Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ZeroAccess rootkit


  • This topic is locked This topic is locked
36 replies to this topic

#1 Sin is Jecht

Sin is Jecht

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 16 August 2013 - 04:13 PM

Hi,

 

I was redirected from the "Am I infected" forum, I posted some logs over there:

 

http://www.bleepingcomputer.com/forums/t/504520/various-issues-malware/

 

I've been having various issues, initially with installing the Partypoker app - it told me there is a problem with swflash.cab.
 
I tried to install a flash update and got "certificate authentication failed"
 
Tried to run windows auto-update in the bottom corner as below but clicking on the icon does nothing.
 
So I searched google for fixes to this.  One of them involved setting up a new user account.  So I went to Control Panel and tried clicking on User Accounts but that won't open either.  Tried a few other icons on Control Panel at this point just out of curiosity - "Troubleshooting", "System", "Windows Update", "Action Center", "Backup and Restore", "Credential Manager", "Default Programs", "Homegroup", "Network and Sharing center" all won't open when clicked on.  Haven't even tried them all.
 
Finally, I tried running "Microsoft Fix it" and got a runtime error: code 80040402.

 

Thanks

 

 

DDS log below:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16470  BrowserJavaVersion: 10.13.2
Run by Tom at 22:06:25 on 2013-08-16
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.44.1033.18.5996.3751 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Users\Tom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe
C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\iTunes\iTunes.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_8_800_94.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://acer.msn.com
uDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
mDefault_Page_URL = hxxp://acer.msn.com
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: CescrtHlpr Object: {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.19\bh\BabylonToolbar.dll
BHO: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Vuze Remote Toolbar: {BA14329E-9550-4989-B3F2-9732E92D17CC} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
TB: Babylon Toolbar: {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarTlbr.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuze.dll
TB: Conduit Engine: {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
uRun: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [Spotify Web Helper] "C:\Users\Tom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRun: [Spotify] "C:\Users\Tom\AppData\Roaming\Spotify\spotify.exe" /uri spotify:autostart
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
mRun: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [BackupManagerTray] "C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [MDS_Menu] "C:\Program Files (x86)\Acer\clear.fi\MediaEspresso\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\Acer\clear.fi\MediaEspresso" UpdateWithCreateOnce "Software\CyberLink\MediaEspresso\6.1"
mRun: [ArcadeMovieService] "C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe"
mRun: [BabylonToolbar] "C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe" /md I
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe" -osboot
mRun: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
StartupFolder: C:\Users\Tom\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: NameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{1C67A75D-42F4-4820-B2E6-5ED4E560D3CB} : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{3C0F1A3E-05FC-41E2-AB75-6E4BF0865A1D} : DHCPNameServer = 194.168.4.100 194.168.8.100
TCP: Interfaces\{3C0F1A3E-05FC-41E2-AB75-6E4BF0865A1D}\244584F6D656845726D293630303 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{3C0F1A3E-05FC-41E2-AB75-6E4BF0865A1D}\35B4959383435343 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{3C0F1A3E-05FC-41E2-AB75-6E4BF0865A1D}\8445340205F627471626C6560284F6473707F647 : DHCPNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = hxxp://acer.msn.com
x64-mDefault_Page_URL = hxxp://acer.msn.com
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [RtHDVBg] C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /FORPCEE4
x64-Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Run: [SynTPEnh] C:\Program Files (x86)\Synaptics\SynTP\SynTPEnh.exe
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\3emxycwh.default\
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=toolbar2&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Downloader\npdd.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Veetle\Player\npvlc.dll
FF - plugin: C:\Program Files (x86)\Veetle\plugins\npVeetle.dll
FF - plugin: C:\Program Files (x86)\Vizzed\Vizzed Retro Game Room\NpVizzedRgr.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Tom\AppData\Roaming\TorrentStream\player\npts.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1168638.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_8_800_94.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\System32\drivers\mwlPSDFilter.sys [2010-12-6 22912]
R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\System32\drivers\mwlPSDNserv.sys [2010-12-6 20328]
R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\System32\drivers\mwlPSDVDisk.sys [2010-12-6 62584]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2010-12-10 311376]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2010-12-6 868224]
R2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2010-1-8 23584]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-12-6 13336]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-2 2804568]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [2010-11-12 257344]
R2 PassThru Service;Internet Pass-Through Service;C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2010-9-16 80896]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-3-7 2656280]
R2 Updater Service;Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2010-12-6 243232]
R3 b57xdbd;Broadcom xD Picture Bus Driver Service;C:\Windows\System32\drivers\b57xdbd.sys [2010-12-11 67112]
R3 b57xdmp;Broadcom xD Picture vstorp client drv;C:\Windows\System32\drivers\b57xdmp.sys [2010-12-11 19496]
R3 bScsiMSa;bScsiMSa;C:\Windows\System32\drivers\bScsiMSa.sys [2010-12-15 35368]
R3 bScsiSDa;bScsiSDa;C:\Windows\System32\drivers\bScsiSDa.sys [2010-12-11 85544]
R3 IntcDAud;Intel® Display Audio;C:\Windows\System32\drivers\IntcDAud.sys [2011-1-6 317440]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\System32\drivers\k57nd60a.sys [2010-12-1 411688]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-9-30 80384]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-9-30 180736]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 EgisTec Ticket Service;EgisTec Ticket Service;C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2010-9-28 172912]
S3 htcnprot;HTC NDIS Protocol Driver;C:\Windows\System32\drivers\htcnprot.sys [2010-6-25 36928]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-7-9 52736]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2011-5-10 1255736]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
.
=============== Created Last 30 ================
.
2013-08-16 20:06:20    --------    d-----w-    C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2013-08-15 19:03:45    --------    d-----w-    C:\Program Files\CCleaner
2013-08-15 18:54:11    9460976    ----a-w-    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0D340219-286A-40BF-BE3F-AA0D9CA02B3B}\mpengine.dll
2013-08-14 19:29:48    --------    d-----w-    C:\Users\Tom\AppData\Local\Programs
2013-08-11 16:12:18    --------    d-----w-    C:\Users\Tom\AppData\Local\eclipse
2013-08-11 16:06:29    --------    d-----w-    C:\Program Files (x86)\CarbonPoker
2013-08-11 16:04:29    --------    d-----w-    C:\Programs
2013-07-31 18:17:44    --------    d-----w-    C:\Users\Tom\AppData\Local\{472EC4A2-EB7A-44DB-B39A-4E6434853F72}
.
==================== Find3M  ====================
.
2013-08-14 19:03:38    71048    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-14 19:03:38    692104    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
.
============= FINISH: 22:06:55.26 ===============
 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 Sin is Jecht

Sin is Jecht
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 17 August 2013 - 09:32 AM

Just a quick update if this makes any difference..just tried to run the Full Tilt poker app, it freezes my computer now.  It worked OK last night.

Thanks.



#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:01 AM

Posted 19 August 2013 - 01:19 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
===

Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
===

thisisujrt.gif Please download
Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: Turorial
Link 1
Link 2

IMPORTANT !!! Save ComboFix.exe to your Desktop

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Do not install any other programs until this if fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note: Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply DO NOT ATTACH THEM.

Let me know what problem persists.

#4 Sin is Jecht

Sin is Jecht
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 20 August 2013 - 01:34 PM

Hi, thanks for picking this up - all reports posted below.  No change - none of the issues I had have been resolved yet.

 

RogueKiller gave me two reports on the desktop after running, as well as opening a suspicious-looking website (adlice.com/zeroaccess-removal-with-roguekiller).

 

Report 1:

 

RogueKiller V8.6.6 _x64_ [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Tom [Admin rights]
Mode : Remove -- Date : 08/20/2013 18:51:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056}\GoogleUpdate.exe" >) -> DELETED
[RUN][ZeroAccess] HKUS\S-1-5-21-1614719051-2263270317-2779530731-1001\[...]\Run : Google Update ("C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056}\GoogleUpdate.exe" >) -> [0xc0000034] Unknown error
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Users\Tom\AppData\Local\Google\Desktop\Install [-] --> DELETED
[ZeroAccess][File] @ : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056}\@ [-] --> DELETED
[ZeroAccess][File] 00000004.@ : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056}\L\00000004.@ [-] --> DELETED
[ZeroAccess][Folder] L : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056}\L [-] --> DELETED
[ZeroAccess][File] 00000004.@ : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056}\U\00000004.@ [-] --> DELETED
[ZeroAccess][File] 00000008.@ : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056}\U\00000008.@ [-] --> DELETED
[ZeroAccess][File] 80000000.@ : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056}\U\80000000.@ [-] --> DELETED
[ZeroAccess][File] 80000064.@ : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056}\U\80000064.@ [-] --> DELETED
[ZeroAccess][Folder] U : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056}\U [-] --> DELETED
[ZeroAccess][Folder] {09ce9126-9945-11bf-4d74-f194d4b2e056} : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056} [-] --> DELETED
[ZeroAccess][Folder] ???ﯹ๛ : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛ [-] --> DELETED
[ZeroAccess][Folder] ?��?��?�� : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?�� [-] --> DELETED
[ZeroAccess][Folder] ?��?��?�� : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?�� [-] --> DELETED
[ZeroAccess][Folder] {09ce9126-9945-11bf-4d74-f194d4b2e056} : C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056} [-] --> DELETED

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BPVT-22HXZT1 +++++
--- User ---
[MBR] 95ac5055065ccde65ca212ee8983f914
[BSP] 98c5b6c3197ce61220181646a23fb4d5 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31459328 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 31664128 | Size: 461478 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_08202013_185123.txt >>
RKreport[0]_S_08202013_185019.txt
 

Report 2:

 

RogueKiller V8.6.6 _x64_ [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User : Tom [Admin rights]
Mode : Scan -- Date : 08/20/2013 18:50:19
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056}\GoogleUpdate.exe" >) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-1614719051-2263270317-2779530731-1001\[...]\Run : Google Update ("C:\Users\Tom\AppData\Local\Google\Desktop\Install\{09ce9126-9945-11bf-4d74-f194d4b2e056}\?��?��?��\?��?��?��\???ﯹ๛\{09ce9126-9945-11bf-4d74-f194d4b2e056}\GoogleUpdate.exe" >) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][Folder] Install : C:\Users\Tom\AppData\Local\Google\Desktop\Install [-] --> FOUND

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BPVT-22HXZT1 +++++
--- User ---
[MBR] 95ac5055065ccde65ca212ee8983f914
[BSP] 98c5b6c3197ce61220181646a23fb4d5 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31459328 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 31664128 | Size: 461478 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_08202013_185019.txt >>


Adwcleaner
 

 

# AdwCleaner v3.000 - Report created 20/08/2013 at 18:59:42
# Updated 20/08/2013 by Xplode
# Operating System : Windows 7 Home Premium  (64 bits)
# Username : Tom - TOM-PC
# Running from : C:\Users\Tom\Downloads\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\boost_interprocess
Folder Deleted : C:\ProgramData\FREEzeFlipSA
Folder Deleted : C:\Program Files (x86)\BabylonToolbar
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\ConduitEngine
Folder Deleted : C:\Program Files (x86)\FREEzeFlip
Folder Deleted : C:\Program Files (x86)\Vuze_Remote
Folder Deleted : C:\Users\Tom\AppData\Local\Conduit
Folder Deleted : C:\Users\Tom\AppData\LocalLow\BabylonToolbar
Folder Deleted : C:\Users\Tom\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Tom\AppData\LocalLow\ConduitEngine
Folder Deleted : C:\Users\Tom\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Tom\AppData\LocalLow\Vuze_Remote
Folder Deleted : C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\3emxycwh.default\ConduitCommon
Folder Deleted : C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\3emxycwh.default\CT2504091
Folder Deleted : C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\3emxycwh.default\Extensions\ffxtlbr@babylon.com
Folder Deleted : C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\3emxycwh.default\Extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
File Deleted : C:\Users\Public\Desktop\eBay.lnk

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\Babylon.dskBnd
Key Deleted : HKLM\SOFTWARE\Classes\Babylon.dskBnd.1
Key Deleted : HKLM\SOFTWARE\Classes\bbylnApp.appCore
Key Deleted : HKLM\SOFTWARE\Classes\bbylnApp.appCore.1
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
Key Deleted : HKLM\SOFTWARE\Classes\escort.escrtBtn.1
Key Deleted : HKLM\SOFTWARE\Classes\esrv.BabylonESrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.BabylonESrvc.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BabylonToolbarsrv_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BabylonToolbarsrv_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\MyBabylontb_RASMANCS
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [BabylonToolbar]
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_java_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_java_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{AD25754E-D76C-42B3-A335-2F81478B722F}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\
Key Deleted : HKLM\SOFTWARE\Classes\AppID\
Key Deleted : HKLM\SOFTWARE\Classes\AppID\
Key Deleted : HKLM\SOFTWARE\Classes\AppID\
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{291BCCC1-6890-484A-89D3-318C928DAC1B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B8276A94-891D-453C-9FF3-715C042A2575}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BA14329E-9550-4989-B3F2-9732E92D17CC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FFB9ADCB-8C79-4C29-81D3-74D46A93D370}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{78C7EFB2-32AC-4173-A30C-74D1097C516F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{706D4A4B-184A-4434-B331-296B07493D2D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{78888F8B-D5E4-43CE-89F5-C8C18223AF64}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8B8558F6-DC26-4F39-8417-34B8934AA459}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{94C0B25D-3359-4B10-B227-F96A77DB773F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E393F82-2644-4AB6-B994-1AD39D6C59EE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A3A2A5C0-1306-4D1A-A093-9CECA4230002}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B0B75FBA-7288-4FD3-A9EB-7EE27FA65599}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B173667F-8395-4317-8DD6-45AD1FE00047}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BFE569F7-646C-4512-969B-9BE3E580D393}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2434722-5C85-4CA0-BA69-1B67E7AB3D68}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C2996524-2187-441F-A398-CD6CB6B3D020}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C8D424EF-CB21-49A0-8659-476FBAB0F8E8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E047E227-5342-4D94-80F7-CFB154BF55BD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3F79BE9-24D4-4F4D-8C13-DF2C9899F82E}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E77EEF95-3E83-4BB8-9C0D-4A5163774997}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\
Key Deleted : HKLM\SOFTWARE\Classes\Interface\
Key Deleted : HKLM\SOFTWARE\Classes\Interface\
Key Deleted : HKLM\SOFTWARE\Classes\Interface\
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6E8BF012-2C85-4834-B10A-1B31AF173D70}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{AD25754E-D76C-42B3-A335-2F81478B722F}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA14329E-9550-4989-B3F2-9732E92D17CC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA14329E-9550-4989-B3F2-9732E92D17CC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BA14329E-9550-4989-B3F2-9732E92D17CC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78C7EFB2-32AC-4173-A30C-74D1097C516F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{392D6BB6-5E2D-48BB-99F6-7603ADC4089D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DF635E60-775D-4F44-81BF-2CDFA2A84636}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{94EA1C66-EAEE-4E08-937A-DDECE4903484}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{30F9B915-B755-4826-820B-08FBA6BD249D}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{98889811-442D-49DD-99D7-DC866BE87DBC}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{BA14329E-9550-4989-B3F2-9732E92D17CC}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{BA14329E-9550-4989-B3F2-9732E92D17CC}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{BA14329E-9550-4989-B3F2-9732E92D17CC}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{BA14329E-9550-4989-B3F2-9732E92D17CC}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\
Key Deleted : HKCU\Software\BabylonToolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\FREEzeFlipSA
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\conduitEngine
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\Vuze_Remote
Key Deleted : HKLM\Software\BabylonToolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\conduitEngine
Key Deleted : HKLM\Software\FREEzeFlip
Key Deleted : HKLM\Software\Vuze_Remote
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BabylonToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Conduit Engine
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vuze_Remote Toolbar

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16470


-\\ Mozilla Firefox v23.0 (en-GB)

[ File : C:\Users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\3emxycwh.default\prefs.js ]

Line Deleted : user_pref("CT2504091..clientLogIsEnabled", false);
Line Deleted : user_pref("CT2504091..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");
Line Deleted : user_pref("CT2504091..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/RegisterToolbarUninstallation");
Line Deleted : user_pref("CT2504091.ALLOW_SHOWING_HIDDEN_TOOLBAR", false);
Line Deleted : user_pref("CT2504091.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Line Deleted : user_pref("CT2504091.BrowserCompStateIsOpen_129707804829376918", true);
Line Deleted : user_pref("CT2504091.CTID", "ct2504091");
Line Deleted : user_pref("CT2504091.CurrentServerDate", "18-8-2012");
Line Deleted : user_pref("CT2504091.DialogsAlignMode", "LTR");
Line Deleted : user_pref("CT2504091.DialogsGetterLastCheckTime", "Tue Aug 07 2012 23:15:11 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.DownloadReferralCookieData", "");
Line Deleted : user_pref("CT2504091.EMailNotifierPollDate", "Wed Jul 06 2011 20:50:28 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.FeedLastCount129079840422964131", 0);
Line Deleted : user_pref("CT2504091.FeedPollDate128891351169457140", "Thu Jul 07 2011 20:42:30 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.FeedPollDate129079840422964131", "Wed Jul 06 2011 20:45:26 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.FeedTTL128891351169457140", 40);
Line Deleted : user_pref("CT2504091.FirstServerDate", "6-7-2011");
Line Deleted : user_pref("CT2504091.FirstTime", true);
Line Deleted : user_pref("CT2504091.FirstTimeFF3", true);
Line Deleted : user_pref("CT2504091.FixPageNotFoundErrors", true);
Line Deleted : user_pref("CT2504091.GroupingServerCheckInterval", 1440);
Line Deleted : user_pref("CT2504091.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Line Deleted : user_pref("CT2504091.HasUserGlobalKeys", true);
Line Deleted : user_pref("CT2504091.Initialize", true);
Line Deleted : user_pref("CT2504091.InitializeCommonPrefs", true);
Line Deleted : user_pref("CT2504091.InstallationAndCookieDataSentCount", 3);
Line Deleted : user_pref("CT2504091.InstallationType", "ConduitIntegration");
Line Deleted : user_pref("CT2504091.InstalledDate", "Wed Jul 06 2011 20:45:25 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.IsGrouping", false);
Line Deleted : user_pref("CT2504091.IsInitSetupIni", true);
Line Deleted : user_pref("CT2504091.IsMulticommunity", false);
Line Deleted : user_pref("CT2504091.IsOpenThankYouPage", false);
Line Deleted : user_pref("CT2504091.IsOpenUninstallPage", false);
Line Deleted : user_pref("CT2504091.LanguagePackLastCheckTime", "Wed Jul 06 2011 20:45:28 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.LanguagePackReloadIntervalMM", 1440);
Line Deleted : user_pref("CT2504091.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx");
Line Deleted : user_pref("CT2504091.LastLogin_3.13.0.6", "Tue Aug 07 2012 18:10:01 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.LastLogin_3.14.1.0", "Sat Aug 18 2012 18:35:41 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.LastLogin_3.5.0.12", "Wed Jul 06 2011 20:45:28 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.LatestVersion", "3.14.1.0");
Line Deleted : user_pref("CT2504091.Locale", "en-us");
Line Deleted : user_pref("CT2504091.MCDetectTooltipHeight", "83");
Line Deleted : user_pref("CT2504091.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Line Deleted : user_pref("CT2504091.MCDetectTooltipWidth", "295");
Line Deleted : user_pref("CT2504091.MyStuffEnabledAtInstallation", true);
Line Deleted : user_pref("CT2504091.OriginalFirstVersion", "3.5.0.12");
Line Deleted : user_pref("CT2504091.SearchFromAddressBarIsInit", true);
Line Deleted : user_pref("CT2504091.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2504091&q=");
Line Deleted : user_pref("CT2504091.SearchInNewTabEnabled", true);
Line Deleted : user_pref("CT2504091.SearchInNewTabIntervalMM", 1440);
Line Deleted : user_pref("CT2504091.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_TOOLBAR_ID");
Line Deleted : user_pref("CT2504091.SearchInNewTabUsageUrl", "hxxp://Usage.Hosting.conduit-services.com/UsageService.asmx/UsersRequests?ctid=EB_TOOLBAR_ID");
Line Deleted : user_pref("CT2504091.ServiceMapLastCheckTime", "Tue Aug 07 2012 23:15:10 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.SettingsLastCheckTime", "Wed Jul 06 2011 20:45:24 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.SettingsLastUpdate", "1306530423");
Line Deleted : user_pref("CT2504091.ThirdPartyComponentsInterval", 504);
Line Deleted : user_pref("CT2504091.ThirdPartyComponentsLastCheck", "Wed Jul 06 2011 20:45:24 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.ThirdPartyComponentsLastUpdate", "1246786978");
Line Deleted : user_pref("CT2504091.ToolbarShrinkedFromSetup", false);
Line Deleted : user_pref("CT2504091.TrusteLinkUrl", "hxxp://trust.conduit.com/CT2504091");
Line Deleted : user_pref("CT2504091.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,client.conduit-storage.com,OurToolbar.com,CommunityToolbars.com,ForumToolbar.com,MyBlogToolbar.com,MyCity[...]
Line Deleted : user_pref("CT2504091.UserID", "UN25457940036321125");
Line Deleted : user_pref("CT2504091.ValidationData_Toolbar", 0);
Line Deleted : user_pref("CT2504091.alertChannelId", "897164");
Line Deleted : user_pref("CT2504091.ct2504091.DialogsAlignMode", "LTR");
Line Deleted : user_pref("CT2504091.ct2504091.FeedLastCount129079840422964131", 0);
Line Deleted : user_pref("CT2504091.ct2504091.LanguagePackLastCheckTime", "Sat Aug 18 2012 18:35:40 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.ct2504091.Locale", "en-us");
Line Deleted : user_pref("CT2504091.ct2504091.SearchInNewTabLastCheckTime", "Thu Aug 16 2012 21:57:15 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.ct2504091.SettingsLastCheckTime", "Sat Aug 18 2012 18:35:40 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.ct2504091.SettingsLastUpdate", "1345149440");
Line Deleted : user_pref("CT2504091.ct2504091.ThirdPartyComponentsLastCheck", "Wed Jul 06 2011 20:45:25 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.ct2504091.ThirdPartyComponentsLastUpdate", "1246786978");
Line Deleted : user_pref("CT2504091.ct2504091.globalFirstTimeInfoLastCheckTime", "Thu Jul 07 2011 17:42:32 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.ct2504091.toolbarAppMetaDataLastCheckTime", "Tue Aug 07 2012 23:15:11 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.ct2504091.toolbarContextMenuLastCheckTime", "Wed Jul 06 2011 20:45:29 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.generalConfigFromLogin", "{\"ApiMaxAlerts\":\"12\",\"SocialDomains\":\"social.conduit.com;apps.conduit.com;services.apps.conduit.com\",\"AppsDetectionUrlPattern\":\"hxxp://appdown[...]
Line Deleted : user_pref("CT2504091.globalFirstTimeInfoLastCheckTime", "Wed Jul 06 2011 20:45:27 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.homepageProtectorEnableByLogin", true);
Line Deleted : user_pref("CT2504091.initDone", true);
Line Deleted : user_pref("CT2504091.isAppTrackingManagerOn", true);
Line Deleted : user_pref("CT2504091.myStuffEnabled", true);
Line Deleted : user_pref("CT2504091.myStuffPublihserMinWidth", 400);
Line Deleted : user_pref("CT2504091.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOrigin=29&ctid=EB_TOOLBAR_ID&octid=EB_ORIGINAL_CTID");
Line Deleted : user_pref("CT2504091.myStuffServiceIntervalMM", 1440);
Line Deleted : user_pref("CT2504091.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?ComponentId=EB_MY_STUFF_INSTANCE_GUID&lut=EB_MY_STUFF_LUT");
Line Deleted : user_pref("CT2504091.revertSettingsEnabled", true);
Line Deleted : user_pref("CT2504091.searchProtectorDialogDelayInSec", 10);
Line Deleted : user_pref("CT2504091.searchProtectorEnableByLogin", true);
Line Deleted : user_pref("CT2504091.testingCtid", "");
Line Deleted : user_pref("CT2504091.toolbarAppMetaDataLastCheckTime", "Wed Jul 06 2011 20:45:25 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.toolbarContextMenuLastCheckTime", "Wed Jul 06 2011 20:45:28 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CT2504091.usagesFlag", 2);
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://Settings.toolbar.search.conduit.com/root/ct2504091/CT2504091", "\"c924aae506e763db29e6fd1d54ac7b602\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=CT2504091", "\"0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://appsmetadata.toolbar.conduit-services.com/?ctid=ct2504091", "\"1326306883\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=GottenApps&locale=en-us", "wVmmvqqOMqrv5xct1cJIHg==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=OtherApps&locale=en-us", "0uSPYx+Kl2jpu8sJZMeHjw==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=SharedApps&locale=en-us", "Dclc8oo4TTv7+mAkSlUSWg==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://contextmenu.toolbar.conduit-services.com/?name=Toolbar&locale=en-us", "K4Vqu91uAzWURlxJRdXJOg==");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.alert.conduit-services.com/alert/dlg.pkg", "\"803651ba7facb1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.13.0.6", "\"0d648794549cd1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.14.1.0", "\"80b45d28468cd1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://dynamicdialogs.toolbar.conduit-services.com/DLG.pkg?ver=3.5.0.12", "\"807dc126dd28cc1:0\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://servicemap.conduit-services.com/Toolbar/?ownerId=CT2504091", "\"c912886ea3ba021d3a9ef2d6ad700899\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.search.conduit.com/root/CT2504091/CT2504091", "\"1306530423\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://settings.toolbar.search.conduit.com/root/ct2504091/CT2504091", "\"1306530423\"");
Line Deleted : user_pref("CommunityToolbar.ETag.hxxp://translation.toolbar.conduit-services.com/?locale=en-us", "\"59d84c253c1c4473e2fda664257ba2bb\"");
Line Deleted : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Users\\Tom\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3emxycwh.default\\conduitCommon\\modules\\3.5.0.12");
Line Deleted : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.5.0.12");
Line Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "hxxp://search.babylon.com/?babsrc=toolbar2&q=");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2504091");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2504091");
Line Deleted : user_pref("CommunityToolbar.ToolbarsList4", "CT2504091");
Line Deleted : user_pref("CommunityToolbar.globalUserId", "15eefda3-2c5c-4926-94b7-bba7ffa6ee62");
Line Deleted : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
Line Deleted : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
Line Deleted : user_pref("CommunityToolbar.notifications.alertDialogsGetterLastCheckTime", "Wed Jul 06 2011 20:45:26 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.clientsServerUrl", "hxxp://alert.client.conduit.com");
Line Deleted : user_pref("CommunityToolbar.notifications.locale", "en");
Line Deleted : user_pref("CommunityToolbar.notifications.loginIntervalMin", 1440);
Line Deleted : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Wed Jul 06 2011 20:45:24 GMT+0100 (GMT Daylight Time)");
Line Deleted : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "1305622559");
Line Deleted : user_pref("CommunityToolbar.notifications.messageShowTimeSec", 20);
Line Deleted : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com");
Line Deleted : user_pref("CommunityToolbar.notifications.showTrayIcon", false);
Line Deleted : user_pref("CommunityToolbar.notifications.userCloseIntervalMin", 300);
Line Deleted : user_pref("CommunityToolbar.notifications.userId", "da0ea714-e922-4b56-a80b-4e3f72df3a3d");
Line Deleted : user_pref("extensions.BabylonToolbar.admin", false);
Line Deleted : user_pref("extensions.BabylonToolbar.aflt", "orgnl");
Line Deleted : user_pref("extensions.BabylonToolbar.bbDpng", 19);
Line Deleted : user_pref("extensions.BabylonToolbar.cntry", "GB");
Line Deleted : user_pref("extensions.BabylonToolbar.dfltSrch", false);
Line Deleted : user_pref("extensions.BabylonToolbar.excTlbr", false);
Line Deleted : user_pref("extensions.BabylonToolbar.firstRun", false);
Line Deleted : user_pref("extensions.BabylonToolbar.hdrMd5", "90C068F620002D491C1B21DF99CDA089");
Line Deleted : user_pref("extensions.BabylonToolbar.hmpg", false);
Line Deleted : user_pref("extensions.BabylonToolbar.lastActv", "18");
Line Deleted : user_pref("extensions.BabylonToolbar.lastDP", 19);
Line Deleted : user_pref("extensions.BabylonToolbar.lastVrsn", "1.1.5");
Line Deleted : user_pref("extensions.BabylonToolbar.lastVrsnTs", "");
Line Deleted : user_pref("extensions.BabylonToolbar.mntrFFxVrsn", "23.0");
Line Deleted : user_pref("extensions.BabylonToolbar.newTab", true);
Line Deleted : user_pref("extensions.BabylonToolbar.newTabUrl", "hxxp://search.babylon.com/?babsrc=NT_FFUP");
Line Deleted : user_pref("extensions.BabylonToolbar.noFFXTlbr", false);
Line Deleted : user_pref("extensions.BabylonToolbar.propectorlck", 115433567);
Line Deleted : user_pref("extensions.BabylonToolbar.smplGrp", "azb");
Line Deleted : user_pref("extensions.enabledAddons", "ffxtlbr%40babylon.com:1.2.0,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:23.0");
Line Deleted : user_pref("extensions.installCache", "[{\"name\":\"app-global\",\"addons\":{\"{972ce4c6-7e08-4474-a285-3208198ce6fd}\":{\"descriptor\":\"C:\\\\Program Files (x86)\\\\Mozilla Firefox\\\\browser\\\\exte[...]
Line Deleted : user_pref("keyword.URL", "hxxp://search.babylon.com/?babsrc=toolbar2&q=");

-\\ Google Chrome v25.0.1364.172

[ File : C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [31013 octets] - [20/08/2013 18:58:43]
AdwCleaner[S0].txt - [27444 octets] - [20/08/2013 18:59:42]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [27505 octets] ##########
 

 

Junkware Removal Tool

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.1 (08.19.2013:1)
OS: Windows 7 Home Premium x64
Ran by Tom on 20/08/2013 at 19:03:36.21
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT2504091
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASMANCS



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"
Successfully deleted: [Empty Folder] C:\Users\Tom\appdata\local\{408D0585-5505-45D0-8D2A-C73A69BC673D}
Successfully deleted: [Empty Folder] C:\Users\Tom\appdata\local\{472EC4A2-EB7A-44DB-B39A-4E6434853F72}
Successfully deleted: [Empty Folder] C:\Users\Tom\appdata\local\{532B88F7-7958-4741-8E4D-1FAC647BC8E3}
Successfully deleted: [Empty Folder] C:\Users\Tom\appdata\local\{59C6EC57-E01D-46A6-ABC7-5F7709D04D74}
Successfully deleted: [Empty Folder] C:\Users\Tom\appdata\local\{9E93C75C-F3B0-4D81-9CCF-B0F8EA8F218A}



~~~ FireFox

Successfully deleted: [File] C:\Users\Tom\AppData\Roaming\mozilla\firefox\profiles\3emxycwh.default\searchplugins\youtube-video-search.xml
Emptied folder: C:\Users\Tom\AppData\Roaming\mozilla\firefox\profiles\3emxycwh.default\minidumps [25 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 20/08/2013 at 19:08:52.40
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

ComboFix 13-08-19.02 - Tom 20/08/2013  19:13:42.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.44.1033.18.5996.4216 [GMT 1:00]
Running from: c:\users\Tom\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\frapsvid.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-20 to 2013-08-20  )))))))))))))))))))))))))))))))
.
.
2013-08-20 18:20 . 2013-08-20 18:20    --------    d-----w-    c:\users\Default\AppData\Local\temp
2013-08-20 18:14 . 2013-08-20 18:14    76232    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{0D340219-286A-40BF-BE3F-AA0D9CA02B3B}\offreg.dll
2013-08-20 18:03 . 2013-08-20 18:03    --------    d-----w-    c:\windows\ERUNT
2013-08-20 17:58 . 2013-08-20 17:59    --------    d-----w-    C:\AdwCleaner
2013-08-16 20:06 . 2013-08-16 20:27    --------    d-----w-    c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-08-15 19:03 . 2013-08-15 19:03    --------    d-----w-    c:\program files\CCleaner
2013-08-15 18:54 . 2013-07-02 08:34    9460976    ----a-w-    c:\programdata\Microsoft\Windows Defender\Definition Updates\{0D340219-286A-40BF-BE3F-AA0D9CA02B3B}\mpengine.dll
2013-08-14 19:29 . 2013-08-14 19:29    --------    d-----w-    c:\users\Tom\AppData\Local\Programs
2013-08-11 16:12 . 2013-08-11 16:12    --------    d-----w-    c:\users\Tom\AppData\Local\eclipse
2013-08-11 16:06 . 2013-08-16 23:17    --------    d-----w-    c:\program files (x86)\CarbonPoker
2013-08-11 16:04 . 2013-08-11 16:04    --------    d-----w-    C:\Programs
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-15 18:54 . 2010-06-24 10:33    22240    ----a-w-    c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2013-08-14 19:03 . 2012-11-06 17:27    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-08-14 19:03 . 2012-11-06 17:27    692104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Xvid"="c:\program files (x86)\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2013-07-26 1807272]
"Spotify Web Helper"="c:\users\Tom\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-07-10 1104384]
"Spotify"="c:\users\Tom\AppData\Roaming\Spotify\spotify.exe" [2013-07-10 4640768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-09-14 283160]
"SuiteTray"="c:\program files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2010-09-28 340336]
"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2010-09-18 407920]
"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2010-09-18 201584]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"BackupManagerTray"="c:\program files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" [2010-11-12 296768]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-04-27 113288]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2010-12-09 1025616]
"MDS_Menu"="c:\program files (x86)\Acer\clear.fi\MediaEspresso\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"ArcadeMovieService"="c:\program files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe" [2010-12-09 177448]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\Update\realsched.exe" [2011-06-26 273544]
"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-01-27 585728]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-11 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-09-09 421776]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-10-25 421888]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IsMyWinLockerReboot"="msiexec.exe" [2009-07-14 73216]
.
c:\users\Tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe;c:\program files\Acer\Acer Updater\UpdaterService.exe [x]
R3 EgisTec Ticket Service;EgisTec Ticket Service;c:\program files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe;c:\program files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [x]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys;c:\windows\SYSNATIVE\DRIVERS\htcnprot.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDFilter.sys [x]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDNServ.sys [x]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDVDisk.sys [x]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe [x]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [x]
S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe;c:\program files (x86)\Acer\Registration\GREGsvc.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe;c:\program files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [x]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 b57xdbd;Broadcom xD Picture Bus Driver Service;c:\windows\system32\DRIVERS\b57xdbd.sys;c:\windows\SYSNATIVE\DRIVERS\b57xdbd.sys [x]
S3 b57xdmp;Broadcom xD Picture vstorp client drv;c:\windows\system32\DRIVERS\b57xdmp.sys;c:\windows\SYSNATIVE\DRIVERS\b57xdmp.sys [x]
S3 bScsiMSa;bScsiMSa;c:\windows\system32\DRIVERS\bScsiMSa.sys;c:\windows\SYSNATIVE\DRIVERS\bScsiMSa.sys [x]
S3 bScsiSDa;bScsiSDa;c:\windows\system32\DRIVERS\bScsiSDa.sys;c:\windows\SYSNATIVE\DRIVERS\bScsiSDa.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-14 07:23    1629648    ----a-w-    c:\program files (x86)\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-06 19:03]
.
2013-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-08 16:37]
.
2013-08-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-08 16:37]
.
2013-08-20 c:\windows\Tasks\Norton Security Scan for Tom.job
- c:\progra~2\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-26 02:30]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-12-23 11725928]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-12-10 2186856]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2010-10-29 860040]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-12-30 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-12-30 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-12-30 418328]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://acer.msn.com
uLocal Page = c:\windows\system32\blank.htm
mDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
Trusted Zone: vizzed.com\www
TCP: DhcpNameServer = 194.168.4.100 194.168.8.100
FF - ProfilePath - c:\users\Tom\AppData\Roaming\Mozilla\Firefox\Profiles\3emxycwh.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\DbgagD\1*]
"value"="?\07\02\05\03\01\05?"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-08-20  19:23:06
ComboFix-quarantined-files.txt  2013-08-20 18:23
.
Pre-Run: 275,637,493,760 bytes free
Post-Run: 275,488,747,520 bytes free
.
- - End Of File - - 4D9C23CB0E36395A9B940B8195E120D8
 

 

 



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:01 AM

Posted 21 August 2013 - 08:14 AM


Please run one or both of these tools.

Sophos Anti-Rootkit
http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx
===

Trend Micro RootkitBuster
http://free.antivirus.com/us/rootkit-buster/index.html

If you get a log please post it.

Keep me posted.

#6 Sin is Jecht

Sin is Jecht
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 21 August 2013 - 02:26 PM

Thanks.

 

I ran Sophos..it was running for over an hour but it seems to be going round in circles.  I'll leave it going overnight and report in the morning (UK time)

 

Trend Micro RootkitBuster found nothing:

 

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 5.0.0.1129
| Computer Name: TOM-PC
| OS version: 6.1-7600
| User Name: Tom
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Kernel Code Patching ==--
No kernel code patching detected.

--== Dump Hidden Services ==--
No hidden services found.



#7 Sin is Jecht

Sin is Jecht
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 22 August 2013 - 02:14 AM

Ok, I left Sophos running overnight and it didn't get anywhere..it's still running but the progress bar has hardly moved from the far left. Looks like it's just scanning the same files over and over again.

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:01 AM

Posted 22 August 2013 - 08:20 AM

Close the process if not already off.

Restart the scan. Just run it for one hour or two.

#9 Sin is Jecht

Sin is Jecht
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 22 August 2013 - 09:07 AM

Ok, I did restart the computer yesterday before I ran it a second time, that would stop the process, right? I'll try again this evening if you don't say otherwise though.

Thanks

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:01 AM

Posted 22 August 2013 - 12:27 PM

Do it one more time just in case you get lucky.
Do not let it run too long.

#11 Sin is Jecht

Sin is Jecht
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 22 August 2013 - 01:28 PM

I ran it again for an hour, same result as before.

 

The bar hardly moves to the right at all, it starts scanning "Volume{b714225b-485c-11e0-856a-806e6f6e6963}\Windows\xxxxx

 

The xxxxx bit keeps changing but it seems to keep going back in circles to the same folders.  Screenshot here if you need it: http://imgur.com/luLXei7

 

Thanks



#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:01 AM

Posted 22 August 2013 - 01:42 PM

How to address disk space issues that are caused by a large Windows component store (WinSxS) directory
http://support.microsoft.com/kb/2795190

I suggest that your run the Disk Cleanup Wizard (cleanmgr.exe) as suggested in the article.

Keep me posted.

#13 Sin is Jecht

Sin is Jecht
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 22 August 2013 - 02:08 PM

OK, I've run Disk Cleanup and deleted the bits that were pre-ticked.  My winsxs folder is now 14.3GB.



#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,752 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:01 AM

Posted 23 August 2013 - 07:01 AM

It's lower than mine so you should be OK.


See if you can get the Last Good Configuration.
http://windows.microsoft.com/en-CA/windows7/Using-Last-Known-Good-Configuration


Keep me posted.

#15 Sin is Jecht

Sin is Jecht
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Local time:10:01 AM

Posted 23 August 2013 - 01:17 PM

OK, tried that, the boot process looked the same as usual.  Tried running Sophos again after, same result as before.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users