SweetPacks...And Maybe More?!

This topic is locked. 37 replies to this topic.

#1 bkaczmarek (Members)

Posted 02 October 2013 - 03:23 PM

As I had posted in the "Am I Infected? What do I do?" forum, I fear I have more than just SweetPacks.

"Boopme" thought maybe I might have Encryption Malware.

Below is:

 - the text of my prior post
 - my DDS.txt log

=====================

my files seem to be disappearing as well?...ie maybe I am infected with something else additionally?

I say 'disappearing' because AVG scans usually show 'number of objects scanned' at about 1,200,000. Since this virus incident last week (see details below...), AVG reported it scanned only 120,000 objects. And today it scanned only 103,000 objects.

........................................

BACKGROUND:

I've been very good about using AVG Free anti-virus and weekly scans have never found any suspicious files.

Last week I was prompted to upgrade to AVG 2014 Free. It didn't seem to take - showing 'protection not active' - and I contacted AVG, who sent instructions for removal of the old version and how to do a clean install.

But upon reboot, AVG 2014 showed that components were active. (So I ignored the removal/reinstall.) Thought I was good.

Since things were goofy, I googled "registry cleaner tools" and clicked on a CNET downloader of some registry cleaner with 4 or 5 stars. It offered to add additional software tools (twice) and I "declined" both times but then got cold feet and tried to abort.

AVG then showed that its four components were again NOT active. Rebooted and the AVG 2014 tools were active again. Did an AVG scan and it found no threats... and I didn't notice immediately that 'objects scanned' was fewer than normal.

My browser then mentioned SweetPacks and I googled it and was instructed to go to Add/Remove. I found SweetPacks there and the options were <Hide> "recommended" or <Remove>, and next to Remove was <Important info>. I clicked "Important info" and was now frozen out of Add/Remove. SweetPacks has never again showed up in Add/Remove - although I never clicked to remove it.

Browsers now are all bad.

Mozilla won't open, giving error message: [ Firefox.exe application error: The exception unknown software exception (0xc0000417) occurred in the application at location 0x100da84f. ]

Chrome gives the same error. And the three bars in Chrome turned orange and when opened showed [attempting to add sweetpacks extension] which I clicked to "not allow."

Internet Explorer opened ok but then insisted on trying to open a SweetPacks site. The version with 'no add-ons' opened ok.

The AVG phone answerers had me send them files and have been saying Tier II folks will help me and will get back to me in 24-72 hours -- but it has been 10 days now of calling them every day and hearing that Tier II is very busy and that they will expedite my case and I'll hear from them as soon as possible.

So, I'm thinking I will follow the steps in your link above -- if I'm not barking up the wrong tree?! Is that link appropriate for me?

Also, someone suggested I just delete and reinstall my browsers. That is fine with me. Is that safe?? I'm afraid the virus is logging keystrokes and/or has partitioned the hard drive and is running my system without my being able to see it, or something more than what is obvious.

btw the laptop is an old Dell Inspiron E1505 running XP (actually I guess still running Media Center Edition of XP)

Thanks,

Bill

====================

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.25.2
Run by Bill at 15:50:11 on 2013-10-02
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.611 [GMT -4:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ================
.
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\SearchProtect\bin\CltMngSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\PROGRA~1\WI371A~1\Datamngr\DATAMN~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Bill\Local Settings\Application Data\Programs\Google\MusicManager\MusicManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Documents and Settings\Bill\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Bill\Application Data\SearchProtect\bin\cltmng.exe
C:\Documents and Settings\Bill\Local Settings\Application Data\Google\Update\1.3.21.153\GoogleCrashHandler.exe
C:\WINDOWS\system32\dmwu.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\jmdp\stij.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com/?ctid=CT3310511&octid=CT3310511&SearchSource=61&CUI=UN31798505151889114&UM=2&UP=SP94D88821-1E87-482D-A2A9-AA340315B231
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uProxyServer = :0
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\program files\windows ilivid toolbar\datamngr\toolbar\searchqudtx.dll
BHO: DataMngr: {9D717F81-9148-4f12-8568-69135F087DB0} - c:\program files\windows ilivid toolbar\datamngr\BrowserConnection.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\program files\windows ilivid toolbar\datamngr\toolbar\searchqudtx.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\bill\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MusicManager] "c:\documents and settings\bill\local settings\application data\programs\google\musicmanager\MusicManager.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [GoogleDriveSync] "c:\program files\google\drive\googledrivesync.exe" /autostart
uRun: [C6CB1F1BA370AD728ADA87A2361C750AA7F38586._service_run] "c:\documents and settings\bill\local settings\application data\google\chrome\application\chrome.exe" --type=service
uRun: [ROC_ROC_APR2013_AV] c:\documents and settings\bill\application data\avg april 2013 campaign\AVG-Secure-Search-Update.exe /PROMPT --mid d8d8862c7fedc4fa1909fda6000265f5-0cb6de6f0fc4b43b7277f2bfbf7b7ae2294fa6d3 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013
uRun: [AVG-Secure-Search-Update_0913a] c:\documents and settings\bill\application data\avg 0913a campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid d8d8862c7fedc4fa1909fda6000265f5-0cb6de6f0fc4b43b7277f2bfbf7b7ae2294fa6d3 --CMPID 0913a
uRun: [SearchProtect] c:\documents and settings\bill\application data\searchprotect\bin\cltmng.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [HP SchedIndexer] c:\program files\hewlett-packard\laserjet all-in-one\hppschedindexer.exe
mRun: [HP AutoIndexer] c:\program files\hewlett-packard\laserjet all-in-one\hppautoindexer.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [DATAMNGR] c:\progra~1\wi371a~1\datamngr\DATAMN~1.EXE
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre7\bin\jusched.exe"
mRun: [SearchProtectAll] c:\program files\searchprotect\bin\cltmng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - <orphaned>
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: fidelity.com
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/63.11/uploader2.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169967170718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://whartonmbacm.webex.com/client/T26L/webex/ieatgpc.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{ACAB4372-6D14-4E2D-B2F4-B7386426F958} : DHCPNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - <no file>
AppInit_DLLs= c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\IEBHO.dll   
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\bill\application data\mozilla\firefox\profiles\7pgwj5b6.default\
FF - plugin: c:\documents and settings\bill\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\bill\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\bill\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\bill\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\bill\application data\mozilla\plugins\npo1d.dll
FF - plugin: c:\documents and settings\bill\local settings\application data\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_8_800_168.dll
FF - ExtSQL: !HIDDEN! 2011-01-29 13:22; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 146232]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2012-9-21 223032]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 102200]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 26936]
R1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-8-1 120120]
R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 209208]
R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 22840]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 176952]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 193848]
R1 RapportCerberus_56758;RapportCerberus_56758;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_56758.sys [2013-9-3 330960]
R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-9-10 148688]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-9-10 222416]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2013-8-27 3534896]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2013-8-20 300640]
R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\searchprotect\bin\CltMngSvc.exe [2013-5-8 97056]
R2 IBUpdaterService;IBUpdaterService;c:\windows\system32\dmwu.exe [2013-9-22 1434416]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-9-10 1435928]
S2 mrtRate;mrtRate; [x]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-7-31 580992]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [2007-7-15 6124]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2013-9-10 97008]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== File Associations ===============
.
ShellExec: hpqpssp.exe: Open=c:\program files\hp\digital imaging\bin\hpqpssp.exe
.
=============== Created Last 30 ================
.
2013-10-02 19:43:05    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2013-09-25 21:50:37    --------    d-----w-    C:\AVGTemp
2013-09-22 22:21:02    --------    d-----w-    c:\documents and settings\all users\application data\Conduit
2013-09-22 22:20:23    --------    d-----w-    c:\documents and settings\bill\local settings\application data\CRE
2013-09-22 22:20:23    --------    d-----w-    c:\documents and settings\bill\local settings\application data\Conduit
2013-09-22 22:20:22    --------    d-----w-    c:\program files\Conduit
2013-09-22 22:20:07    --------    d-----w-    c:\windows\system32\jmdp
2013-09-22 22:19:54    --------    d-----w-    c:\program files\SearchProtect
2013-09-22 22:19:43    --------    d-----w-    c:\documents and settings\bill\application data\SearchProtect
2013-09-22 22:18:15    --------    d-----w-    c:\windows\system32\ARFC
2013-09-22 22:18:13    27136    ----a-w-    c:\windows\system32\ImHttpComm.dll
2013-09-22 22:18:13    1434416    ----a-w-    c:\windows\system32\dmwu.exe
2013-09-22 22:18:10    --------    d-----w-    c:\windows\system32\WNLT
2013-09-22 19:01:12    --------    d-----w-    c:\documents and settings\bill\application data\AVG2014
2013-09-22 18:50:19    --------    d-----w-    c:\documents and settings\all users\application data\AVG2014
2013-09-22 18:29:53    --------    d-----w-    c:\documents and settings\bill\local settings\application data\Avg2014
2013-09-11 13:19:54    --------    d-----w-    c:\program files\Cisco Systems
2013-09-11 03:18:28    97008    ----a-w-    c:\windows\system32\drivers\RapportKELL.sys
2013-09-03 13:53:52    187248    ----a-w-    c:\program files\mozilla firefox\plugins\nppdf32.dll
2013-09-03 13:53:52    187248    ----a-w-    c:\program files\internet explorer\plugins\nppdf32.dll
.
==================== Find3M  ====================
.
2013-09-19 16:51:26    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-19 16:51:26    692616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-09-09 08:54:24    773968    ----a-w-    c:\windows\system32\msvcr100.dll
2013-09-09 08:54:24    632656    ----a-w-    c:\windows\system32\msvcr80.dll
2013-09-09 08:54:24    554832    ----a-w-    c:\windows\system32\msvcp80.dll
2013-09-09 08:54:24    479232    ----a-w-    c:\windows\system32\msvcm80.dll
2013-09-09 08:54:24    421200    ----a-w-    c:\windows\system32\msvcp100.dll
2013-08-23 03:37:18    176952    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2013-08-23 02:56:56    209208    ----a-w-    c:\windows\system32\drivers\avgidsdriverx.sys
2013-08-23 02:56:16    223032    ----a-w-    c:\windows\system32\drivers\avglogx.sys
2013-08-23 02:56:16    146232    ----a-w-    c:\windows\system32\drivers\avgidshx.sys
2013-08-09 01:56:45    386560    ----a-w-    c:\windows\system32\themeui.dll
2013-08-08 06:05:59    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-08-08 06:05:59    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-08-08 06:05:59    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-08-08 06:05:58    18944    ----a-w-    c:\windows\system32\corpol.dll
2013-08-08 01:27:48    1877760    ----a-w-    c:\windows\system32\win32k.sys
2013-08-08 00:02:34    385024    ----a-w-    c:\windows\system32\html.iec
2013-08-05 13:30:32    1289728    ----a-w-    c:\windows\system32\ole32.dll
2013-08-03 18:18:38    1543680    ------w-    c:\windows\system32\wmvdecod.dll
2013-08-01 20:08:52    193848    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2013-08-01 20:06:40    22840    ----a-w-    c:\windows\system32\drivers\avgidsshimx.sys
2013-08-01 20:06:14    120120    ----a-w-    c:\windows\system32\drivers\avgdiskx.sys
2013-08-01 20:05:58    26936    ----a-w-    c:\windows\system32\drivers\avgrkx86.sys
2013-07-10 10:37:53    406016    ----a-w-    c:\windows\system32\usp10.dll
.
============= FINISH: 15:57:50.20 ===============
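The DDS log above is what the helpers triage by hand: the uRun/mRun autostarts, the BHO/TB entries, the AppInit_DLLs value and the R2 services. The script below is an added example, not part of this thread or of the DDS tool; it parses those DDS line shapes and flags entries matching an assumed watchlist built from the search-hijacker and bundled-toolbar names visible in this log (the sample lines are copied from the log, with the Conduit start-page URL shortened to its host).

```python
import re

# Assumed watchlist: names of the search-hijacker and bundled-toolbar entries
# that appear in the DDS log in this thread (SearchProtect/Conduit, the
# Searchqu/DataMngr toolbar, the dmwu.exe IBUpdater service, SweetPacks).
WATCHLIST = ("searchprotect", "conduit", "datamngr", "ilivid", "searchqu",
             "dmwu", "ibupdater", "sweetpacks")

# Line shapes used by the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" sections.
RUN_RE = re.compile(r"^([um]Run): \[([^\]]+)\]\s*(.*)$")
BHO_RE = re.compile(r"^(BHO|TB|EB): (.+?): (\{[^}]+\})\s*-\s*(.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs=\s*(.*)$")
SVC_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?)(?:\s+\[[^\]]*\])?\s*$")
BROWSER_RE = re.compile(
    r"^([um](?:Start Page|Search Bar|Search Page|Default_Search_URL|SearchAssistant)) = (.*)$")


def parse_line(line):
    """Return (kind, name, target) for a recognised DDS line, else None."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:                       # uRun/mRun: [Name] command line
        return m.group(1), m.group(2), m.group(3)
    m = BHO_RE.match(line)
    if m:                       # BHO/TB/EB: Name: {CLSID} - dll path
        return m.group(1), m.group(2), m.group(4)
    m = APPINIT_RE.match(line)
    if m:                       # AppInit_DLLs= space-separated DLL list
        return "AppInit_DLLs", "AppInit_DLLs", m.group(1)
    m = SVC_RE.match(line)
    if m:                       # R2 Name;Description;image path [date size]
        return "service", f"{m.group(2)} ({m.group(3)})", m.group(4)
    m = BROWSER_RE.match(line)
    if m:                       # uStart Page = url, uSearch Bar = url, ...
        return "browser", m.group(1), m.group(2)
    return None


def classify(kind, name, target):
    """Return (level, reason) for one parsed entry: flag, review or ok."""
    low = f"{name} {target}".lower()
    reasons = []
    if kind == "AppInit_DLLs" and target.strip():
        # Every DLL listed here is loaded into each process that links user32.dll.
        reasons.append("AppInit_DLLs is set")
    hits = [w for w in WATCHLIST if w in low]
    if hits:
        reasons.append("watchlist: " + ", ".join(hits))
    if reasons:
        return "flag", "; ".join(reasons)
    if kind in ("uRun", "mRun", "service") and "application data" in low:
        # Autostarts living in a user profile deserve a second look; this also
        # catches legitimate per-user updaters, so it is only "review".
        return "review", "autostart from a user-profile path"
    return "ok", ""


def triage(log_text):
    """Parse a DDS log and return the entries that are not plainly ok."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, name, target = parsed
        level, reason = classify(kind, name, target)
        if level != "ok":
            findings.append({"level": level, "kind": kind, "name": name,
                             "target": target, "reason": reason})
    return findings


# Sample input: lines copied from the DDS log in this thread (the Conduit
# start-page URL is shortened to its host).
SAMPLE_LOG = r"""
uStart Page = hxxp://search.conduit.com/
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\program files\windows ilivid toolbar\datamngr\toolbar\searchqudtx.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
uRun: [Google Update] "c:\documents and settings\bill\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SearchProtect] c:\documents and settings\bill\application data\searchprotect\bin\cltmng.exe
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
AppInit_DLLs= c:\progra~1\wi371a~1\datamngr\datamngr.dll c:\progra~1\wi371a~1\datamngr\IEBHO.dll
R2 CltMngSvc;Search Protect by Conduit Updater;c:\program files\searchprotect\bin\CltMngSvc.exe [2013-5-8 97056]
R2 IBUpdaterService;IBUpdaterService;c:\windows\system32\dmwu.exe [2013-9-22 1434416]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2013-8-20 300640]
S2 mrtRate;mrtRate; [x]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['level']:6} {f['kind']:12} {f['name']}: {f['reason']}")
```

The "review" level is deliberately weak: on this log it also lists the per-user Google updater, so it is a prompt for a second look, not a verdict.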
 


#2 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 02 October 2013 - 04:58 PM

Hello bkaczmarek,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
  • Download AdwCleaner
  • Double click on AdwCleaner.exe to run the tool.
    ***Note: Windows Vista and Windows 7 users:
    Right click on adwCleaner.exe and select
    "Run as administrator"
  • Click the Search button.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your next reply.
  • Or you can find the logfile at C:\AdwCleaner[R1].txt.

2.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Scan
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

Things to include in your next reply:
AdwCleaner log
RogueKiller log.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



#3 bkaczmarek (Topic Starter)

Posted 02 October 2013 - 05:26 PM

Fireman,

A question. Your Item 2 includes instructions to:

 - download RogueKiller
 - close all processes
 - run RogueKiller

My question has to do with "close all processes."

Does that mean that I should open TaskMgr and in the Processes tab, go thru all processes one at a time and click <end process>??

Thanks,

Bill



#4 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 03 October 2013 - 07:18 AM

 

Does that mean that I should open TaskMgr and in the Processes tab, go thru all processes one at a time and click <end process>??

No, this means to close programs like Internet Explorer, Firefox, Limewire, stuff like that.




#5 bkaczmarek (Topic Starter)

Posted 03 October 2013 - 08:10 AM

Fireman,

I'm stuck and need your advice.

Ok, here's where I am.

I ran AdwCleaner and it found two bad guys. I did NOT remove them. I will send you the log together with the RogueKiller log, but have a question first.

While running RogueKiller a few things happened. [RogueKiller is running on the infected machine even while we speak]

FIRST, a couple of hits showed up, namely:

(1) KILLED [TermProc]    SUSP PATH  2568   cltmng.exe     C:\Documents and settings\Bill\Application data\SearchProtect\bin\cltmng.exe

(2) ERROR [1052]       SERVICE   -1        IBUpdater Service     C:\WINDOWS\system32\dmwu.exe

SECOND, AVG Detection showed up RogueKiller and prompted me for authorization, so I allowed it and it said it 'created an exception.'

THIRD, a popup appeared that looks suspicious to me. The title of the popup is "ERROR" and in the box the text reads "Your version is outdated. Please download the new version. Download it on the website?" <Yes> <No>

While this popup is here, the scan bar is still moving as if progressing, and the RogueKiller Status shows "Searching for updates..."

Is this popup legit? Should I click "Yes" to download the new version? Since the popup doesn't indicate what program it is associated with, it looks suspicious to me... and I wanted to ask what to do, since clicking boxes is what got me into this mess.

Bill


Edited by bkaczmarek, 03 October 2013 - 08:15 AM.


#6 bkaczmarek (Topic Starter)

Posted 03 October 2013 - 08:36 AM

p.s. the RogueKiller top of screen reads with a version number: "v8.7.0"

(And RogueKiller definitely seems frozen, despite the green progress bar still cycling around.)



#7 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 03 October 2013 - 09:44 AM

Go ahead and stop Roguekiller and delete it. Then download Roguekiller again from the link I gave you and run it again as I told you before.


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#8 bkaczmarek

bkaczmarek
  • Topic Starter

  • Members
  • 28 posts

Posted 03 October 2013 - 10:18 AM

Fireman,

 

OK, I deleted and downloaded/ran RogueKiller again.

 

Again, I'm not sure what to do. Here's where I am at.

 

Three things happened again.

 

FIRST:  RogueKiller found one thing in the Prescan; and onscreen instructions say to hit the Scan button [which is now greyed out!]

 

(1) ERROR [1052]       SERVICE   -1        IBUpdater Service     C:\WINDOWS\system32\dmwu.exe

 

SECOND:  Again "AVG Detection" popup said it found RogueKiller and I clicked to not remove it and instead to create an exception

 

THIRD:  a suspicious popup again appeared.  This one reads:         "EULA - You must approve the terms to use the program.    RogueKiller Software License Terms   [... blah blah...]   <Accept>  <Decline>"       [The instruction post didn't mention to accept an EULA, but maybe the instructions mistakenly omit that step?]

 

 

(Also, by the way, this time when I opened Mozilla to download RogueKiller, it was captured and took me to SweetPacks.)

 

=============

So, what next?    [Is the EULA legit?  Maybe I should simply <Accept>?]

 

Should I close/delete/download and run RogueKiller again?    

 

[SORRY, PLEASE DISREGARD THIS PARAGRAPH... the message on AVG screen calls out name of Object as "RogueKiller.exe", so I'm guessing <Allow> was the safe choice]  

If/when I do, should I click something else on the "AVG Detector" popup this time?   i.e.  "NOT allow"?      I don't know if this would block the malware or RogueKiller.   I'm starting to suspect maybe it will block the malware, given that RogueKiller has already started the prescan successfully by that point anyway.

 

I look forward to your advice!  

Thanks!


Edited by bkaczmarek, 03 October 2013 - 11:26 AM.


#9 bkaczmarek

bkaczmarek
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:11:17 PM

Posted 03 October 2013 - 10:25 AM

SORRY, PLEASE DISREGARD THIS POST.  

The AVG Detection popup shows:  "Object name: C:\....RogueKiller.exe"    so it must be safe.

 

====================

p.s. And further...  if I should have been clicking in the AVG Detector popup   "do NOT allow" (or "block";  or "remove"... sorry I can't remember the option wording exactly) instead of choosing "allow", then should I be worried that AVG says it "created an exception"?   Does that "exception" mean I've created an opening for the malware (in the AVG antivirus)???

 

Thanks in advance!


Edited by bkaczmarek, 03 October 2013 - 11:16 AM.


#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 03 October 2013 - 01:23 PM

 

So, what next?    [Is the EULA legit?  Maybe I should simply <Accept>?]

 

Yes, accept the EULA.

 

 

 

Does that "exception" mean I've created an opening for the malware (in the AVG antivirus)???

No, it means you allowed RogueKiller to run.


#11 bkaczmarek

bkaczmarek
  • Topic Starter

  • Members
  • 28 posts

Posted 03 October 2013 - 02:26 PM

Thanks Fireman, we are making progress!!

 

(btw you had said not to add/remove programs etc... and I haven't since I got your note.  But full disclosure is that before you had told me, I had removed and reinstalled Firefox.)

 

I ran AdwCleaner and RogueKiller and am pasting logs for both below.  (I did NOT proceed to remove any of the identified 'bad guys'... as that's what I understood were the instructions.)

 

========= LOG 1:  AdwCleaner ================

 

# AdwCleaner v3.006 - Report created 02/10/2013 at 18:12:49
# Updated 01/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Bill - INSPIRONDB52CT9
# Running from : C:\Documents and Settings\Bill\My Documents\Downloads\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : CltMngSvc
Service Found : IBUpdaterService

***** [ Files / Folders ] *****

File Found : C:\DOCUME~1\Bill\LOCALS~1\Temp\Searchqu.ini
File Found : C:\DOCUME~1\Bill\LOCALS~1\Temp\searchqutoolbar-manifest.xml
File Found : C:\END
File Found : C:\Program Files\Mozilla Firefox\Extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433}
File Found : C:\Program Files\Mozilla Firefox\searchplugins\Search_Results.xml
File Found : C:\WINDOWS\system32\dmwu.exe
File Found : C:\WINDOWS\system32\ImhxxpComm.dll
File Found : C:\WINDOWS\system32\roboot.exe
Folder Found C:\Documents and Settings\All Users\Application Data\boost_interprocess
Folder Found C:\Documents and Settings\All Users\Application Data\Conduit
Folder Found C:\Documents and Settings\Bill\Application Data\Searchprotect
Folder Found C:\Documents and Settings\Bill\Application Data\searchquband
Folder Found C:\Documents and Settings\Bill\Application Data\Searchqutoolbar
Folder Found C:\Documents and Settings\Bill\Application Data\Systweak
Folder Found C:\Documents and Settings\Bill\Local Settings\Application Data\Conduit
Folder Found C:\Documents and Settings\Bill\Local Settings\Application Data\Ilivid Player
Folder Found C:\Documents and Settings\Bill\Local Settings\Application Data\PackageAware
Folder Found C:\Program Files\Conduit
Folder Found C:\Program Files\Ilivid
Folder Found C:\Program Files\Searchprotect
Folder Found C:\Program Files\Windows iLivid Toolbar
Folder Found C:\WINDOWS\system32\ARFC
Folder Found C:\WINDOWS\system32\jmdp
Folder Found C:\WINDOWS\system32\WNLT

***** [ Shortcuts ] *****


***** [ Registry ] *****

Data Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~1\WI371A~1\Datamngr\datamngr.dll
Data Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~1\WI371A~1\Datamngr\IEBHO.dll
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\ConduitSearchScopes
Key Found : HKCU\Software\DataMngr
Key Found : HKCU\Software\DataMngr_Toolbar
Key Found : HKCU\Software\ilivid
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\ImInstaller
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4F12-8568-69135F087DB0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D717F81-9148-4F12-8568-69135F087DB0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\SearchProtect
Key Found : HKCU\Software\searchqutoolbar
Key Found : HKCU\Software\smartbar
Key Found : HKCU\Software\systweak
Key Found : HKCU\Software\wnlt
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\Software\AVG Secure Search
Key Found : HKLM\Software\AVG Security Toolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{AC662AF2-4601-4A68-84DF-A3FE83F1A5F9}
Key Found : HKLM\SOFTWARE\Classes\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}
Key Found : HKLM\SOFTWARE\Classes\AppID\BrowserConnection.dll
Key Found : HKLM\SOFTWARE\Classes\AppID\DNSBHO.dll
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\BrowserConnection.Loader
Key Found : HKLM\SOFTWARE\Classes\BrowserConnection.Loader.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9D717F81-9148-4F12-8568-69135F087DB0}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4CA8-A185-8FF989AF1115}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}
Key Found : HKLM\SOFTWARE\Classes\DnsBHO.BHO
Key Found : HKLM\SOFTWARE\Classes\DnsBHO.BHO.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{44B619BC-3D2B-4990-AA4F-9AA366921792}
Key Found : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard
Key Found : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3310511
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{5B4144E1-B61D-495A-9A50-CD1A95D86D15}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{841D5A49-E48D-413C-9C28-EB3D9081D705}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\Software\DataMngr
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Windows Searchqu Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\wnlt
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4F12-8568-69135F087DB0}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Searchqu Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wnlt
Key Found : HKLM\Software\SearchProtect
Key Found : HKLM\Software\SearchquMediabarTb
Key Found : HKLM\Software\Viewpoint
Key Found : HKLM\Software\wnlt
Value Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [SearchProtect]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{99079A25-328F-4BD4-BE04-00955ACAA0A7}]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchProtectAll]
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe]
Value Found : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\WINDOWS\system32\ARFC\wrtc.exe]

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxp://search.conduit.com/?ctid=CT3310511&octid=CT3310511&SearchSource=61&CUI=UN31798505151889114&UM=2&UP=SP94D88821-1E87-482D-A2A9-AA340315B231

-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7pgwj5b6.default\prefs.js ]


-\\ Google Chrome v

[ File : C:\Documents and Settings\Bill\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [9509 octets] - [02/10/2013 18:12:49]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [9569 octets] ##########
 

========== LOG 2: RogueKiller ===============

 

RogueKiller V8.7.1 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Bill [Admin rights]
Mode : Scan -- Date : 10/03/2013 15:14:42
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SERVICE] IBUpdaterService -- C:\WINDOWS\system32\dmwu.exe [x] -> ERROR [1052]

¤¤¤ Registry Entries : 11 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : ROC_ROC_APR2013_AV (C:\Documents and Settings\Bill\Application Data\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid d8d8862c7fedc4fa1909fda6000265f5-0cb6de6f0fc4b43b7277f2bfbf7b7ae2294fa6d3 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013 [x][x][x][x]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : AVG-Secure-Search-Update_0913a (C:\Documents and Settings\Bill\Application Data\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid d8d8862c7fedc4fa1909fda6000265f5-0cb6de6f0fc4b43b7277f2bfbf7b7ae2294fa6d3 --CMPID 0913a [x][x][x]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : SearchProtect (C:\Documents and Settings\Bill\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3171413948-3101098101-1794936492-1006\[...]\Run : ROC_ROC_APR2013_AV (C:\Documents and Settings\Bill\Application Data\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid d8d8862c7fedc4fa1909fda6000265f5-0cb6de6f0fc4b43b7277f2bfbf7b7ae2294fa6d3 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013 [x][x][x][x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3171413948-3101098101-1794936492-1006\[...]\Run : AVG-Secure-Search-Update_0913a (C:\Documents and Settings\Bill\Application Data\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid d8d8862c7fedc4fa1909fda6000265f5-0cb6de6f0fc4b43b7277f2bfbf7b7ae2294fa6d3 --CMPID 0913a [x][x][x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3171413948-3101098101-1794936492-1006\[...]\Run : SearchProtect (C:\Documents and Settings\Bill\Application Data\SearchProtect\bin\cltmng.exe [7]) -> FOUND
[SERVICE][BLVALUE] HKLM\[...]\CCSet\[...]\Services : IBUpdaterService (C:\WINDOWS\system32\dmwu.exe [7]) -> FOUND
[SERVICE][BLVALUE] HKLM\[...]\CS001\[...]\Services : IBUpdaterService (C:\WINDOWS\system32\dmwu.exe [7]) -> FOUND
[SERVICE][BLVALUE] HKLM\[...]\CS002\[...]\Services : IBUpdaterService (C:\WINDOWS\system32\dmwu.exe [7]) -> FOUND
[PROXY IE][PUM] HKCU\[...]\Internet Settings : ProxyServer (:0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (?MILLIS_PER_SECOND@GCDate@@2JB) : GrooveUtil.DLL -> HOOKED (Unknown @ 0xC8F7333C)
[Inline] EAT @explorer.exe (OPENSSL_ia32cap_P) : avgntopensslx.dll -> HOOKED (Unknown @ 0x6DA05A26)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost
HPC82BA9 HP001B78C82BA9


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - FUJITSU MHV2040BH +++++
--- User ---
[MBR] 94b74004bf70010db491af5f94865546
[BSP] 6a16940a05e78a8357108e829835cd80 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 31918 Mo
2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 65448810 | Size: 4753 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10032013_151442.txt >>


##
 



#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 03 October 2013 - 02:44 PM

1.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

2.

  • Re-Run RogueKiller
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, Click Delete
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again

 

Things to include in your next reply:

AdwCleaner log

RogueKiller log

How is your machine running now?


#13 bkaczmarek

bkaczmarek
  • Topic Starter

  • Members
  • 28 posts

Posted 03 October 2013 - 03:29 PM

Thanks Fireman,

 

Things seemed to go well.  (Unfortunately the AVG 2014 "update process" began running during the RogueKiller routine, but hopefully that didn't cause any harm.)

 

FYI, RogueKiller said it was unable to find a bad guy it had listed. I assume you'll notice if there were any issues.

 

AVG 2014 is now asking for a re-boot, so I'll do that after posting this.  Mozilla opened up clean - so that is a good sign!  Too soon to tell if everything else is hunky-dory, but it appears to be so far.

 

Btw, is it safe to run AdwCleaner and RogueKiller to see if they get any hits on the other two machines here?  If I get any hits, I won't delete, but instead I'll post in a new Topic -- is that the way to do it?   Ok to look and see if anything pops up during scans?

 

Below are the logs for AdwCleaner and for RogueKiller:

 

=========  Log 1 =========

 

# AdwCleaner v3.006 - Report created 03/10/2013 at 15:49:12
# Updated 01/10/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Bill - INSPIRONDB52CT9
# Running from : C:\Documents and Settings\Bill\My Documents\Downloads\adwcleaner.exe
# Option : Clean

***** [ Services ] *****

Service Deleted : CltMngSvc
[#] Service Deleted : IBUpdaterService

***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\boost_interprocess
Folder Deleted : C:\Documents and Settings\All Users\Application Data\Conduit
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\Ilivid
Folder Deleted : C:\Program Files\Searchprotect
Folder Deleted : C:\Program Files\Windows iLivid Toolbar
Folder Deleted : C:\WINDOWS\system32\ARFC
Folder Deleted : C:\WINDOWS\system32\jmdp
Folder Deleted : C:\WINDOWS\system32\WNLT
Folder Deleted : C:\Documents and Settings\Bill\Local Settings\Application Data\Conduit
Folder Deleted : C:\Documents and Settings\Bill\Local Settings\Application Data\Ilivid Player
Folder Deleted : C:\Documents and Settings\Bill\Local Settings\Application Data\PackageAware
Folder Deleted : C:\Documents and Settings\Bill\Application Data\Searchprotect
Folder Deleted : C:\Documents and Settings\Bill\Application Data\searchquband
Folder Deleted : C:\Documents and Settings\Bill\Application Data\Searchqutoolbar
Folder Deleted : C:\Documents and Settings\Bill\Application Data\Systweak
File Deleted : C:\Program Files\Mozilla Firefox\Extensions\{1FD91A9C-410C-4090-BBCC-55D3450EF433}
File Deleted : C:\END
File Deleted : C:\WINDOWS\system32\dmwu.exe
File Deleted : C:\WINDOWS\system32\ImhxxpComm.dll
File Deleted : C:\WINDOWS\system32\roboot.exe
File Deleted : C:\DOCUME~1\Bill\LOCALS~1\Temp\Searchqu.ini
File Deleted : C:\DOCUME~1\Bill\LOCALS~1\Temp\searchqutoolbar-manifest.xml
File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\Search_Results.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [SearchProtect]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\BrowserConnection.dll
Key Deleted : HKLM\SOFTWARE\Classes\AppID\DNSBHO.dll
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\BrowserConnection.Loader
Key Deleted : HKLM\SOFTWARE\Classes\BrowserConnection.Loader.1
Key Deleted : HKLM\SOFTWARE\Classes\DnsBHO.BHO
Key Deleted : HKLM\SOFTWARE\Classes\DnsBHO.BHO.1
Key Deleted : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard
Key Deleted : HKLM\SOFTWARE\Classes\SearchQUIEHelper.DNSGuard.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [DataMngr]
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [SearchProtectAll]
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3310511
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{AC662AF2-4601-4A68-84DF-A3FE83F1A5F9}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9D717F81-9148-4F12-8568-69135F087DB0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4CA8-A185-8FF989AF1115}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FEFD3AF5-A346-4451-AA23-A3AD54915515}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{44B619BC-3D2B-4990-AA4F-9AA366921792}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{5B4144E1-B61D-495A-9A50-CD1A95D86D15}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{841D5A49-E48D-413C-9C28-EB3D9081D705}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9D717F81-9148-4F12-8568-69135F087DB0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9D717F81-9148-4F12-8568-69135F087DB0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9D717F81-9148-4F12-8568-69135F087DB0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{99079A25-328F-4BD4-BE04-00955ACAA0A7}]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\Program Files\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe]
Value Deleted : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List [C:\WINDOWS\system32\ARFC\wrtc.exe]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\searchqutoolbar
Key Deleted : HKCU\Software\smartbar
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\wnlt
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\Software\SearchquMediabarTb
Key Deleted : HKLM\Software\Viewpoint
Key Deleted : HKLM\Software\wnlt
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Searchqu Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wnlt
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Windows Searchqu Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\wnlt
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~1\WI371A~1\Datamngr\datamngr.dll
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~1\WI371A~1\Datamngr\IEBHO.dll

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Documents and Settings\Bill\Application Data\Mozilla\Firefox\Profiles\7pgwj5b6.default\prefs.js ]


-\\ Google Chrome v

[ File : C:\Documents and Settings\Bill\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [9649 octets] - [02/10/2013 18:12:49]
AdwCleaner[R1].txt - [9709 octets] - [03/10/2013 15:47:15]
AdwCleaner[S0].txt - [9746 octets] - [03/10/2013 15:49:12]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9806 octets] ##########
 

============== LOG 2 ============

 

RogueKiller V8.7.1 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Bill [Admin rights]
Mode : Remove -- Date : 10/03/2013 16:14:22
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : ROC_ROC_APR2013_AV (C:\Documents and Settings\Bill\Application Data\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid d8d8862c7fedc4fa1909fda6000265f5-0cb6de6f0fc4b43b7277f2bfbf7b7ae2294fa6d3 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013 [x][x][x][x]) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : AVG-Secure-Search-Update_0913a (C:\Documents and Settings\Bill\Application Data\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid d8d8862c7fedc4fa1909fda6000265f5-0cb6de6f0fc4b43b7277f2bfbf7b7ae2294fa6d3 --CMPID 0913a [x][x][x]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-3171413948-3101098101-1794936492-1006\[...]\Run : ROC_ROC_APR2013_AV (C:\Documents and Settings\Bill\Application Data\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid d8d8862c7fedc4fa1909fda6000265f5-0cb6de6f0fc4b43b7277f2bfbf7b7ae2294fa6d3 --CMPID ROC_APR2013_AV --CMPIDEXTRA 2013 [x][x][x][x]) -> [0x2] The system cannot find the file specified.
[RUN][SUSP PATH] HKUS\S-1-5-21-3171413948-3101098101-1794936492-1006\[...]\Run : AVG-Secure-Search-Update_0913a (C:\Documents and Settings\Bill\Application Data\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid d8d8862c7fedc4fa1909fda6000265f5-0cb6de6f0fc4b43b7277f2bfbf7b7ae2294fa6d3 --CMPID 0913a [x][x][x]) -> [0x2] The system cannot find the file specified.
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Inline] EAT @explorer.exe (?MILLIS_PER_SECOND@GCDate@@2JB) : GrooveUtil.DLL -> HOOKED (Unknown @ 0xC8F7333C)
[Inline] EAT @explorer.exe (OPENSSL_ia32cap_P) : avgntopensslx.dll -> HOOKED (Unknown @ 0x6DA05A26)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost
HPC82BA9 HP001B78C82BA9


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - FUJITSU MHV2040BH +++++
--- User ---
[MBR] 94b74004bf70010db491af5f94865546
[BSP] 6a16940a05e78a8357108e829835cd80 : MBR Code unknown
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 31918 Mo
2 - [XXXXXX] UNKNOWN (0x00) [VISIBLE] Offset (sectors): 65448810 | Size: 4753 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_10032013_161422.txt >>
RKreport[0]_S_10032013_151442.txt;RKreport[0]_S_10032013_161359.txt
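
As an added example (not from the thread and not RogueKiller's own code), the Python helper below does first-pass triage on a report in the layout posted above: it pulls out each flagged registry entry, records the action RogueKiller reports for it, and checks the HOSTS section for anything beyond the default localhost mapping. The "lives under a user profile" test is my own simplified stand-in for whatever heuristic sits behind the SUSP PATH tag, not RogueKiller's actual rule, and the sample text is a constructed, shortened copy of the report above (the long `--mid` argument is dropped).

```python
import re

# Constructed sample in RogueKiller's report layout, abbreviated from the
# report in the thread above.
SAMPLE_REPORT = r"""
¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : ROC_ROC_APR2013_AV (C:\Documents and Settings\Bill\Application Data\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --CMPID ROC_APR2013_AV [x][x][x][x]) -> DELETED
[RUN][SUSP PATH] HKCU\[...]\Run : AVG-Secure-Search-Update_0913a (C:\Documents and Settings\Bill\Application Data\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --CMPID 0913a [x][x][x]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-3171413948-3101098101-1794936492-1006\[...]\Run : ROC_ROC_APR2013_AV (C:\Documents and Settings\Bill\Application Data\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --CMPID ROC_APR2013_AV [x][x][x][x]) -> [0x2] The system cannot find the file specified.
[RUN][SUSP PATH] HKUS\S-1-5-21-3171413948-3101098101-1794936492-1006\[...]\Run : AVG-Secure-Search-Update_0913a (C:\Documents and Settings\Bill\Application Data\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --CMPID 0913a [x][x][x]) -> [0x2] The system cannot find the file specified.
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost
HPC82BA9 HP001B78C82BA9

¤¤¤ MBR Check: ¤¤¤
"""

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?)(?: : (?P<count>\d+))? ?¤¤¤$")
ENTRY_RE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+) (?P<body>.+?) -> (?P<result>.+)$")
EXE_RE = re.compile(r"\(([A-Za-z]:\\[^()]*?\.exe)", re.IGNORECASE)
# Assumption (my own heuristic, not RogueKiller's): an autorun whose target
# sits inside a user profile deserves a closer look, since anything the user
# runs can write there.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")
DEFAULT_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}


def classify_result(result: str) -> str:
    """Map the text after '->' to a triage outcome."""
    r = result.strip()
    if r.startswith("DELETED"):
        return "removed"
    if r.startswith("REPLACED"):
        return "fixed"
    if r.startswith("[0x"):  # Win32 error code: the action did not complete
        return "failed"
    return "other"


def is_user_profile_path(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_PROFILE_MARKERS)


def parse_report(text: str) -> dict:
    """Split a report into sections, flagged entries and HOSTS lines."""
    report = {"sections": {}, "entries": [], "hosts": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").rstrip(":").strip()
            report["sections"][current] = int(m.group("count")) if m.group("count") else None
            continue
        if current == "HOSTS File":
            if not line.startswith("-->"):  # skip the path line
                report["hosts"].append(" ".join(line.split()))
            continue
        m = ENTRY_RE.match(line)
        if m:
            key, _, value = m.group("body").partition(" : ")
            exe = EXE_RE.search(value)
            report["entries"].append({
                "section": current,
                "tags": re.findall(r"\[([^\]]+)\]", m.group("tags")),
                "key": key, "value": value,
                "exe": exe.group(1) if exe else None,
                "result": m.group("result"),
            })
    return report


def nonstandard_hosts(host_lines: list) -> list:
    return [h for h in host_lines if h not in DEFAULT_HOSTS]


def triage(text: str) -> dict:
    report = parse_report(text)
    outcomes = {}
    for e in report["entries"]:
        outcome = classify_result(e["result"])
        outcomes[outcome] = outcomes.get(outcome, 0) + 1
    return {
        "declared_registry_entries": report["sections"].get("Registry Entries"),
        "parsed_registry_entries": sum(1 for e in report["entries"] if e["section"] == "Registry Entries"),
        "outcomes": outcomes,
        "user_profile_autoruns": [e["key"] for e in report["entries"]
                                  if e["exe"] and is_user_profile_path(e["exe"])],
        "nonstandard_hosts": nonstandard_hosts(report["hosts"]),
    }
```

Comparing the declared section count with the number of entries actually parsed catches lines the regexes missed. Entries whose result starts with a `[0x...]` Win32 error code are the ones the tool could not finish acting on, so they are the natural things to recheck on the follow-up scan the helper requests, and any HOSTS line beyond the default localhost mappings is listed for manual review rather than judged automatically.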





#14 bkaczmarek

bkaczmarek
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:11:17 PM

Posted 03 October 2013 - 03:53 PM

P.S. The reboot came up fine.

A couple of minor questions:

 - Not all icons in the lower right-hand side showed up, but they are easy to add from Control Panel (e.g. the icons for "battery status" and "speaker level").

 - When I opened IE, a popup 'Manage Add-ons' opened, listing SweetPacks as Enabled. OK to remove? (You had instructed me not to do anything much till I got the 'all clean' from you.)

 - I'll wait to open Chrome until I hear from you -- that is my real backbone. I don't want to risk opening it and getting it damaged/infected till other stuff looks fine.

 - Also, please let me know if it is OK to run a scan using AVG. I'm curious to see if AVG again finds as many objects as it typically did in its scans.

An additional question:

 - Do you have any advice on choosing between AVG Free and MS Security Essentials? I'd like to switch to Security Essentials since it is much less intrusive, and the AVG machine had a problem whereas the MSSE machine has never had a problem. Any advice?

Thanks in advance!

Bill



#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:17 PM

Posted 03 October 2013 - 07:53 PM

 

> When I opened IE, a popup 'Manage Add-ons' opened, listing SweetPacks as Enabled. OK to remove? (You had instructed me not to do anything much till I got the 'all clean' from you.)

Yes, go ahead and remove it. :thumbup2:

> Also, please let me know if it is OK to run a scan using AVG. I'm curious to see if AVG again finds as many objects as it typically did in its scans.

Please don't run a scan at this time.

 

 

1.

  • Download Malwarebytes Anti-Rootkit from HERE
  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!




