program files\Mega Codec Pack
.
==================== Find3M  ====================
.
2013-03-18 01:19:43 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-18 01:19:43 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 20:20:54.51 ===============
 
 
 
 
I'm sorry. I just noticed I posted the wrong log.


Edited by IBreakPCs, 13 April 2013 - 06:17 AM.


#10 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:36 PM

Posted 13 April 2013 - 06:46 AM

Hi, the dds.txt looks like it is from before the update, please rerun DDS and post the new log.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#11 IBreakPCs

  • Topic Starter

  • Members
  • 31 posts
  • Local time:01:36 AM

Posted 13 April 2013 - 09:12 AM

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_31
Run by nicky at 23:15:10 on 2013-04-13
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2038.1331 [GMT -7:00]
.
AV: ESET NOD32 Antivirus 3.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\BR040286.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\ChikkaLauncher.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Akamai\netsession_win.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Akamai\netsession_win.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\nicky\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\nicky\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.garena.com/
uInternet Connection Wizard,ShellNext = iexplore
uProxyOverride = 127.0.0.1:9421;<local>
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
mSearchAssistant = hxxp://search.imesh.com/sidebar.html?src=ssb&sysid=1
uURLSearchHooks: YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053F9267-DC04-4294-A72C-58F732D338C0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahooo Search Protection: {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: MediaBar: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - 
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: MediaBar: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - 
uRun: [ChikkaDefault] c:\progra~1\chikka~1\chikka~1.4\ChikkaLauncher.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [Akamai NetSession Interface] "c:\documents and settings\nicky\local settings\application data\akamai\netsession_win.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [BisonInst0402] c:\windows\BR040286.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Download All using 4shared Desktop - c:\program files\4shared desktop\down_all.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\plants vs. zombies\images\stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341720490000
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{011ED562-B2F6-4ACC-945E-3F1469FE7BB7} : DHCPNameServer = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\nicky\application data\mozilla\firefox\profiles\etd1k36o.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-7-1 34312]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-3 14336]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\supportappxl\cdrom_mon.exe [2011-3-18 81920]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-7-1 468224]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-8-13 3064000]
S0 vryiav;vryiav;c:\windows\system32\drivers\geof.sys --> c:\windows\system32\drivers\geof.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2004-8-3 3584]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-1-8 161536]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-7-12 66112]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\garena\safedrv.sys --> c:\program files\garena\safedrv.sys [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-12-31 100736]
S3 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys --> c:\windows\system32\drivers\idmtdi.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-4-13 40776]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rak;rak;c:\windows\system32\rakion.sys [2010-5-1 60928]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-7-12 180672]
S3 ssudnflt;Remote NDIS Filter Driver;c:\windows\system32\drivers\ssudnflt.sys [2012-7-12 15936]
S3 ssudobex;SAMSUNG Mobile USB OBEX Serial Port(DEVGURU Ver.);c:\windows\system32\drivers\ssudobex.sys [2012-7-12 180672]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva285;XDva285;\??\c:\windows\system32\xdva285.sys --> c:\windows\system32\XDva285.sys [?]
S3 XDva296;XDva296;\??\c:\windows\system32\xdva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva383;XDva383;\??\c:\windows\system32\xdva383.sys --> c:\windows\system32\XDva383.sys [?]
S3 XDva391;XDva391;\??\c:\windows\system32\xdva391.sys --> c:\windows\system32\XDva391.sys [?]
S3 XDva401;XDva401;\??\c:\windows\system32\xdva401.sys --> c:\windows\system32\XDva401.sys [?]
.
=============== Created Last 30 ================
.
2013-04-14 03:14:28 -------- dc-h--w- c:\windows\ie8
2013-04-14 00:55:15 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2013-04-14 00:55:15 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2013-04-14 00:43:49 -------- d-sha-r- C:\cmdcons
2013-04-14 00:41:40 98816 ----a-w- c:\windows\sed.exe
2013-04-14 00:41:40 256000 ----a-w- c:\windows\PEV.exe
2013-04-14 00:41:40 208896 ----a-w- c:\windows\MBR.exe
2013-04-13 23:40:01 -------- d-----w- c:\program files\PC Tools
2013-04-13 22:46:38 202280 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2013-04-13 22:46:32 -------- d-----w- c:\program files\common files\PC Tools
2013-04-13 22:41:44 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2013-04-13 22:41:42 -------- d-----w- c:\documents and settings\nicky\application data\TestApp
2013-04-13 21:56:20 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-03-25 05:38:52 -------- d-----w- c:\windows\system32\CatRoot_bak
2013-03-25 05:33:09 -------- d-----w- c:\documents and settings\nicky\local settings\application data\PCHealth
2013-03-25 02:53:09 -------- d-----w- c:\documents and settings\nicky\application data\Malwarebytes
2013-03-25 02:52:48 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-03-25 02:27:20 -------- d-----w- c:\program files\AnalogX
2013-03-23 07:21:07 -------- d-----w- c:\program files\K-Lite Codec Pack
2013-03-23 06:40:02 -------- d-----w- c:\program files\Mega Codec Pack
.
==================== Find3M  ====================
.
2013-03-18 01:19:43 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-18 01:19:43 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
============= FINISH: 23:16:07.85 ===============



#12 IBreakPCs

  • Topic Starter

  • Members
  • 31 posts
  • Local time:01:36 AM

Posted 13 April 2013 - 10:07 AM

Hmm. I just noticed that the file that I am quite sure is the source of the virus has not been deleted. It's that Mega Codec Pack written at the end part. It won't let me delete it, saying:

"Cannot delete mkunicode.dll: Access denied. Make sure that disk is not full or write protected and that file is currently not in use."



#13 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:36 PM

Posted 13 April 2013 - 12:30 PM

Look for an uninstall option in Add/Remove programs (Start > Run, type appwiz.cpl and press enter).

Did the Service Pack 3 installation and updates go well? I see service pack 3 in your installed programs, but the DDS log header shows service pack 2.

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
  • Download the latest version of Java Runtime Environment (JRE) Version 7u13.
  • Look for "JDK 7u17 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

regards, Elise




#14 IBreakPCs

  • Topic Starter

  • Members
  • 31 posts
  • Local time:01:36 AM

Posted 14 April 2013 - 05:23 AM

I am very sorry for the very late reply. It has been a busy day (we went to a christening).

 

Do I delete Java™ 6 Update 31 too?

 

I remember trying to upgrade my service pack to 3 and then I also remember failing it. I can't remember what went wrong though.

 

And, no. No uninstall option there.


Edited by IBreakPCs, 14 April 2013 - 05:36 AM.


#15 Elise


    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,257 posts
  • Gender:Female
  • Location:Romania
  • Local time:12:36 PM

Posted 14 April 2013 - 06:34 AM

Okay, please go to add/remove programs and locate Service Pack 3 there. Click on Remove to uninstall it.

After uninstalling it, try to reinstall it through Windows Update and let me know if that works.


regards, Elise






